
Bug#1108624: marked as done (unblock: qt6-base/6.8.2+dfsg-8)



Your message dated Tue, 01 Jul 2025 18:55:06 +0000
with message-id <E1uWg8I-003q0H-2p@respighi.debian.org>
and subject line unblock qt6-base
has caused the Debian Bug report #1108624,
regarding unblock: qt6-base/6.8.2+dfsg-8
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108624: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108624
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: qt6-base@packages.debian.org, deltaone@debian.org
Control: affects -1 + src:qt6-base
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

please unblock package qt6-base.

[ Reason ]
This upload backports a patch fixing CVE-2025-5455.

[ Impact ]
If malformed data is sent and a specific function in the Qt API is used,
it would result in a denial of service.

[ Tests ]
No manual tests were conducted, but the patch is directly from upstream Qt
where it's been part of the 6.8.4 release and has therefore gone through
the normal QA.

[ Risks ]
I deem the risks to be low. The patch is taken directly from upstream and
has been part of the 6.8.4 release.
The patch in itself is rather simple, just a couple of lines.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock qt6-base/6.8.2+dfsg-8

Thank you.
diff -Nru qt6-base-6.8.2+dfsg/debian/changelog qt6-base-6.8.2+dfsg/debian/changelog
--- qt6-base-6.8.2+dfsg/debian/changelog	2025-06-20 00:08:21.000000000 +0200
+++ qt6-base-6.8.2+dfsg/debian/changelog	2025-06-29 23:52:49.000000000 +0200
@@ -1,3 +1,10 @@
+qt6-base (6.8.2+dfsg-8) unstable; urgency=medium
+
+  [ Patrick Franz ]
+  * Backport patch to fix CVE-2025-5455 (Closes: #1108474).
+
+ -- Patrick Franz <deltaone@debian.org>  Sun, 29 Jun 2025 23:52:49 +0200
+
 qt6-base (6.8.2+dfsg-7) unstable; urgency=medium
 
   [ Patrick Franz ]
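Review bot: the new changelog entry names the CVE and the bug it closes but not where the fix comes from, while the series file below files the patch under "# fixed in 6.8.4". Stating the origin here as well ("Backport upstream patch (from 6.8.4) to fix CVE-2025-5455") keeps the changelog self-explanatory for anyone reading it without the debdiff.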
diff -Nru qt6-base-6.8.2+dfsg/debian/patches/series qt6-base-6.8.2+dfsg/debian/patches/series
--- qt6-base-6.8.2+dfsg/debian/patches/series	2025-06-20 00:08:03.000000000 +0200
+++ qt6-base-6.8.2+dfsg/debian/patches/series	2025-06-29 23:47:49.000000000 +0200
@@ -7,6 +7,7 @@
 
 # fixed in 6.8.4
 upstream_cve-2025-3512_fix_heap_buffer_overflow.diff
+upstream_cve-2025-5455_fix_data_assertion_error.diff
 
 # fixed in 6.8.3
 upstream_unset_current_openglcontext.diff
diff -Nru qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff
--- qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff	1970-01-01 01:00:00.000000000 +0100
+++ qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff	2025-06-29 23:50:17.000000000 +0200
@@ -0,0 +1,28 @@
+Description: qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at()
+ It is a precondition violation to call QByteArrayView::at() with
+ size() as argument. The code used that, though, as an implicit
+ end-of-string check, assuming == ' ' and == '=' would both fail for
+ null bytes. Besides, QByteArrays (but most certainly QByteArrayViews)
+ need not be null-terminated, so this could read even past size().
+ .
+ To fix, use higher-level API (startsWith()), consuming parsed tokens
+ along the way.
+Origin: upstream, https://download.qt.io/official_releases/qt/6.8/CVE-2025-5455-qtbase-6.8.patch
+Last-Update: 2025-06-29
+
+--- a/src/corelib/io/qdataurl.cpp
++++ b/src/corelib/io/qdataurl.cpp
+@@ -47,10 +47,10 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray
+         QLatin1StringView textPlain;
+         constexpr auto charset = "charset"_L1;
+         if (QLatin1StringView{data}.startsWith(charset, Qt::CaseInsensitive)) {
+-            qsizetype i = charset.size();
+-            while (data.at(i) == ' ')
+-                ++i;
+-            if (data.at(i) == '=')
++            QByteArrayView copy = data.sliced(charset.size());
++            while (copy.startsWith(' '))
++                copy.slice(1);
++            if (copy.startsWith('='))
+                 textPlain = "text/plain;"_L1;
+         }
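Review bot: the DEP-3 header of the new patch file carries Description, Origin and Last-Update but no Bug-Debian (https://bugs.debian.org/1108474) or Applied-Upstream (6.8.4) field, although the changelog closes #1108474 and the series comment files the patch under 6.8.4; adding those two lines ties the patch to the bug and the upstream release without having to cross-reference other files. On the code itself the replacement is sound as far as the hunk shows: the old loop called data.at(i) with i reaching size() whenever the mediatype was "charset" followed by nothing or only spaces, whereas copy.startsWith(' ') and copy.startsWith('=') both return false on an exhausted view, so the loop terminates and no index is ever formed. The hunk relies on the in-place QByteArrayView::slice(qsizetype) overload; since the Origin URL is the upstream file cut for the 6.8 branch it should be present in 6.8.2, and a clean build of 6.8.2+dfsg-8 is the check that settles it.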

--- End Message ---
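The following is an added, self-contained example and not Qt code or part of the unblock request. It models the charset check that the hunk above changes in qDecodeDataUrl(), using std::string_view as a stand-in for QByteArrayView and an exception as a stand-in for the Q_ASSERT that fires in a debug build of Qt when at() is called with size() as its argument. The "before" function mirrors the removed lines and the "after" function mirrors the added ones; the mediatype strings fed to them are constructed to match what qDecodeDataUrl() has left by that point (the part between "data:" and the comma, trimmed, with any trailing ";base64" already chopped), so both a bare "charset" and "charset" followed only by spaces reach the check.

```cpp
// Added example (not Qt's code): model of the qDecodeDataUrl() charset check
// before and after the CVE-2025-5455 fix, on a std::string_view stand-in for
// QByteArrayView. Built and tested with C++17.
#include <cassert>
#include <cctype>
#include <cstddef>
#include <stdexcept>
#include <string>
#include <string_view>

// Stand-in for QByteArrayView::at(): Qt asserts 0 <= i < size() in debug
// builds and reads out of bounds otherwise. The violated precondition is
// modelled as an exception so it can be observed instead of crashing.
char checked_at(std::string_view v, std::size_t i) {
    if (i >= v.size())
        throw std::out_of_range("at(): index == size() violates precondition");
    return v[i];
}

// Case-insensitive prefix test, standing in for
// QLatin1StringView::startsWith(..., Qt::CaseInsensitive).
bool istarts_with(std::string_view s, std::string_view prefix) {
    if (s.size() < prefix.size())
        return false;
    for (std::size_t i = 0; i < prefix.size(); ++i)
        if (std::tolower(static_cast<unsigned char>(s[i])) !=
            std::tolower(static_cast<unsigned char>(prefix[i])))
            return false;
    return true;
}

// Stand-in for QByteArrayView::startsWith(char): false on an empty view.
bool starts_with_char(std::string_view s, char c) {
    return !s.empty() && s.front() == c;
}

// "Before": the removed lines of the hunk. 'data' is the mediatype part of
// the data: URL as qDecodeDataUrl() has prepared it (trimmed, ";base64"
// chopped). Returns the prefix that is put in front of the MIME type.
std::string mime_prefix_before(std::string_view data) {
    std::string textPlain;
    constexpr std::string_view charset = "charset";
    if (istarts_with(data, charset)) {
        std::size_t i = charset.size();
        while (checked_at(data, i) == ' ')   // reaches at(size()) on "charset"
            ++i;
        if (checked_at(data, i) == '=')
            textPlain = "text/plain;";
    }
    return textPlain;
}

// "After": the added lines of the hunk. Consumes parsed tokens from a copy
// of the view and never forms an index, so an exhausted view is harmless.
std::string mime_prefix_after(std::string_view data) {
    std::string textPlain;
    constexpr std::string_view charset = "charset";
    if (istarts_with(data, charset)) {
        std::string_view copy = data.substr(charset.size());
        while (starts_with_char(copy, ' '))  // false once copy is empty
            copy.remove_prefix(1);
        if (starts_with_char(copy, '='))
            textPlain = "text/plain;";
    }
    return textPlain;
}

// True if the "before" logic violates the at() precondition on this input.
bool before_violates_precondition(std::string_view data) {
    try {
        (void)mime_prefix_before(data);
        return false;
    } catch (const std::out_of_range &) {
        return true;
    }
}

int main() {
    // Constructed mediatype strings (what sits between "data:" and ',').
    assert(mime_prefix_after("charset=utf-8") == "text/plain;");
    assert(mime_prefix_after("charset   =utf-8") == "text/plain;");
    assert(mime_prefix_after("charset") == "");        // the CVE-2025-5455 input
    assert(mime_prefix_after("charset   ") == "");     // left by "charset   ;base64"
    assert(before_violates_precondition("charset"));
    assert(before_violates_precondition("charset   "));
    assert(!before_violates_precondition("charset=utf-8"));
    return 0;
}
```

The "before" function is deliberately faithful to the removed lines: it is the at(size()) call in the while loop, not the '=' comparison, that is reached first on "charset", which is why a debug build of Qt aborts there. In a release build the same call reads one byte past the view, which is the out-of-bounds read the upstream description mentions for views that are not null-terminated.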
--- Begin Message ---
Unblocked qt6-base.

--- End Message ---
