Fix CVE-2023-32762 and CVE-2023-32763
This commit is contained in:
Jan Grulich
parent
ec0745b673
commit
32a41acce3
13
CVE-2023-32762-qtbase-5.15.patch
Normal file
13
CVE-2023-32762-qtbase-5.15.patch
Normal file
@ -0,0 +1,13 @@
|
||||
--- a/src/network/access/qhsts.cpp
|
||||
+++ b/src/network/access/qhsts.cpp
|
||||
@@ -364,8 +364,8 @@ quoted-pair = "\" CHAR
|
||||
bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
|
||||
{
|
||||
for (const auto &h : headers) {
|
||||
- // We use '==' since header name was already 'trimmed' for us:
|
||||
- if (h.first == "Strict-Transport-Security") {
|
||||
+ // We compare directly because header name was already 'trimmed' for us:
|
||||
+ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
|
||||
header = h.second;
|
||||
// RFC6797, 8.1:
|
||||
//
|
||||
49
CVE-2023-32763-qtbase-5.15.patch
Normal file
49
CVE-2023-32763-qtbase-5.15.patch
Normal file
@ -0,0 +1,49 @@
|
||||
diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h
|
||||
index 84659288..57d750a4 100644
|
||||
--- a/src/gui/painting/qfixed_p.h
|
||||
+++ b/src/gui/painting/qfixed_p.h
|
||||
@@ -54,6 +54,7 @@
|
||||
#include <QtGui/private/qtguiglobal_p.h>
|
||||
#include "QtCore/qdebug.h"
|
||||
#include "QtCore/qpoint.h"
|
||||
+#include <QtCore/private/qnumeric_p.h>
|
||||
#include "QtCore/qsize.h"
|
||||
|
||||
QT_BEGIN_NAMESPACE
|
||||
@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
|
||||
Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
|
||||
Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
|
||||
|
||||
+inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
|
||||
+{
|
||||
+ int val;
|
||||
+ bool result = add_overflow(v1.value(), v2.value(), &val);
|
||||
+ r->setValue(val);
|
||||
+ return result;
|
||||
+}
|
||||
+
|
||||
#ifndef QT_NO_DEBUG_STREAM
|
||||
inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
|
||||
{ return dbg << f.toReal(); }
|
||||
diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp
|
||||
index 26ac37b0..f6c69ff4 100644
|
||||
--- a/src/gui/text/qtextlayout.cpp
|
||||
+++ b/src/gui/text/qtextlayout.cpp
|
||||
@@ -2150,11 +2150,14 @@ found:
|
||||
eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
|
||||
} else {
|
||||
eng->minWidth = qMax(eng->minWidth, lbh.minw);
|
||||
- eng->maxWidth += line.textWidth;
|
||||
+ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
|
||||
+ eng->maxWidth = QFIXED_MAX;
|
||||
}
|
||||
|
||||
- if (line.textWidth > 0 && item < eng->layoutData->items.size())
|
||||
- eng->maxWidth += lbh.spaceData.textWidth;
|
||||
+ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
|
||||
+ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
|
||||
+ eng->maxWidth = QFIXED_MAX;
|
||||
+ }
|
||||
|
||||
line.textWidth += trailingSpace;
|
||||
if (lbh.spaceData.length) {
|
||||
@ -57,7 +57,7 @@
|
||||
Name: qt5-qtbase
|
||||
Summary: Qt5 - QtBase components
|
||||
Version: 5.15.9
|
||||
Release: 2%{?dist}
|
||||
Release: 3%{?dist}
|
||||
|
||||
# See LGPL_EXCEPTIONS.txt, for exception details
|
||||
License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0
|
||||
@ -151,6 +151,9 @@ Patch103: qtbase-QTBUG-112136.patch
|
||||
# IBus input method cannot set panel position correctly with DPI scaling
|
||||
# https://bugreports.qt.io/browse/QTBUG-103393
|
||||
Patch104: qtbase-QTBUG-103393.patch
|
||||
Patch105: CVE-2023-32762-qtbase-5.15.patch
|
||||
Patch106: CVE-2023-32763-qtbase-5.15.patch
|
||||
|
||||
|
||||
# Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
|
||||
# Those themes are there for platform integration. If the required libraries are
|
||||
@ -429,6 +432,7 @@ Qt5 libraries used for drawing widgets and OpenGL items.
|
||||
%patch -P102 -p1
|
||||
%patch -P103 -p1
|
||||
%patch -P104 -p1
|
||||
%patch -P105 -p1
|
||||
|
||||
# move some bundled libs to ensure they're not accidentally used
|
||||
pushd src/3rdparty
|
||||
@ -1108,6 +1112,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Mon May 15 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.9-3
|
||||
- Fix CVE-2023-32762 and CVE-2023-32763
|
||||
|
||||
* Fri May 05 2023 Than Ngo <than@redhat.com> - 5.15.9-2
|
||||
- backport, IBus input method cannot set panel position correctly with DPI scaling
|
||||
|
||||
|
||||
@ -1,11 +0,0 @@
|
||||
diff -up qtbase-everywhere-src-5.15.2/src/corelib/text/qbytearray.h.foo qtbase-everywhere-src-5.15.2/src/corelib/text/qbytearray.h
|
||||
--- qtbase-everywhere-src-5.15.2/src/corelib/text/qbytearray.h.foo 2020-10-27 03:02:11.000000000 -0500
|
||||
+++ qtbase-everywhere-src-5.15.2/src/corelib/text/qbytearray.h 2021-02-06 17:05:04.879201352 -0600
|
||||
@@ -51,6 +49,7 @@
|
||||
|
||||
#include <string>
|
||||
#include <iterator>
|
||||
+#include <limits>
|
||||
|
||||
#ifdef truncate
|
||||
#error qbytearray.h must be included before any header file that defines truncate
|
||||
@ -1,23 +0,0 @@
|
||||
diff -up qtbase-everywhere-src-5.15.2/src/corelib/global/qendian.h.QTBUG-90395 qtbase-everywhere-src-5.15.2/src/corelib/global/qendian.h
|
||||
--- qtbase-everywhere-src-5.15.2/src/corelib/global/qendian.h.QTBUG-90395 2020-10-27 03:02:11.000000000 -0500
|
||||
+++ qtbase-everywhere-src-5.15.2/src/corelib/global/qendian.h 2021-02-06 16:36:27.072105717 -0600
|
||||
@@ -44,6 +44,8 @@
|
||||
#include <QtCore/qfloat16.h>
|
||||
#include <QtCore/qglobal.h>
|
||||
|
||||
+#include <limits>
|
||||
+
|
||||
// include stdlib.h and hope that it defines __GLIBC__ for glibc-based systems
|
||||
#include <stdlib.h>
|
||||
#include <string.h>
|
||||
diff -up qtbase-everywhere-src-5.15.2/src/corelib/global/qfloat16.h.QTBUG-90395 qtbase-everywhere-src-5.15.2/src/corelib/global/qfloat16.h
|
||||
--- qtbase-everywhere-src-5.15.2/src/corelib/global/qfloat16.h.QTBUG-90395 2021-02-06 16:36:27.074105730 -0600
|
||||
+++ qtbase-everywhere-src-5.15.2/src/corelib/global/qfloat16.h 2021-02-06 16:37:19.212440114 -0600
|
||||
@@ -43,6 +43,7 @@
|
||||
|
||||
#include <QtCore/qglobal.h>
|
||||
#include <QtCore/qmetatype.h>
|
||||
+#include <limits>
|
||||
#include <string.h>
|
||||
|
||||
#if defined(QT_COMPILER_SUPPORTS_F16C) && defined(__AVX2__) && !defined(__F16C__)
|
||||
@ -1,31 +0,0 @@
|
||||
From 659f7a06e91c04b239e3f4c0bcfccbe3581af1c3 Mon Sep 17 00:00:00 2001
|
||||
From: Sona Kurazyan <sona.kurazyan@qt.io>
|
||||
Date: Wed, 17 Mar 2021 16:04:00 +0100
|
||||
Subject: [PATCH] Remove the unnecessary template parameter from the class specialization
|
||||
|
||||
This seems to cause errors when compiling with gcc-11. Although this is
|
||||
most likely a compiler bug, specifiying the template parameter type in
|
||||
this case isn't necessary.
|
||||
|
||||
Fixes: QTBUG-91909
|
||||
Fixes: QTBUG-90568
|
||||
Pick-to: 6.0 6.1 5.15
|
||||
Change-Id: Ib231257ccb2e16cc533f23ca5840d31e26a66d53
|
||||
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
|
||||
---
|
||||
|
||||
diff --git a/src/concurrent/qtconcurrentthreadengine.h b/src/concurrent/qtconcurrentthreadengine.h
|
||||
index cbd8ad04..4cd5b85 100644
|
||||
--- a/src/concurrent/qtconcurrentthreadengine.h
|
||||
+++ b/src/concurrent/qtconcurrentthreadengine.h
|
||||
@@ -256,8 +256,8 @@
|
||||
class ThreadEngineStarter<void> : public ThreadEngineStarterBase<void>
|
||||
{
|
||||
public:
|
||||
- ThreadEngineStarter<void>(ThreadEngine<void> *_threadEngine)
|
||||
- :ThreadEngineStarterBase<void>(_threadEngine) {}
|
||||
+ ThreadEngineStarter(ThreadEngine<void> *_threadEngine)
|
||||
+ : ThreadEngineStarterBase<void>(_threadEngine) {}
|
||||
|
||||
void startBlocking()
|
||||
{
|
||||
@ -1,56 +0,0 @@
|
||||
diff --git a/src/gui/kernel/qguiapplication.cpp b/src/gui/kernel/qguiapplication.cpp
|
||||
index d294cc38..dd31e31c 100644
|
||||
--- a/src/gui/kernel/qguiapplication.cpp
|
||||
+++ b/src/gui/kernel/qguiapplication.cpp
|
||||
@@ -3155,13 +3155,14 @@ void QGuiApplicationPrivate::processScreenGeometryChange(QWindowSystemInterfaceP
|
||||
bool availableGeometryChanged = e->availableGeometry != s->d_func()->availableGeometry;
|
||||
s->d_func()->availableGeometry = e->availableGeometry;
|
||||
|
||||
- if (geometryChanged) {
|
||||
- Qt::ScreenOrientation primaryOrientation = s->primaryOrientation();
|
||||
+ const Qt::ScreenOrientation primaryOrientation = s->primaryOrientation();
|
||||
+ if (geometryChanged)
|
||||
s->d_func()->updatePrimaryOrientation();
|
||||
|
||||
- emit s->geometryChanged(s->geometry());
|
||||
+ s->d_func()->emitGeometryChangeSignals(geometryChanged, availableGeometryChanged);
|
||||
+
|
||||
+ if (geometryChanged) {
|
||||
emit s->physicalSizeChanged(s->physicalSize());
|
||||
- emit s->physicalDotsPerInchChanged(s->physicalDotsPerInch());
|
||||
emit s->logicalDotsPerInchChanged(s->logicalDotsPerInch());
|
||||
|
||||
if (s->primaryOrientation() != primaryOrientation)
|
||||
@@ -3171,8 +3172,6 @@ void QGuiApplicationPrivate::processScreenGeometryChange(QWindowSystemInterfaceP
|
||||
updateFilteredScreenOrientation(s);
|
||||
}
|
||||
|
||||
- s->d_func()->emitGeometryChangeSignals(geometryChanged, availableGeometryChanged);
|
||||
-
|
||||
resetCachedDevicePixelRatio();
|
||||
}
|
||||
|
||||
diff --git a/src/gui/kernel/qscreen.cpp b/src/gui/kernel/qscreen.cpp
|
||||
index df628fcc..a1afc1ba 100644
|
||||
--- a/src/gui/kernel/qscreen.cpp
|
||||
+++ b/src/gui/kernel/qscreen.cpp
|
||||
@@ -88,6 +88,9 @@ void QScreenPrivate::updateGeometriesWithSignals()
|
||||
void QScreenPrivate::emitGeometryChangeSignals(bool geometryChanged, bool availableGeometryChanged)
|
||||
{
|
||||
Q_Q(QScreen);
|
||||
+ if (geometryChanged)
|
||||
+ emit q->geometryChanged(geometry);
|
||||
+
|
||||
if (availableGeometryChanged)
|
||||
emit q->availableGeometryChanged(availableGeometry);
|
||||
|
||||
@@ -96,6 +99,9 @@ void QScreenPrivate::emitGeometryChangeSignals(bool geometryChanged, bool availa
|
||||
for (QScreen* sibling : siblings)
|
||||
emit sibling->virtualGeometryChanged(sibling->virtualGeometry());
|
||||
}
|
||||
+
|
||||
+ if (geometryChanged)
|
||||
+ emit q->physicalDotsPerInchChanged(q->physicalDotsPerInch());
|
||||
}
|
||||
|
||||
void QScreenPrivate::setPlatformScreen(QPlatformScreen *screen)
|
||||
@ -1,26 +0,0 @@
|
||||
From acaabc9108dfe75530960cf8e3ec4f3602cd82e0 Mon Sep 17 00:00:00 2001
|
||||
From: Jan Grulich <jgrulich@redhat.com>
|
||||
Date: Mon, 08 Mar 2021 12:29:21 +0100
|
||||
Subject: [PATCH] FileChooser portal: send window id in hex
|
||||
|
||||
We send window id in decimal, however, it is expected to be send in hex.
|
||||
This causes a mismatch and makes portal dialog to show in background.
|
||||
|
||||
Pick-to: 5.15 6.0 6.1
|
||||
Change-Id: Ibd77199bbb4a2ad4782a0457ddc5506c6b5608fe
|
||||
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
||||
---
|
||||
|
||||
diff --git a/src/plugins/platformthemes/xdgdesktopportal/qxdgdesktopportalfiledialog.cpp b/src/plugins/platformthemes/xdgdesktopportal/qxdgdesktopportalfiledialog.cpp
|
||||
index ec153f6..85bdd1a 100644
|
||||
--- a/src/plugins/platformthemes/xdgdesktopportal/qxdgdesktopportalfiledialog.cpp
|
||||
+++ b/src/plugins/platformthemes/xdgdesktopportal/qxdgdesktopportalfiledialog.cpp
|
||||
@@ -185,7 +185,7 @@
|
||||
QLatin1String("/org/freedesktop/portal/desktop"),
|
||||
QLatin1String("org.freedesktop.portal.FileChooser"),
|
||||
d->saveFile ? QLatin1String("SaveFile") : QLatin1String("OpenFile"));
|
||||
- QString parentWindowId = QLatin1String("x11:") + QString::number(d->winId);
|
||||
+ QString parentWindowId = QLatin1String("x11:") + QString::number(d->winId, 16);
|
||||
|
||||
QVariantMap options;
|
||||
if (!d->acceptLabel.isEmpty())
|
||||
Loading…
Reference in New Issue
Block a user