
Bug#1107418: marked as done (unblock: qt6-imageformats/6.8.2-4)



Your message dated Sat, 07 Jun 2025 15:05:11 +0000
with message-id <E1uNv6d-009bsv-0f@respighi.debian.org>
and subject line unblock qt6-imageformats
has caused the Debian Bug report #1107418,
regarding unblock: qt6-imageformats/6.8.2-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1107418: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1107418
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: qt6-imageformats@packages.debian.org, deltaone@debian.org
Control: affects -1 + src:qt6-imageformats
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release-Team,

please unblock package qt6-imageformats.

[ Reason ]
Backporting a patch to fix CVE-2025-5683.

[ Impact ]
The patch fixes a bug that can trigger a crash with specifically crafted
ICNS images.

[ Tests ]
The patch is taken directly from the upstream LTS branch and has gone
through the usual testing in Qt upstream.

[ Risks ]
The code is effectively a 2-line patch and since it is taken directly from
upstream where it goes through QA, I deem the risk to be low.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
The link to the security tracker:
https://security-tracker.debian.org/tracker/CVE-2025-5683
diff -Nru qt6-imageformats-6.8.2/debian/changelog qt6-imageformats-6.8.2/debian/changelog
--- qt6-imageformats-6.8.2/debian/changelog	2025-03-01 12:41:03.000000000 +0100
+++ qt6-imageformats-6.8.2/debian/changelog	2025-06-06 19:37:30.000000000 +0200
@@ -1,3 +1,10 @@
+qt6-imageformats (6.8.2-4) unstable; urgency=medium
+
+  [ Patrick Franz ]
+  * Backport patch to fix CVE-2025-5683 (Closes: #1107317).
+
+ -- Patrick Franz <deltaone@debian.org>  Fri, 06 Jun 2025 19:37:30 +0200
+
 qt6-imageformats (6.8.2-3) unstable; urgency=medium
 
   * Upload to unstable.
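
Review bot: The 6.8.2-4 entry names the CVE but not what it affects, so the changelog alone does not say that the fix concerns the ICNS handler or which patch file carries it. Consider wording along the lines of "Backport upstream patch to fix an assert on invalid ICNS images (CVE-2025-5683)" and naming debian/patches/CVE-2025-5683.diff in the entry.
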
diff -Nru qt6-imageformats-6.8.2/debian/patches/CVE-2025-5683.diff qt6-imageformats-6.8.2/debian/patches/CVE-2025-5683.diff
--- qt6-imageformats-6.8.2/debian/patches/CVE-2025-5683.diff	1970-01-01 01:00:00.000000000 +0100
+++ qt6-imageformats-6.8.2/debian/patches/CVE-2025-5683.diff	2025-06-06 19:35:34.000000000 +0200
@@ -0,0 +1,43 @@
+From efd332516f510144927121fa749ce819b82ec633 Mon Sep 17 00:00:00 2001
+From: Samuel Gaist <samuel.gaist@idiap.ch>
+Date: Fri, 09 May 2025 17:12:49 +0200
+Subject: [PATCH] Fix validation issue for ICNS image
+
+The header validation logic could trigger an assert when an invalid ICNS
+image was loaded. This patch fixes the validation logic.
+
+Credit to OSS-Fuzz
+
+Fixes: QTBUG-136707
+Pick-to: 6.9 6.8 6.5
+Change-Id: I9571b9fd0b53d07ceee9792c9418472e949eff30
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+---
+
+diff --git a/src/plugins/imageformats/icns/qicnshandler.cpp b/src/plugins/imageformats/icns/qicnshandler.cpp
+index 6cf74b2..501394d 100644
+--- a/src/plugins/imageformats/icns/qicnshandler.cpp
++++ b/src/plugins/imageformats/icns/qicnshandler.cpp
+@@ -324,8 +324,11 @@
+ 
+ static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0)
+ {
+-    return header.ostype != 0 && (bound == 0
+-                || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length);
++    return header.ostype != 0 &&
++        (bound == 0 ||
++            // qBound can be used but requires checking the limits first
++            // this requires less operations
++            (ICNSBlockHeaderSize <= header.length && header.length <= bound));
+ }
+ 
+ static inline bool isIconCompressed(const ICNSEntry &icon)
+@@ -870,7 +873,7 @@
+             return false;
+ 
+         const qint64 blockDataOffset = device()->pos();
+-        if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) {
++        if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) {
+             qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u",
+                      QByteArray::number(blockDataOffset).constData(),
+                      nameFromOSType(blockHeader.ostype).constData(), blockHeader.length);
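
Review bot: At the scanDevice() call, the computed value `ICNSBlockHeaderSize - blockDataOffset + filelength` lands in a quint64 parameter for which isBlockHeaderValid() treats 0 as "no bound". A result of exactly 0 therefore skips the length check altogether, and a negative intermediate would convert to a very large bound that any header.length satisfies. It is worth confirming that neither case can occur at this call site, or rejecting the block before the call. The operand reorder on that same line is arithmetically equivalent on paper and carries no comment saying why the order matters; a one-line comment there would help the next reader, as the new comment in isBlockHeaderValid() does for the qBound replacement.
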
diff -Nru qt6-imageformats-6.8.2/debian/patches/series qt6-imageformats-6.8.2/debian/patches/series
--- qt6-imageformats-6.8.2/debian/patches/series	1970-01-01 01:00:00.000000000 +0100
+++ qt6-imageformats-6.8.2/debian/patches/series	2025-06-06 19:36:17.000000000 +0200
@@ -0,0 +1,2 @@
+# Fixed in 6.8.5/6.9.1
+CVE-2025-5683.diff
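
Review bot: The "# Fixed in 6.8.5/6.9.1" comment is only loosely tied to the entry below it and becomes ambiguous once more patches are listed in series. Recording the fixed versions inside CVE-2025-5683.diff itself, for example in a DEP-3 Applied-Upstream field, keeps that information with the patch it describes.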

--- End Message ---
--- Begin Message ---
Unblocked qt6-imageformats.

--- End Message ---