Your message dated Sun, 28 May 2023 09:52:08 +0200 with message-id <CAM8zJQsRwYzJ2xmRBi0J=obNxNuOmWeNL4impiOW6c+Sur1Srg@mail.gmail.com> and subject line Re: Bug#1036793: unblock: qtbase-opensource-src/5.15.8+dfsg-11 has caused the Debian Bug report #1036793, regarding unblock: qtbase-opensource-src/5.15.8+dfsg-11 to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1036793: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036793
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock: qtbase-opensource-src/5.15.8+dfsg-11
- From: Dmitry Shachnev <mitya57@debian.org>
- Date: Fri, 26 May 2023 12:37:58 +0300
- Message-id: <ZHB99rjCM/s0yw2P@mitya57.me>
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtbase-opensource-src@packages.debian.org
Control: affects -1 + src:qtbase-opensource-src

Please unblock package qtbase-opensource-src.

[ Reason ]
One more CVE was published for qtbase, CVE-2023-33285 [1].

[ Impact ]
QDnsLookup has a buffer over-read via a crafted reply from a DNS server.

[ Tests ]
No automated tests are run for this package. But QDnsLookup is covered by tests which are run as part of upstream CI: tests/auto/network/kernel/qdnslookup/tst_qdnslookup.cpp.

[ Risks ]
This change passed the upstream tests, so it should be safe.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Also I added DEP-3 headers to the patches from previous upload and renamed them in a consistent way. This will not affect the binary packages in any way.

The reported piuparts regression is in piuparts itself [2].

unblock qtbase-opensource-src/5.15.8+dfsg-11

[1]: https://security-tracker.debian.org/tracker/CVE-2023-33285
[2]: https://salsa.debian.org/debian/piuparts/-/merge_requests/42

--
Dmitry Shachnev

--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +qtbase-opensource-src (5.15.8+dfsg-11) unstable; urgency=medium + + * Rename the patches for consistency and add DEP-3 headers. + * Add a patch to fix buffer overflow in QDnsLookup (CVE-2023-33285). + + -- Dmitry Shachnev <mitya57@debian.org> Thu, 25 May 2023 13:45:05 +0300 + qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium * Add patches to fix CVE-2023-32762 and CVE-2023-32763. --- a/debian/patches/CVE-2023-32762.patch +++ b/debian/patches/CVE-2023-32762.diff 
@@ -1,6 +1,7 @@ ---- - src/network/access/qhsts.cpp | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) +Description: hsts: match header names case insensitively + Header field names are always considered to be case-insensitive. +Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff +Last-Update: 2023-05-22 --- a/src/network/access/qhsts.cpp +++ b/src/network/access/qhsts.cpp --- a/debian/patches/cve-2023-32763.diff +++ b/debian/patches/CVE-2023-32763.diff @@ -1,7 +1,7 @@ ---- - src/gui/painting/qfixed_p.h | 9 +++++++++ - src/gui/text/qtextlayout.cpp | 9 ++++++--- - 2 files changed, 15 insertions(+), 3 deletions(-) +Description: fix buffer overflow in Qt SVG + Adds qAddOverflow and qMulOverflow definitions to QFixed. +Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff +Last-Update: 2023-05-22 --- a/src/gui/painting/qfixed_p.h +++ b/src/gui/painting/qfixed_p.h --- /dev/null +++ b/debian/patches/CVE-2023-33285.diff 
@@ -0,0 +1,77 @@ +Description: QDnsLookup/Unix: make sure we don't overflow the buffer + The DNS Records are variable length and encode their size in 16 bits + before the Record Data (RDATA). Ensure that both the RDATA and the + Record header fields before it fall inside the buffer we have. + . + Additionally reject any replies containing more than one query records. +Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=7dba2c87619d558a +Last-Update: 2023-05-25 + +--- a/src/network/kernel/qdnslookup_unix.cpp ++++ b/src/network/kernel/qdnslookup_unix.cpp +@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int + // responseLength in case of error, we still can extract the + // exact error code from the response. + HEADER *header = (HEADER*)response; +- const int answerCount = ntohs(header->ancount); + switch (header->rcode) { + case NOERROR: + break; +@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int + return; + } + +- // Skip the query host, type (2 bytes) and class (2 bytes). + char host[PACKETSZ], answer[PACKETSZ]; + unsigned char *p = response + sizeof(HEADER); +- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +- if (status < 0) { ++ int status; ++ ++ if (ntohs(header->qdcount) == 1) { ++ // Skip the query host, type (2 bytes) and class (2 bytes). ++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); ++ if (status < 0) { ++ reply->error = QDnsLookup::InvalidReplyError; ++ reply->errorString = tr("Could not expand domain name"); ++ return; ++ } ++ if ((p - response) + status + 4 >= responseLength) ++ header->qdcount = 0xffff; // invalid reply below ++ else ++ p += status + 4; ++ } ++ if (ntohs(header->qdcount) > 1) { + reply->error = QDnsLookup::InvalidReplyError; +- reply->errorString = tr("Could not expand domain name"); ++ reply->errorString = tr("Invalid reply received"); + return; + } +- p += status + 4; + + // Extract results. 
++ const int answerCount = ntohs(header->ancount); + int answerIndex = 0; + while ((p < response + responseLength) && (answerIndex < answerCount)) { + status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int + const QString name = QUrl::fromAce(host); + + p += status; ++ ++ if ((p - response) + 10 > responseLength) { ++ // probably just a truncated reply, return what we have ++ return; ++ } + const quint16 type = (p[0] << 8) | p[1]; + p += 2; // RR type + p += 2; // RR class +@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int + p += 4; + const quint16 size = (p[0] << 8) | p[1]; + p += 2; ++ if ((p - response) + size > responseLength) ++ return; // truncated + + if (type == QDnsLookup::A) { + if (size != 4) { --- a/debian/patches/series +++ b/debian/patches/series @@ -15,8 +15,9 @@ image_deletion_order.diff qxcbwindow_set_geometry.diff CVE-2023-24607.diff qshapedpixmapwindow_no_tooltip.diff -cve-2023-32763.diff -CVE-2023-32762.patch +CVE-2023-32763.diff +CVE-2023-32762.diff +CVE-2023-33285.diff # Debian specific. gnukfreebsd.diffAttachment: signature.asc
Description: PGP signature
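
Review bot: In the `qdcount == 1` branch of the `@@ -260,18 +259,31 @@` hunk, the bound `(p - response) + status + 4 >= responseLength` uses `>=` where the two checks added further down use `>`, so a reply that ends exactly after the question section (no records following it) is reported as InvalidReplyError instead of yielding an empty result. If that is intended, a comment should say so; otherwise use `>`. The failure is also signalled by writing `header->qdcount = 0xffff` into the received packet and relying on the `ntohs(header->qdcount) > 1` test below it; setting `reply->error` and returning inside the branch would avoid mutating the response buffer and make the control flow explicit.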
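
Review bot: The literal 10 in `(p - response) + 10 > responseLength` (hunk `@@ -283,6 +295,11 @@`) is undocumented. It is the sum of the fixed fields read just below it: type (2), class (2), the 4 bytes skipped by `p += 4`, and the 16-bit size (2). A named constant, or a one-line comment listing those fields, would keep the check in step with the reads if either is changed later.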
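
Review bot: `if ((p - response) + size > responseLength) return; // truncated` in the `@@ -290,6 +307,8 @@` hunk returns without setting `reply->error`, unlike the question-section path earlier in the patch, which reports InvalidReplyError. A record whose 16-bit size runs past the end of the reply is the case the patch Description names, so either report it as InvalidReplyError or document why the records parsed so far are returned as a success; as written, a caller cannot tell this apart from a complete answer. The diff also carries no test for an oversized size field; a case in tests/auto/network/kernel/qdnslookup/tst_qdnslookup.cpp would pin the behaviour.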
--- End Message ---
--- Begin Message ---
- To: Dmitry Shachnev <mitya57@debian.org>, 1036793-done@bugs.debian.org
- Subject: Re: Bug#1036793: unblock: qtbase-opensource-src/5.15.8+dfsg-11
- From: Graham Inggs <ginggs@debian.org>
- Date: Sun, 28 May 2023 09:52:08 +0200
- Message-id: <CAM8zJQsRwYzJ2xmRBi0J=obNxNuOmWeNL4impiOW6c+Sur1Srg@mail.gmail.com>
- In-reply-to: <ZHB99rjCM/s0yw2P@mitya57.me>
- References: <ZHB99rjCM/s0yw2P@mitya57.me>
On Fri, 26 May 2023 at 11:42, Dmitry Shachnev <mitya57@debian.org> wrote:
> unblock qtbase-opensource-src/5.15.8+dfsg-11

Unblocked, thanks.
--- End Message ---