Your message dated Sat, 05 Jul 2025 21:33:14 +0000
with message-id <E1uYAVW-008jHc-0f@respighi.debian.org>
and subject line unblock qtbase-opensource-src
has caused the Debian Bug report #1108831,
regarding unblock: qtbase-opensource-src/5.15.15+dfsg-6
to be marked as done.

This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.)

--
1108831: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108831
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: unblock: qtbase-opensource-src/5.15.15+dfsg-6
- From: Dmitry Shachnev <mitya57@debian.org>
- Date: Sat, 5 Jul 2025 22:38:23 +0300
- Message-id: <aGl_L-pOj1cH8iNR@mitya57.me>
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: qtbase-opensource-src@packages.debian.org
Control: affects -1 + src:qtbase-opensource-src
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package qtbase-opensource-src.

It fixes the same CVE as qt6-base 6.8.2+dfsg-8, so I took the liberty to copy some wording from qt6-base unblock bug (#1108624).

[ Reason ]
This upload backports a patch fixing CVE-2025-5455 (#1108475).

[ Impact ]
If malformed data is sent and a specific function in the Qt API (qDecodeDataUrl()) is used, it could result in a denial of service.

[ Tests ]
No manual tests were conducted, but the patch is directly from upstream Qt where it's been part of the 5.15.19 release and has therefore gone through the normal QA.

[ Risks ]
I deem the risks to be low. The patch is taken directly from upstream and has been part of the 5.15.19 release. The patch in itself is rather simple, just 4 deletions and 5 insertions.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock qtbase-opensource-src/5.15.15+dfsg-6

--
Dmitry Shachnev

--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +qtbase-opensource-src (5.15.15+dfsg-6) unstable; urgency=medium + + * Backport upstream patch to fix assertion errors in data: URL parsing + (CVE-2025-5455, closes: #1108475). + + -- Dmitry Shachnev <mitya57@debian.org> Sun, 29 Jun 2025 22:50:45 +0300 + qtbase-opensource-src (5.15.15+dfsg-5) unstable; urgency=medium * Backport upstream patch to add null checks in table iface methods in --- /dev/null +++ b/debian/patches/CVE-2025-5455.diff 
@@ -0,0 +1,30 @@ +Description: qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at() + It is a precondition violation to call QByteArrayView::at() with + size() as argument. The code used that, though, as an implicit + end-of-string check, assuming == ' ' and == '=' would both fail for + null bytes. Besides, QByteArrays (but most certainly QByteArrayViews) + need not be null-terminated, so this could read even past size(). + . + To fix, use higher-level API (startsWith()), consuming parsed tokens + along the way. +Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2025-5455-qtbase-5.15.patch +Last-Update: 2025-06-29 + +--- a/src/corelib/io/qdataurl.cpp ++++ b/src/corelib/io/qdataurl.cpp +@@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const + } + + if (data.toLower().startsWith("charset")) { +- int i = 7; // strlen("charset") +- while (data.at(i) == ' ') +- ++i; +- if (data.at(i) == '=') ++ int prefixSize = 7; // strlen("charset") ++ QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize); ++ while (copy.startsWith(QLatin1String(" "))) ++ copy = copy.mid(1); ++ if (copy.startsWith(QLatin1String("="))) + data.prepend("text/plain;"); + } + --- a/debian/patches/series +++ b/debian/patches/series @@ -19,6 +19,7 @@ revert_statusnotifierhost_checking.diff dont_fallback_to_x11_tray_on_non_x11.diff check_dbus_tray_availability_every_time.diff a11y_null_checks.diff +CVE-2025-5455.diff # Debian specific. no_htmlinfo_example.diff
Attachment: signature.asc
Description: PGP signature
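Review bot: in the qdataurl.cpp hunk, `QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize);` stays in bounds only because the enclosing `data.toLower().startsWith("charset")` check guarantees `data.size() >= 7`; a one-line comment stating that dependency would keep a later refactor from moving the construction out of the `if` and passing a negative length. The patch also carries no regression test, and the request says no manual tests were conducted: one case where the input ends right after `charset` and one where it ends in trailing spaces would exercise exactly the position where the removed `data.at(i)` was called with `i == size()`. In the patch header, a `Bug-Debian: https://bugs.debian.org/1108475` line would tie the file to the bug the changelog entry closes.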
--- End Message ---
--- Begin Message ---
- To: 1108831-done@bugs.debian.org
- Subject: unblock qtbase-opensource-src
- From: Ivo De Decker <ivodd@respighi.debian.org>
- Date: Sat, 05 Jul 2025 21:33:14 +0000
- Message-id: <E1uYAVW-008jHc-0f@respighi.debian.org>
Unblocked qtbase-opensource-src.
--- End Message ---