
Bug#1036867: marked as done (unblock: qt6-base/6.4.2+dfsg-10)



Your message dated Wed, 31 May 2023 22:09:27 +0200
with message-id <64ef3095-e5eb-6a54-d48c-fbe1e5ec5be9@debian.org>
and subject line Re: Bug#1036867: unblock: qt6-base/6.4.2+dfsg-10
has caused the Debian Bug report #1036867,
regarding unblock: qt6-base/6.4.2+dfsg-10
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1036867: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036867
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: deltaone@debian.org,debian-qt-kde@lists.debian.org

Please unblock package qt6-base

[ Reason ]
Fixes CVE-2023-33285 that prevents a buffer overflow.

[ Impact ]
Lack of security fixes.

[ Tests ]
Tested by upstream, does not break API/ABI, seems safe.

[ Risks ]
None that I can think of.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock qt6-base/6.4.2+dfsg-10
diffstat for qt6-base-6.4.2+dfsg qt6-base-6.4.2+dfsg

 changelog                   |    7 ++++
 patches/cve-2023-33285.diff |   70 ++++++++++++++++++++++++++++++++++++++++++++
 patches/series              |    3 +
 3 files changed, 79 insertions(+), 1 deletion(-)

diff -Nru qt6-base-6.4.2+dfsg/debian/changelog qt6-base-6.4.2+dfsg/debian/changelog
--- qt6-base-6.4.2+dfsg/debian/changelog	2023-05-22 16:40:45.000000000 +0200
+++ qt6-base-6.4.2+dfsg/debian/changelog	2023-05-28 10:41:24.000000000 +0200
@@ -1,3 +1,10 @@
+qt6-base (6.4.2+dfsg-10) unstable; urgency=medium
+
+  [ Patrick Franz ]
+  * Add patch to fix CVE-2023-33285 (Closes: #1036848).
+
+ -- Patrick Franz <deltaone@debian.org>  Sun, 28 May 2023 10:41:24 +0200
+
 qt6-base (6.4.2+dfsg-9) unstable; urgency=medium
 
   * Team upload.
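Review bot: the new changelog entry identifies the change only by its CVE number, and the patch file it refers to (debian/patches/cve-2023-33285.diff) starts directly at its `diff --git` line with no description or origin header, so nothing in the upload records what is being fixed or where the patch came from. Suggest extending the entry to say that it adds bounds checks to DNS reply parsing in src/network/kernel/qdnslookup_unix.cpp, and adding a header to the patch file that names its upstream source.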
diff -Nru qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff
--- qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff	1970-01-01 01:00:00.000000000 +0100
+++ qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff	2023-05-28 10:40:55.000000000 +0200
@@ -0,0 +1,70 @@
+diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
+index 75f7c6c440..de0113494f 100644
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+     // responseLength in case of error, we still can extract the
+     // exact error code from the response.
+     HEADER *header = (HEADER*)response;
+-    const int answerCount = ntohs(header->ancount);
+     switch (header->rcode) {
+     case NOERROR:
+         break;
+@@ -226,18 +225,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         return;
+     }
+
+-    // Skip the query host, type (2 bytes) and class (2 bytes).
+     char host[PACKETSZ], answer[PACKETSZ];
+     unsigned char *p = response + sizeof(HEADER);
+-    int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+-    if (status < 0) {
++    int status;
++
++    if (ntohs(header->qdcount) == 1) {
++        // Skip the query host, type (2 bytes) and class (2 bytes).
++        status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
++        if (status < 0) {
++            reply->error = QDnsLookup::InvalidReplyError;
++            reply->errorString = tr("Could not expand domain name");
++            return;
++        }
++        if ((p - response) + status + 4 >= responseLength)
++            header->qdcount = 0xffff;   // invalid reply below
++        else
++            p += status + 4;
++    }
++    if (ntohs(header->qdcount) > 1) {
+         reply->error = QDnsLookup::InvalidReplyError;
+-        reply->errorString = tr("Could not expand domain name");
++        reply->errorString = tr("Invalid reply received");
+         return;
+     }
+-    p += status + 4;
+
+     // Extract results.
++    const int answerCount = ntohs(header->ancount);
+     int answerIndex = 0;
+     while ((p < response + responseLength) && (answerIndex < answerCount)) {
+         status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
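Review bot: in the new `qdcount == 1` branch, the check `(p - response) + status + 4 >= responseLength` uses `>=`, so a reply that ends exactly at the end of the question section is routed to the "Invalid reply received" error instead of reaching the answer loop with nothing left to read. If that is intended, a comment should say so; otherwise `>` is the comparison that rejects only a question running past the buffer. The same branch signals the failure by writing `0xffff` into `header->qdcount` inside the response buffer and relying on the following `ntohs(header->qdcount) > 1` test to catch it; setting `reply->error` and returning at that point, or testing a local copy of the count, would make the control flow explicit and leave the received packet unmodified.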
+@@ -249,6 +261,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         const QString name = QUrl::fromAce(host);
+
+         p += status;
++
++        if ((p - response) + 10 > responseLength) {
++            // probably just a truncated reply, return what we have
++            return;
++        }
+         const quint16 type = (p[0] << 8) | p[1];
+         p += 2; // RR type
+         p += 2; // RR class
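Review bot: the constant in `(p - response) + 10 > responseLength` is unexplained at the point of use. It covers the fixed part of a resource record that is read just below (2 bytes type, 2 bytes class, 4 bytes TTL, 2 bytes data length), and a named constant or a one-line comment spelling out that sum would let a reader verify the bound without counting the `p +=` steps that continue into the next hunk.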
+@@ -256,6 +273,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         p += 4;
+         const quint16 size = (p[0] << 8) | p[1];
+         p += 2;
++        if ((p - response) + size > responseLength)
++            return;             // truncated
+
+         if (type == QDnsLookup::A) {
+             if (size != 4) {
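Review bot: the added check `(p - response) + size > responseLength` returns without setting `reply->error`, so as far as these lines show, a record whose length field claims more data than the reply holds is not reported to the caller as a failure, while the question-section path earlier in this patch sets `QDnsLookup::InvalidReplyError` for a comparable overrun. The `// truncated` comment should state why returning the records parsed so far is the intended outcome here, or the branch should set an error so callers can tell a short or malformed reply from a complete one.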
diff -Nru qt6-base-6.4.2+dfsg/debian/patches/series qt6-base-6.4.2+dfsg/debian/patches/series
--- qt6-base-6.4.2+dfsg/debian/patches/series	2023-05-22 16:37:22.000000000 +0200
+++ qt6-base-6.4.2+dfsg/debian/patches/series	2023-05-28 10:22:01.000000000 +0200
@@ -1,6 +1,7 @@
-# fixed in 6.5
+# fixed in 6.5.1
 cve-2023-32762.diff
 cve-2023-32763.diff
+cve-2023-33285.diff
 upstream_Add-HPPA-detection.patch
 upstream_Add-M68k-detection.patch
 
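Review bot: changing the shared comment from `# fixed in 6.5` to `# fixed in 6.5.1` relabels the two existing entries below it, cve-2023-32762.diff and cve-2023-32763.diff, as well as the new one. If those two were fixed in 6.5 as the old comment said, give cve-2023-33285.diff its own comment line rather than editing the one above them.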

--- End Message ---
--- Begin Message ---
Hi,

On 28-05-2023 10:58, Patrick Franz wrote:
> unblock qt6-base/6.4.2+dfsg-10

Unblocked, thanks.

Paul


--- End Message ---
