Bug#1108868: marked as done (unblock: qtimageformats-opensource-src/5.15.15-4)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Sun, 06 Jul 2025 17:54:18 +0000
with message-id <E1uYTZC-009jpV-0p@respighi.debian.org>
and subject line unblock qtimageformats-opensource-src
has caused the Debian Bug report #1108868,
regarding unblock: qtimageformats-opensource-src/5.15.15-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108868: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108868
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: Debian Bug Tracking System <submit@bugs.debian.org>
• Subject: unblock: qtimageformats-opensource-src/5.15.15-4
• From: Salvatore Bonaccorso <carnil@debian.org>
• Date: Sun, 06 Jul 2025 16:06:02 +0200
• Message-id: <[🔎] 175181076242.3501436.13621398377378175848.reportbug@eldamar.lan>

Package: release.debian.org
Severity: normal
X-Debbugs-Cc: qtimageformats-opensource-src@packages.debian.org, team@security.debian.org, Dmitry Shachnev <mitya57@debian.org>, carnil@debian.org
Control: affects -1 + src:qtimageformats-opensource-src
User: release.debian.org@packages.debian.org
Usertags: unblock

Hi

qtimageformats-opensource-src in trixie is vulnerable to
CVE-2025-5683, cf. #1107318.

The package cannot migrate automatically as it does not contain
autopkgtests.

Dmitry what is your take on it?

Attached is the debdiff for the package fixing the issue.

Regards,
Salvatore

diff -Nru qtimageformats-opensource-src-5.15.15/debian/changelog qtimageformats-opensource-src-5.15.15/debian/changelog
--- qtimageformats-opensource-src-5.15.15/debian/changelog	2024-10-28 22:08:53.000000000 +0100
+++ qtimageformats-opensource-src-5.15.15/debian/changelog	2025-06-06 09:57:26.000000000 +0200
@@ -1,3 +1,10 @@
+qtimageformats-opensource-src (5.15.15-4) unstable; urgency=medium
+
+  * Backport upstream patch to fix validation issue for ICNS image
+    (CVE-2025-5683, closes: #1107318).
+
+ -- Dmitry Shachnev <mitya57@debian.org>  Fri, 06 Jun 2025 10:57:26 +0300
+
 qtimageformats-opensource-src (5.15.15-3) unstable; urgency=medium
 
   * Add a patch to reject broken MNG images, backported from qtbase 6.0
diff -Nru qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch
--- qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch	1970-01-01 01:00:00.000000000 +0100
+++ qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch	2025-06-06 09:57:26.000000000 +0200
@@ -0,0 +1,31 @@
+Description: fix validation issue for ICNS image
+ The header validation logic could trigger an assert when an invalid ICNS
+ image was loaded. This patch fixes the validation logic.
+Origin: upstream, https://code.qt.io/cgit/qt/qtimageformats.git/commit/?id=efd332516f510144
+Last-Update: 2025-06-06
+
+--- a/src/plugins/imageformats/icns/qicnshandler.cpp
++++ b/src/plugins/imageformats/icns/qicnshandler.cpp
+@@ -359,8 +359,11 @@ static inline bool isPowOf2OrDividesBy16
+ 
+ static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0)
+ {
+-    return header.ostype != 0 && (bound == 0
+-                || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length);
++    return header.ostype != 0 &&
++        (bound == 0 ||
++            // qBound can be used but requires checking the limits first
++            // this requires less operations
++            (ICNSBlockHeaderSize <= header.length && header.length <= bound));
+ }
+ 
+ static inline bool isIconCompressed(const ICNSEntry &icon)
+@@ -899,7 +902,7 @@ bool QICNSHandler::scanDevice()
+             return false;
+ 
+         const qint64 blockDataOffset = device()->pos();
+-        if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) {
++        if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) {
+             qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u",
+                      QByteArray::number(blockDataOffset).constData(),
+                      nameFromOSType(blockHeader.ostype).constData(), blockHeader.length);
diff -Nru qtimageformats-opensource-src-5.15.15/debian/patches/series qtimageformats-opensource-src-5.15.15/debian/patches/series
--- qtimageformats-opensource-src-5.15.15/debian/patches/series	2024-10-28 22:08:53.000000000 +0100
+++ qtimageformats-opensource-src-5.15.15/debian/patches/series	2025-06-06 09:57:26.000000000 +0200
@@ -1 +1,2 @@
 CVE-2020-23884.patch
+CVE-2025-5683.patch

--- End Message ---

--- Begin Message ---

• To: 1108868-done@bugs.debian.org
• Subject: unblock qtimageformats-opensource-src
• From: Ivo De Decker <ivodd@respighi.debian.org>
• Date: Sun, 06 Jul 2025 17:54:18 +0000
• Message-id: <E1uYTZC-009jpV-0p@respighi.debian.org>

Unblocked qtimageformats-opensource-src.

--- End Message ---