--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: qt6-base@packages.debian.org, deltaone@debian.org
Control: affects -1 + src:qt6-base
User: release.debian.org@packages.debian.org
Usertags: unblock
Dear Release Team,
please unblock package qt6-base.
[ Reason ]
This upload backports a patch fixing CVE-2025-5455.
[ Impact ]
If malformed data is sent and a specific function in the Qt API used,
it would result in a denial of service.
[ Tests ]
No manual tests were conducted, but the patch is directly from upstream Qt
where it's been part of the 6.8.4 release and has therefore gone through
the normal QA.
[ Risks ]
I deem the risks to be low. The patch is taken directly from upstream and
has been part of the 6.8.4 release.
The patch in itself is rather simple, just a couple of lines.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock qt6-base/6.8.2+dfsg-8
Thank you.
diff -Nru qt6-base-6.8.2+dfsg/debian/changelog qt6-base-6.8.2+dfsg/debian/changelog
--- qt6-base-6.8.2+dfsg/debian/changelog 2025-06-20 00:08:21.000000000 +0200
+++ qt6-base-6.8.2+dfsg/debian/changelog 2025-06-29 23:52:49.000000000 +0200
@@ -1,3 +1,10 @@
+qt6-base (6.8.2+dfsg-8) unstable; urgency=medium
+
+ [ Patrick Franz ]
+ * Backport patch to fix CVE-2025-5455 (Closes: #1108474).
+
+ -- Patrick Franz <deltaone@debian.org> Sun, 29 Jun 2025 23:52:49 +0200
+
qt6-base (6.8.2+dfsg-7) unstable; urgency=medium
[ Patrick Franz ]
diff -Nru qt6-base-6.8.2+dfsg/debian/patches/series qt6-base-6.8.2+dfsg/debian/patches/series
--- qt6-base-6.8.2+dfsg/debian/patches/series 2025-06-20 00:08:03.000000000 +0200
+++ qt6-base-6.8.2+dfsg/debian/patches/series 2025-06-29 23:47:49.000000000 +0200
@@ -7,6 +7,7 @@
# fixed in 6.8.4
upstream_cve-2025-3512_fix_heap_buffer_overflow.diff
+upstream_cve-2025-5455_fix_data_assertion_error.diff
# fixed in 6.8.3
upstream_unset_current_openglcontext.diff
diff -Nru qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff
--- qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff 1970-01-01 01:00:00.000000000 +0100
+++ qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff 2025-06-29 23:50:17.000000000 +0200
@@ -0,0 +1,28 @@
+Description: qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at()
+ It is a precondition violation to call QByteArrayView::at() with
+ size() as argument. The code used that, though, as an implicit
+ end-of-string check, assuming == ' ' and == '=' would both fail for
+ null bytes. Besides, QByteArrays (but most certainly QByteArrayViews)
+ need not be null-terminated, so this could read even past size().
+ .
+ To fix, use higher-level API (startsWith()), consuming parsed tokens
+ along the way.
+Origin: upstream, https://download.qt.io/official_releases/qt/6.8/CVE-2025-5455-qtbase-6.8.patch
+Last-Update: 2025-06-29
+
+--- a/src/corelib/io/qdataurl.cpp
++++ b/src/corelib/io/qdataurl.cpp
+@@ -47,10 +47,10 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray
+ QLatin1StringView textPlain;
+ constexpr auto charset = "charset"_L1;
+ if (QLatin1StringView{data}.startsWith(charset, Qt::CaseInsensitive)) {
+- qsizetype i = charset.size();
+- while (data.at(i) == ' ')
+- ++i;
+- if (data.at(i) == '=')
++ QByteArrayView copy = data.sliced(charset.size());
++ while (copy.startsWith(' '))
++ copy.slice(1);
++ if (copy.startsWith('='))
+ textPlain = "text/plain;"_L1;
+ }
--- End Message ---