Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtsvg-opensource-src@packages.debian.org
Control: affects -1 + src:qtsvg-opensource-src

Please unblock package qtsvg-opensource-src.

[ Reason ]
This fixes a security bug. See:
- https://security-tracker.debian.org/tracker/CVE-2023-32573
- https://www.qt.io/blog/security-advisory-qt-svg

[ Impact ]
Use of an uninitialized variable, which is undefined behavior and may, for example, lead to division by zero.

[ Tests ]
The upstream test suite is run during build.

[ Risks ]
The change is quite trivial: it just initializes the variable and uses a constant to keep the value in one place.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock qtsvg-opensource-src/5.15.8-3

-- Dmitry Shachnev
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qtsvg-opensource-src (5.15.8-3) unstable; urgency=medium
+
+ * Backport upstream commit to initialize QSvgFont::m_unitsPerEm
+ (CVE-2023-32573).
+
+ -- Dmitry Shachnev <mitya57@debian.org> Sun, 21 May 2023 19:06:01 +0300
+
qtsvg-opensource-src (5.15.8-2) unstable; urgency=medium
* Upload to unstable.
--- /dev/null
+++ b/debian/patches/CVE-2023-32573.diff
@@ -0,0 +1,34 @@
+Description: QSvgFont: initialize m_unitsPerEm to fix undefined behavior
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff
+Last-Update: 2023-05-21
+
+--- a/src/svg/qsvgfont_p.h
++++ b/src/svg/qsvgfont_p.h
+@@ -74,6 +74,7 @@ public:
+ class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted
+ {
+ public:
++ static constexpr qreal DEFAULT_UNITS_PER_EM = 1000;
+ QSvgFont(qreal horizAdvX);
+
+ void setFamilyName(const QString &name);
+@@ -86,7 +87,7 @@ public:
+ void draw(QPainter *p, const QPointF &point, const QString &str, qreal pixelSize, Qt::Alignment alignment) const;
+ public:
+ QString m_familyName;
+- qreal m_unitsPerEm;
++ qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM;
+ qreal m_ascent;
+ qreal m_descent;
+ qreal m_horizAdvX;
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -2666,7 +2666,7 @@ static bool parseFontFaceNode(QSvgStyleP
+
+ qreal unitsPerEm = toDouble(unitsPerEmStr);
+ if (!unitsPerEm)
+- unitsPerEm = 1000;
++ unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
+
+ if (!name.isEmpty())
+ font->setFamilyName(name);
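Review bot: The default member initializer added to `m_unitsPerEm` in qsvgfont_p.h leaves the neighbouring `m_ascent` and `m_descent` members, visible in the same hunk, still without any initializer; if either is ever read before its setter has run (the code that reads them is not in this diff, so I cannot confirm that it is), the same uninitialized-read class of problem remains, and `qreal m_ascent = 0;` / `qreal m_descent = 0;` would be a cheap companion change. In the qsvghandler.cpp hunk, `if (!unitsPerEm)` only replaces an exact zero, so a negative value that `toDouble` accepts would still be stored and would presumably reach the division the report mentions; `if (!(unitsPerEm > 0))` would also catch that case, which is what the wording "a sane default for units-per-em" suggests was intended. Since this patch is a straight backport of the upstream commit, any such tightening should be proposed upstream rather than carried as a Debian-only divergence. Both enclosing definitions (the QSvgFont class and parseFontFaceNode) start and end outside the hunk.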
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
reject_oversize_svgs.diff
+CVE-2023-32573.diff