Diffstat (limited to 'user/qt5-qtbase')
-rw-r--r-- | user/qt5-qtbase/APKBUILD | 18 | ||||
-rw-r--r-- | user/qt5-qtbase/CVE-2020-0569.patch | 29 | ||||
-rw-r--r-- | user/qt5-qtbase/CVE-2020-0570.patch | 55 | ||||
-rw-r--r-- | user/qt5-qtbase/CVE-2020-17507.patch | 159 |
4 files changed, 169 insertions, 92 deletions
diff --git a/user/qt5-qtbase/APKBUILD b/user/qt5-qtbase/APKBUILD
index 8e51ff124..3f5bc413b 100644
--- a/user/qt5-qtbase/APKBUILD
+++ b/user/qt5-qtbase/APKBUILD
@@ -1,8 +1,8 @@
 # Maintainer: A. Wilcox <awilfox@adelielinux.org>
 pkgname=qt5-qtbase
 _pkgname=qtbase-everywhere-src
-pkgver=5.12.6
-pkgrel=2
+pkgver=5.12.9
+pkgrel=0
 pkgdesc="Cross-platform application and UI framework"
 url="https://www.qt.io/"
 arch="all"
@@ -27,8 +27,7 @@ source="https://download.qt.io/official_releases/qt/${pkgver%.*}/$pkgver/submodu
 link-to-execinfo.patch
 qt-musl-iconv-no-bom.patch
 time64.patch
- CVE-2020-0569.patch
- CVE-2020-0570.patch
+ CVE-2020-17507.patch
 section-header.patch
 "
@@ -42,6 +41,10 @@ source="https://download.qt.io/official_releases/qt/${pkgver%.*}/$pkgver/submodu
 # 5.12.6-r1:
 # - CVE-2020-0569
 # - CVE-2020-0570
+# 5.12.9-r0:
+# - CVE-2015-9541
+# - CVE-2020-13962
+# - CVE-2020-17507
 _qt5_prefix=/usr/lib/qt5
 _qt5_datadir=/usr/share/qt5
@@ -95,7 +98,7 @@ build() {
 -system-zlib \
 -translationdir "$_qt5_datadir"/translations \
 -no-reduce-relocations \
- -debug -optimize-debug -force-debug-info \
+ -force-debug-info \
 $ARCH_OPTS
 make
 }
@@ -177,11 +180,10 @@ x11() {
 return 0
 }
-sha512sums="5fb82d903b0db95c23c55785047722dea7979e7f94ecaaf374e0c73b4787aabd768a1c79482a091b8b11f61d7bd4fb891675a6842b90cdc9caaa3b393a3187c6 qtbase-everywhere-src-5.12.6.tar.xz
+sha512sums="40916f73e44dbcab2a3196063d491d5563ec3de583436dac25ecf219aea6e7eb55c46ce8b1c761980f90495b91c89bd5239bd081636054311fee6420750319b0 qtbase-everywhere-src-5.12.9.tar.xz
 d00dc607b71a93132f756b952871df9197cfd6d78cc3617544bfa11d7f0eea21ce5dd0d1aeb69dd2702a5694a63d3802accc76499dbf414c01eb56421698cb0c big-endian-scroll-wheel.patch
 ee78a44e28ba5f728914bfc3d8d5b467896c7de11a02d54b0bce11e40a4338b1f776c1fcc30cbd436df4f548c1ab0b4fe801f01b162ddd5c0f892893e227acfd link-to-execinfo.patch
 e3982b2df2ab4ba53b7a1329a9eb928eb1fee813c61cf6ac03d3300a767ffb57f019ac0fd89f633cac2330549446ff3d43344871296bf362815e7ebffadefa6b qt-musl-iconv-no-bom.patch
 436f0bb7a89a88aa62c7b0398c4e91c325e78542e96f747c903f7e96dbf9d9b693d9688c722f2a74e287fb9ab31e861bd5ed8deb172ed28f56a1b8757663771c time64.patch
-ddeb0a59cf0901b38669314fd2f14dffba63c6cbd06a3d864cd329081cc2b10323ec52053a6ffe7baf5ee8a1e137331acfe5d874c03596660630dd151828da56 CVE-2020-0569.patch
-b5973799d6dc7c03124b7df5424e5fa84cb81ec3b997e039b84cca21852abaf4ff61780b99c47f1fd6ce64ae61f61b2458ca2929e068644f1973a6f1c53a4d64 CVE-2020-0570.patch
+9ebf15139025d76ff103a1ae77973136b2f883a38dc54febfa44f08060f41ee13016668c96a29c62dcc458125516ba8bdb899b1ab5604dc976b4f72e513bb682 CVE-2020-17507.patch
 47b2973561965e3ef906f03480b3877ad0018f32d31fecb4c410abe22c68ccad7d232cfe68804b70111616e15b979fb26642225b984d8fdbfc6cf6899ad63a0d section-header.patch"
diff --git a/user/qt5-qtbase/CVE-2020-0569.patch b/user/qt5-qtbase/CVE-2020-0569.patch
deleted file mode 100644
index fa0efdce3..000000000
--- a/user/qt5-qtbase/CVE-2020-0569.patch
+++ /dev/null
@@ -1,29 +0,0 @@
-From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001
-From: Olivier Goffart <ogoffart@woboq.com>
-Date: Fri, 8 Nov 2019 11:30:40 +0100
-Subject: Do not load plugin from the $PWD
-
-I see no reason why this would make sense to look for plugins in the current
-directory. And when there are plugins there, it may actually be wrong
-
-Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5
-Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
----
- src/corelib/plugin/qpluginloader.cpp | 1 -
- 1 file changed, 1 deletion(-)
-
-diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
-index cadff4f32b..c2443dbdda 100644
---- a/src/corelib/plugin/qpluginloader.cpp
-+++ b/src/corelib/plugin/qpluginloader.cpp
-@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName)
- paths.append(fileName.left(slash)); // don't include the '/'
- } else {
- paths = QCoreApplication::libraryPaths();
-- paths.prepend(QStringLiteral(".")); // search in current dir first
- }
-
- for (const QString &path : qAsConst(paths)) {
---
-cgit v1.2.1
-
diff --git a/user/qt5-qtbase/CVE-2020-0570.patch b/user/qt5-qtbase/CVE-2020-0570.patch
deleted file mode 100644
index dcf507c0d..000000000
--- a/user/qt5-qtbase/CVE-2020-0570.patch
+++ /dev/null
@@ -1,55 +0,0 @@
-From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001
-From: Thiago Macieira <thiago.macieira@intel.com>
-Date: Fri, 10 Jan 2020 09:26:27 -0800
-Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD
-
-I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
-find libraries in a haswell/ subdir of the main path, but we only need
-to do that transformation if the library is contains at least one
-directory seprator. That is, if the user asks to load "lib/foo", then we
-should try "lib/haswell/foo" (often, the path prefix will be absolute).
-
-When the library name the user requested has no directory separators, we
-let dlopen() do the transformation for us. Testing on Linux confirms
-glibc does so:
-
-$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor
- 1972475: find library=libXcursor.so.1 [0]; searching
- 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
- 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1
- 1972475: trying file=/usr/lib64/libXcursor.so.1
- 1972475: calling init: /usr/lib64/libXcursor.so.1
- 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0]
-
-Fixes: QTBUG-81272
-Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb
-Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
----
- src/corelib/plugin/qlibrary_unix.cpp | 4 +++-
- 1 file changed, 3 insertions(+), 1 deletion(-)
-
-diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
-index f0de1010d7..135b82cd37 100644
---- a/src/corelib/plugin/qlibrary_unix.cpp
-+++ b/src/corelib/plugin/qlibrary_unix.cpp
-@@ -1,7 +1,7 @@
- /****************************************************************************
- **
- ** Copyright (C) 2016 The Qt Company Ltd.
--** Copyright (C) 2018 Intel Corporation
-+** Copyright (C) 2020 Intel Corporation
- ** Contact: https://www.qt.io/licensing/
- **
- ** This file is part of the QtCore module of the Qt Toolkit.
-@@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys()
- for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
- if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
- continue;
-+ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
-+ continue;
- if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
- continue;
- if (loadHints & QLibrary::LoadArchiveMemberHint) {
---
-cgit v1.2.1
-
diff --git a/user/qt5-qtbase/CVE-2020-17507.patch b/user/qt5-qtbase/CVE-2020-17507.patch
new file mode 100644
index 000000000..126b55c96
--- /dev/null
+++ b/user/qt5-qtbase/CVE-2020-17507.patch
@@ -0,0 +1,159 @@
+From 5b2f75388424995925a0e45654a0d509b290aaa0 Mon Sep 17 00:00:00 2001
+From: Robert Loehning <robert.loehning@qt.io>
+Date: Thu, 9 Jul 2020 13:33:34 +0200
+Subject: [PATCH] Fix buffer overflow
+
+Fixes: oss-fuzz-23988
+Change-Id: I4efdbfc3c0a96917c0c8224642896088ade99f35
+Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
+(cherry picked from commit e80be8a43da78b9544f12fbac47e92c7f1f64366)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+---
+ src/gui/image/qxpmhandler.cpp | 2 +-
+ tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm | 1 +
+ tests/auto/gui/image/qimagereader/tst_qimagereader.cpp | 8 ++++++++
+ 3 files changed, 10 insertions(+), 1 deletion(-)
+ create mode 100644 tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
+
+diff --git a/src/gui/image/qxpmhandler.cpp b/src/gui/image/qxpmhandler.cpp
+index 17272ffe69b..417dab7ce3f 100644
+--- a/src/gui/image/qxpmhandler.cpp
++++ b/src/gui/image/qxpmhandler.cpp
+@@ -973,7 +973,7 @@ static bool read_xpm_body(
+ } else {
+ char b[16];
+ b[cpp] = '\0';
+- for (x=0; x<w && d<end; x++) {
++ for (x=0; x<w && d+cpp<end; x++) {
+ memcpy(b, (char *)d, cpp);
+ *p++ = (uchar)colorMap[xpmHash(b)];
+ d += cpp;
+diff --git a/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
+new file mode 100644
+index 00000000000..7e6c1e4ca2e
+--- /dev/null
++++ b/tests/auto/gui/image/qimagereader/images/oss-fuzz-23988.xpm
+@@ -0,0 +1 @@
++/* XPM "20 8 1 7"" ÿÿ c ÿ" " ÿÿÿÿÿÿÿ "
+\ No newline at end of file
+diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+index 1eee2f273ef..0135e48c7df 100644
+--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+@@ -167,6 +167,8 @@ private slots:
+ void devicePixelRatio_data();
+ void devicePixelRatio();
+
++ void xpmBufferOverflow();
++
+ private:
+ QString prefix;
+ QTemporaryDir m_temporaryDir;
+@@ -2002,5 +2004,11 @@ void tst_QImageReader::devicePixelRatio()
+ QCOMPARE(img.devicePixelRatio(), dpr);
+ }
+
++void tst_QImageReader::xpmBufferOverflow()
++{
++ // Please note that the overflow only showed when Qt was configured with "-sanitize address".
++ QImageReader(":/images/oss-fuzz-23988.xpm").read();
++}
++
+ QTEST_MAIN(tst_QImageReader)
+ #include "tst_qimagereader.moc"
+--
+2.16.3
+
+From 35ecd0b69d58bcc8113afc5e449aef841c73e26c Mon Sep 17 00:00:00 2001
+From: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Date: Thu, 23 Jul 2020 11:48:48 +0200
+Subject: [PATCH] Fix buffer overflow in XBM parser
+
+Avoid parsing over the buffer limit, or interpreting non-hex
+as hex.
+
+This still leaves parsing of lines longer than 300 chars
+unreliable
+
+Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb
+Reviewed-by: Robert Loehning <robert.loehning@qt.io>
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211)
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ src/gui/image/qxbmhandler.cpp | 4 ++-
+ .../gui/image/qimagereader/tst_qimagereader.cpp | 37 ++++++++++++++++++++++
+ 2 files changed, 40 insertions(+), 1 deletion(-)
+
+diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
+index 7ba44049b48..8c4be4f0eda 100644
+--- a/src/gui/image/qxbmhandler.cpp
++++ b/src/gui/image/qxbmhandler.cpp
+@@ -158,7 +158,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
+ w = (w+7)/8; // byte width
+
+ while (y < h) { // for all encoded bytes...
+- if (p) { // p = "0x.."
++ if (p && p < (buf + readBytes - 3)) { // p = "0x.."
++ if (!isxdigit(p[2]) || !isxdigit(p[3]))
++ return false;
+ *b++ = hex2byte(p+2);
+ p += 2;
+ if (++x == w && ++y < h) {
+diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+index 0135e48c7df..61b11a77794 100644
+--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+@@ -168,6 +168,7 @@ private slots:
+ void devicePixelRatio();
+
+ void xpmBufferOverflow();
++ void xbmBufferHandling();
+
+ private:
+ QString prefix;
+@@ -2010,5 +2011,41 @@ void tst_QImageReader::xpmBufferOverflow()
+ QImageReader(":/images/oss-fuzz-23988.xpm").read();
+ }
+
++void tst_QImageReader::xbmBufferHandling()
++{
++ uint8_t original_buffer[256];
++ for (int i = 0; i < 256; ++i)
++ original_buffer[i] = i;
++
++ QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB);
++ image.setColorTable({0xff000000, 0xffffffff});
++
++ QByteArray buffer;
++ {
++ QBuffer buf(&buffer);
++ QImageWriter writer(&buf, "xbm");
++ writer.write(image);
++ }
++
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++
++ auto i = buffer.indexOf(',');
++ buffer.insert(i + 1, " ");
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++ buffer.insert(i + 1, " ");
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++ buffer.insert(i + 1, " ");
++#if 0 // Lines longer than 300 chars not supported currently
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++#endif
++
++ i = buffer.lastIndexOf("\n ");
++ buffer.truncate(i + 1);
++ buffer.append(QByteArray(297, ' '));
++ buffer.append("0x");
++ // Only check we get no buffer overflow
++ QImage::fromData(buffer, "xbm");
++}
++
+ QTEST_MAIN(tst_QImageReader)
+ #include "tst_qimagereader.moc"
+--
+2.16.3
+
|
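Review bot: In the XBM section of this vendored patch, the added check `if (!isxdigit(p[2]) || !isxdigit(p[3]))` passes bytes read from the image file straight to `isxdigit`; if `p` is a plain `char *` (its declaration is outside the hunk), any byte of 0x80 or above becomes a negative argument, for which `isxdigit` has undefined behaviour. Converting first, `if (!isxdigit(uchar(p[2])) || !isxdigit(uchar(p[3])))`, keeps the validation well-defined for malformed files. In the XPM section, `b[cpp] = '\0'` on `char b[16]` is only safe if `cpp` is capped below 16 by the header parser, which is not visible here, and the new bound `d+cpp<end` would skip a final pixel that ends exactly at `end` if `end` points one past the data, so `d+cpp<=end` may be the intended limit. Both read_xbm_body and read_xpm_body begin and end outside the nested hunks, so these are follow-ups to confirm against the full Qt sources rather than edits to the cherry-picks.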