
Bug#1108831: marked as done (unblock: qtbase-opensource-src/5.15.15+dfsg-6)



Your message dated Sat, 05 Jul 2025 21:33:14 +0000
with message-id <E1uYAVW-008jHc-0f@respighi.debian.org>
and subject line unblock qtbase-opensource-src
has caused the Debian Bug report #1108831,
regarding unblock: qtbase-opensource-src/5.15.15+dfsg-6
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108831: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108831
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: qtbase-opensource-src@packages.debian.org
Control: affects -1 + src:qtbase-opensource-src
User: release.debian.org@packages.debian.org
Usertags: unblock

Dear Release Team,

Please unblock package qtbase-opensource-src.

It fixes the same CVE as qt6-base 6.8.2+dfsg-8, so I took the liberty to
copy some wording from the qt6-base unblock bug (#1108624).

[ Reason ]
This upload backports a patch fixing CVE-2025-5455 (#1108475).

[ Impact ]
If malformed data is sent and a specific function in the Qt API
(qDecodeDataUrl()) is used, it could result in a denial of service.

[ Tests ]
No manual tests were conducted, but the patch is directly from upstream Qt
where it's been part of the 5.15.19 release and has therefore gone through
the normal QA.

[ Risks ]
I deem the risks to be low. The patch is taken directly from upstream and
has been part of the 5.15.19 release.
The patch in itself is rather simple, just 4 deletions and 5 insertions.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock qtbase-opensource-src/5.15.15+dfsg-6

--
Dmitry Shachnev
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qtbase-opensource-src (5.15.15+dfsg-6) unstable; urgency=medium
+
+  * Backport upstream patch to fix assertion errors in data: URL parsing
+    (CVE-2025-5455, closes: #1108475).
+
+ -- Dmitry Shachnev <mitya57@debian.org>  Sun, 29 Jun 2025 22:50:45 +0300
+
 qtbase-opensource-src (5.15.15+dfsg-5) unstable; urgency=medium
 
   * Backport upstream patch to add null checks in table iface methods in
--- /dev/null
+++ b/debian/patches/CVE-2025-5455.diff
@@ -0,0 +1,30 @@
+Description: qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at()
+ It is a precondition violation to call QByteArrayView::at() with
+ size() as argument. The code used that, though, as an implicit
+ end-of-string check, assuming == ' ' and == '=' would both fail for
+ null bytes. Besides, QByteArrays (but most certainly QByteArrayViews)
+ need not be null-terminated, so this could read even past size().
+ .
+ To fix, use higher-level API (startsWith()), consuming parsed tokens
+ along the way.
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2025-5455-qtbase-5.15.patch
+Last-Update: 2025-06-29
+
+--- a/src/corelib/io/qdataurl.cpp
++++ b/src/corelib/io/qdataurl.cpp
+@@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const
+         }
+ 
+         if (data.toLower().startsWith("charset")) {
+-            int i = 7;      // strlen("charset")
+-            while (data.at(i) == ' ')
+-                ++i;
+-            if (data.at(i) == '=')
++            int prefixSize = 7; // strlen("charset")
++            QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize);
++            while (copy.startsWith(QLatin1String(" ")))
++                copy = copy.mid(1);
++            if (copy.startsWith(QLatin1String("=")))
+                 data.prepend("text/plain;");
+         }
+ 
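Review bot: In the qdataurl.cpp change, `copy` is a QLatin1String built from `data.constData() + prefixSize`, so it is a non-owning view into `data` rather than a copy, and its length `data.size() - prefixSize` is non-negative only because of the `startsWith("charset")` guard on the line above. A short comment stating both, or a name such as `rest`, would keep a later edit from using the view after `data.prepend()` reallocates the buffer or from moving the construction outside the guard. The DEP-3 header of the new patch file also has no Bug-Debian field although the changelog entry closes #1108475, and since the request says no manual tests were conducted, a regression test for a data: URL whose media type ends directly after "charset" (with and without trailing spaces) would be worth carrying alongside the patch.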
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -19,6 +19,7 @@ revert_statusnotifierhost_checking.diff
 dont_fallback_to_x11_tray_on_non_x11.diff
 check_dbus_tray_availability_every_time.diff
 a11y_null_checks.diff
+CVE-2025-5455.diff
 
 # Debian specific.
 no_htmlinfo_example.diff


--- End Message ---
--- Begin Message ---
Unblocked qtbase-opensource-src.

--- End Message ---
