Diffstat (limited to 'user/qt5-qtbase')
-rw-r--r--user/qt5-qtbase/APKBUILD18
-rw-r--r--user/qt5-qtbase/CVE-2020-0569.patch29
-rw-r--r--user/qt5-qtbase/CVE-2020-0570.patch55
-rw-r--r--user/qt5-qtbase/CVE-2020-17507.patch159
4 files changed, 169 insertions, 92 deletions
diff --git a/user/qt5-qtbase/APKBUILD b/user/qt5-qtbase/APKBUILD
index 8e51ff124..3f5bc413b 100644
--- a/user/qt5-qtbase/APKBUILD
+++ b/user/qt5-qtbase/APKBUILD
@@ -1,8 +1,8 @@
# Maintainer: A. Wilcox <awilfox@adelielinux.org>
pkgname=qt5-qtbase
_pkgname=qtbase-everywhere-src
-pkgver=5.12.6
-pkgrel=2
+pkgver=5.12.9
+pkgrel=0
pkgdesc="Cross-platform application and UI framework"
url="https://www.qt.io/"
arch="all"
@@ -27,8 +27,7 @@ source="https://download.qt.io/official_releases/qt/${pkgver%.*}/$pkgver/submodu
link-to-execinfo.patch
qt-musl-iconv-no-bom.patch
time64.patch
- CVE-2020-0569.patch
- CVE-2020-0570.patch
+ CVE-2020-17507.patch
section-header.patch
"
@@ -42,6 +41,10 @@ source="https://download.qt.io/official_releases/qt/${pkgver%.*}/$pkgver/submodu
# 5.12.6-r1:
# - CVE-2020-0569
# - CVE-2020-0570
+# 5.12.9-r0:
+# - CVE-2015-9541
+# - CVE-2020-13962
+# - CVE-2020-17507
_qt5_prefix=/usr/lib/qt5
_qt5_datadir=/usr/share/qt5
@@ -95,7 +98,7 @@ build() {
-system-zlib \
-translationdir "$_qt5_datadir"/translations \
-no-reduce-relocations \
- -debug -optimize-debug -force-debug-info \
+ -force-debug-info \
$ARCH_OPTS
make
}
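Review bot: Dropping `-debug -optimize-debug` from the configure arguments is a build-type change that nothing in this hunk explains, and it rides along with a security version bump. With only `-force-debug-info` left, Qt's configure should fall back to its default release build with debug information, which also compiles out the `Q_ASSERT` checks that the previous debug build kept. A short comment above the configure call would record the intent, for example `# release build with debug info; -debug/-optimize-debug dropped in 5.12.9-r0`. That call, like the start of build(), is outside this hunk.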
@@ -177,11 +180,10 @@ x11() {
return 0
}
-sha512sums="5fb82d903b0db95c23c55785047722dea7979e7f94ecaaf374e0c73b4787aabd768a1c79482a091b8b11f61d7bd4fb891675a6842b90cdc9caaa3b393a3187c6 qtbase-everywhere-src-5.12.6.tar.xz
+sha512sums="40916f73e44dbcab2a3196063d491d5563ec3de583436dac25ecf219aea6e7eb55c46ce8b1c761980f90495b91c89bd5239bd081636054311fee6420750319b0 qtbase-everywhere-src-5.12.9.tar.xz
d00dc607b71a93132f756b952871df9197cfd6d78cc3617544bfa11d7f0eea21ce5dd0d1aeb69dd2702a5694a63d3802accc76499dbf414c01eb56421698cb0c big-endian-scroll-wheel.patch
ee78a44e28ba5f728914bfc3d8d5b467896c7de11a02d54b0bce11e40a4338b1f776c1fcc30cbd436df4f548c1ab0b4fe801f01b162ddd5c0f892893e227acfd link-to-execinfo.patch
e3982b2df2ab4ba53b7a1329a9eb928eb1fee813c61cf6ac03d3300a767ffb57f019ac0fd89f633cac2330549446ff3d43344871296bf362815e7ebffadefa6b qt-musl-iconv-no-bom.patch
436f0bb7a89a88aa62c7b0398c4e91c325e78542e96f747c903f7e96dbf9d9b693d9688c722f2a74e287fb9ab31e861bd5ed8deb172ed28f56a1b8757663771c time64.patch
-ddeb0a59cf0901b38669314fd2f14dffba63c6cbd06a3d864cd329081cc2b10323ec52053a6ffe7baf5ee8a1e137331acfe5d874c03596660630dd151828da56 CVE-2020-0569.patch
-b5973799d6dc7c03124b7df5424e5fa84cb81ec3b997e039b84cca21852abaf4ff61780b99c47f1fd6ce64ae61f61b2458ca2929e068644f1973a6f1c53a4d64 CVE-2020-0570.patch
+9ebf15139025d76ff103a1ae77973136b2f883a38dc54febfa44f08060f41ee13016668c96a29c62dcc458125516ba8bdb899b1ab5604dc976b4f72e513bb682 CVE-2020-17507.patch
47b2973561965e3ef906f03480b3877ad0018f32d31fecb4c410abe22c68ccad7d232cfe68804b70111616e15b979fb26642225b984d8fdbfc6cf6899ad63a0d section-header.patch"
diff --git a/user/qt5-qtbase/CVE-2020-0569.patch b/user/qt5-qtbase/CVE-2020-0569.patch
deleted file mode 100644
index fa0efdce3..000000000
--- a/user/qt5-qtbase/CVE-2020-0569.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001
-From: Olivier Goffart <ogoffart@woboq.com>
-Date: Fri, 8 Nov 2019 11:30:40 +0100
-Subject: Do not load plugin from the $PWD
-
-I see no reason why this would make sense to look for plugins in the current
-directory. And when there are plugins there, it may actually be wrong
-
-Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5
-Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
----
- src/corelib/plugin/qpluginloader.cpp | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
-index cadff4f32b..c2443dbdda 100644
---- a/src/corelib/plugin/qpluginloader.cpp
-+++ b/src/corelib/plugin/qpluginloader.cpp
-@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName)
- paths.append(fileName.left(slash)); // don't include the '/'
- } else {
- paths = QCoreApplication::libraryPaths();
-- paths.prepend(QStringLiteral(".")); // search in current dir first
- }
-
- for (const QString &path : qAsConst(paths)) {
---
-cgit v1.2.1
-
diff --git a/user/qt5-qtbase/CVE-2020-0570.patch b/user/qt5-qtbase/CVE-2020-0570.patch
deleted file mode 100644
index dcf507c0d..000000000
--- a/user/qt5-qtbase/CVE-2020-0570.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001
-From: Thiago Macieira <thiago.macieira@intel.com>
-Date: Fri, 10 Jan 2020 09:26:27 -0800
-Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD
-
-I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
-find libraries in a haswell/ subdir of the main path, but we only need
-to do that transformation if the library is contains at least one
-directory seprator. That is, if the user asks to load "lib/foo", then we
-should try "lib/haswell/foo" (often, the path prefix will be absolute).
-
-When the library name the user requested has no directory separators, we
-let dlopen() do the transformation for us. Testing on Linux confirms
-glibc does so:
-
-$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor
- 1972475: find library=libXcursor.so.1 [0]; searching
- 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
- 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1
- 1972475: trying file=/usr/lib64/libXcursor.so.1
- 1972475: calling init: /usr/lib64/libXcursor.so.1
- 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0]
-
-Fixes: QTBUG-81272
-Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb
-Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
----
- src/corelib/plugin/qlibrary_unix.cpp | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
-index f0de1010d7..135b82cd37 100644
---- a/src/corelib/plugin/qlibrary_unix.cpp
-+++ b/src/corelib/plugin/qlibrary_unix.cpp
-@@ -1,7 +1,7 @@
- /****************************************************************************
- **
- ** Copyright (C) 2016 The Qt Company Ltd.
--** Copyright (C) 2018 Intel Corporation
-+** Copyright (C) 2020 Intel Corporation
- ** Contact: https://www.qt.io/licensing/
- **
- ** This file is part of the QtCore module of the Qt Toolkit.
-@@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys()
- for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
- if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
- continue;
-+ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
-+ continue;
- if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
- continue;
- if (loadHints & QLibrary::LoadArchiveMemberHint) {
---
-cgit v1.2.1
-
diff --git a/user/qt5-qtbase/CVE-2020-17507.patch b/user/qt5-qtbase/CVE-2020-17507.patch
new file mode 100644
index 000000000..126b55c96
--- /dev/null
+++ b/user/qt5-qtbase/CVE-2020-17507.patch
@@ -0,0 +1,159 @@
+From 5b2f75388424995925a0e45654a0d509b290aaa0 Mon Sep 17 00:00:00 2001
+From: Robert Loehning <robert.loehning@qt.io>
+Date: Thu, 9 Jul 2020 13:33:34 +0200
+Subject: [PATCH] Fix buffer overflow
+
+Fixes: oss-fuzz-23988
+Change-Id: I4efdbfc3c0a96917c0c8224642896088ade99f35
+Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
+(cherry picked from commit e80be8a43da78b9544f12fbac47e92c7f1f64366)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+---
+ src/gui/image/qxpmhandler.cpp | 2 +-
+ tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm | 1 +
+ tests/auto/gui/image/qimagereader/tst_qimagereader.cpp | 8 ++++++++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+ create mode 100644 tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
+
+diff --git a/src/gui/image/qxpmhandler.cpp b/src/gui/image/qxpmhandler.cpp
+index 17272ffe69b..417dab7ce3f 100644
+--- a/src/gui/image/qxpmhandler.cpp
++++ b/src/gui/image/qxpmhandler.cpp
+@@ -973,7 +973,7 @@ static bool read_xpm_body(
+ } else {
+ char b[16];
+ b[cpp] = '\0';
+- for (x=0; x<w && d<end; x++) {
++ for (x=0; x<w && d+cpp<end; x++) {
+ memcpy(b, (char *)d, cpp);
+ *p++ = (uchar)colorMap[xpmHash(b)];
+ d += cpp;
+diff --git a/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
+new file mode 100644
+index 00000000000..7e6c1e4ca2e
+--- /dev/null
++++ b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
+@@ -0,0 +1 @@
++/* XPM "20 8 1 7"" ÿÿ c ÿ" " ÿÿÿÿÿÿÿ "
+\ No newline at end of file
+diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+index 1eee2f273ef..0135e48c7df 100644
+--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+@@ -167,6 +167,8 @@ private slots:
+ void devicePixelRatio_data();
+ void devicePixelRatio();
+
++ void xpmBufferOverflow();
++
+ private:
+ QString prefix;
+ QTemporaryDir m_temporaryDir;
+@@ -2002,5 +2004,11 @@ void tst_QImageReader::devicePixelRatio()
+ QCOMPARE(img.devicePixelRatio(), dpr);
+ }
+
++void tst_QImageReader::xpmBufferOverflow()
++{
++ // Please note that the overflow only showed when Qt was configured with "-sanitize address".
++ QImageReader(":/images/oss-fuzz-23988.xpm").read();
++}
++
+ QTEST_MAIN(tst_QImageReader)
+ #include "tst_qimagereader.moc"
+--
+2.16.3
+
+From 35ecd0b69d58bcc8113afc5e449aef841c73e26c Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Date: Thu, 23 Jul 2020 11:48:48 +0200
+Subject: [PATCH] Fix buffer overflow in XBM parser
+
+Avoid parsing over the buffer limit, or interpreting non-hex
+as hex.
+
+This still leaves parsing of lines longer than 300 chars
+unreliable
+
+Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb
+Reviewed-by: Robert Loehning <robert.loehning@qt.io>
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211)
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ src/gui/image/qxbmhandler.cpp | 4 ++-
+ .../gui/image/qimagereader/tst_qimagereader.cpp | 37 ++++++++++++++++++++++
+ 2 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
+index 7ba44049b48..8c4be4f0eda 100644
+--- a/src/gui/image/qxbmhandler.cpp
++++ b/src/gui/image/qxbmhandler.cpp
+@@ -158,7 +158,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
+ w = (w+7)/8; // byte width
+
+ while (y < h) { // for all encoded bytes...
+- if (p) { // p = "0x.."
++ if (p && p < (buf + readBytes - 3)) { // p = "0x.."
++ if (!isxdigit(p[2]) || !isxdigit(p[3]))
++ return false;
+ *b++ = hex2byte(p+2);
+ p += 2;
+ if (++x == w && ++y < h) {
+diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+index 0135e48c7df..61b11a77794 100644
+--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+@@ -168,6 +168,7 @@ private slots:
+ void devicePixelRatio();
+
+ void xpmBufferOverflow();
++ void xbmBufferHandling();
+
+ private:
+ QString prefix;
+@@ -2010,5 +2011,41 @@ void tst_QImageReader::xpmBufferOverflow()
+ QImageReader(":/images/oss-fuzz-23988.xpm").read();
+ }
+
++void tst_QImageReader::xbmBufferHandling()
++{
++ uint8_t original_buffer[256];
++ for (int i = 0; i < 256; ++i)
++ original_buffer[i] = i;
++
++ QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB);
++ image.setColorTable({0xff000000, 0xffffffff});
++
++ QByteArray buffer;
++ {
++ QBuffer buf(&buffer);
++ QImageWriter writer(&buf, "xbm");
++ writer.write(image);
++ }
++
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++
++ auto i = buffer.indexOf(',');
++ buffer.insert(i + 1, " ");
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++ buffer.insert(i + 1, " ");
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++ buffer.insert(i + 1, " ");
++#if 0 // Lines longer than 300 chars not supported currently
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++#endif
++
++ i = buffer.lastIndexOf("\n ");
++ buffer.truncate(i + 1);
++ buffer.append(QByteArray(297, ' '));
++ buffer.append("0x");
++ // Only check we get no buffer overflow
++ QImage::fromData(buffer, "xbm");
++}
++
+ QTEST_MAIN(tst_QImageReader)
+ #include "tst_qimagereader.moc"
+--
+2.16.3
+
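Review bot: In the XBM change to read_xbm_body, `isxdigit(p[2])` and `isxdigit(p[3])` receive bytes taken straight from the image buffer. If `p` is a plain `char *` (its declaration is outside the embedded hunk), a byte above 0x7F becomes a negative argument on signed-char targets, which the `<ctype.h>` functions leave undefined for any value other than EOF. Converting first, as in `if (!isxdigit(static_cast<unsigned char>(p[2])) || !isxdigit(static_cast<unsigned char>(p[3])))`, keeps the check well defined regardless of libc. Because this file is a cherry-pick of two upstream commits, the adjustment belongs upstream, with the patch refreshed afterwards. The upstream message also states that lines longer than 300 characters remain unreliable, and the matching test assertion sits under `#if 0`, so that limitation is still present after this patch.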