diff --git a/SOURCES/qtbase-fix-buffer-overflow-in-xbm-parser.patch b/SOURCES/qtbase-fix-buffer-overflow-in-xbm-parser.patch new file mode 100644 index 0000000..2b33f3b --- /dev/null +++ b/SOURCES/qtbase-fix-buffer-overflow-in-xbm-parser.patch @@ -0,0 +1,70 @@ +diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp +index 7ba44049..8c4be4f0 100644 +--- a/src/gui/image/qxbmhandler.cpp ++++ b/src/gui/image/qxbmhandler.cpp +@@ -158,7 +158,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage) + w = (w+7)/8; // byte width + + while (y < h) { // for all encoded bytes... +- if (p) { // p = "0x.." ++ if (p && p < (buf + readBytes - 3)) { // p = "0x.." ++ if (!isxdigit(p[2]) || !isxdigit(p[3])) ++ return false; + *b++ = hex2byte(p+2); + p += 2; + if (++x == w && ++y < h) { +diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +index 1eee2f27..f801f3cd 100644 +--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp ++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +@@ -167,6 +167,8 @@ private slots: + void devicePixelRatio_data(); + void devicePixelRatio(); + ++ void xbmBufferHandling(); ++ + private: + QString prefix; + QTemporaryDir m_temporaryDir; +@@ -2002,5 +2004,41 @@ void tst_QImageReader::devicePixelRatio() + QCOMPARE(img.devicePixelRatio(), dpr); + } + ++void tst_QImageReader::xbmBufferHandling() ++{ ++ uint8_t original_buffer[256]; ++ for (int i = 0; i < 256; ++i) ++ original_buffer[i] = i; ++ ++ QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB); ++ image.setColorTable({0xff000000, 0xffffffff}); ++ ++ QByteArray buffer; ++ { ++ QBuffer buf(&buffer); ++ QImageWriter writer(&buf, "xbm"); ++ writer.write(image); ++ } ++ ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ ++ auto i = buffer.indexOf(','); ++ buffer.insert(i + 1, " "); ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ buffer.insert(i + 1, " "); ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ buffer.insert(i + 1, " "); ++#if 0 // Lines longer than 300 chars not supported currently ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++#endif ++ ++ i = buffer.lastIndexOf("\n "); ++ buffer.truncate(i + 1); ++ buffer.append(QByteArray(297, ' ')); ++ buffer.append("0x"); ++ // Only check we get no buffer overflow ++ QImage::fromData(buffer, "xbm"); ++} ++ + QTEST_MAIN(tst_QImageReader) + #include "tst_qimagereader.moc" diff --git a/SOURCES/qtbase-openssl-handle-ssl-shutdown-errors-properly.patch b/SOURCES/qtbase-openssl-handle-ssl-shutdown-errors-properly.patch new file mode 100644 index 0000000..44db0dc --- /dev/null +++ b/SOURCES/qtbase-openssl-handle-ssl-shutdown-errors-properly.patch @@ -0,0 +1,161 @@ +From 36a8bdbc8417506513207daf4f36533a3d6632f3 Mon Sep 17 00:00:00 2001 +From: Timur Pocheptsov +Date: Mon, 13 Apr 2020 20:31:34 +0200 +Subject: [PATCH] OpenSSL: handle SSL_shutdown's errors properly + +Do not call SSL_shutdown on a session that is in handshake state (SSL_in_init(s) +returns 1). Also, do not call SSL_shutdown if a session encountered a fatal +error (SSL_ERROR_SYSCALL or SSL_ERROR_SSL was found before). If SSL_shutdown +was unsuccessful (returned code != 1), we have to clear the error(s) it queued. +Unfortunately, SSL_in_init was a macro in OpenSSL 1.0.x. We have to +resolve SSL_state to implement SSL_in_init. + +Fixes: QTBUG-83450 +Change-Id: I6326119f4e79605429263045ac20605c30dccca3 +Reviewed-by: MÃ¥rten Nordheim +(cherry picked from commit 8907635da59c2ae0e8db01f27b24a841b830e655) +(cherry picked from commit 8ddffc6ba4f38bb8dbeb0cf61b6b10ee73505bbb) +--- + +diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp +index 4f49a71..9f9eaf3 100644 +--- a/src/network/ssl/qsslsocket.cpp ++++ b/src/network/ssl/qsslsocket.cpp +@@ -2108,7 +2108,7 @@ + shutdown = false; + pendingClose = false; + flushTriggered = false; +- ++ systemOrSslErrorDetected = false; + // we don't want to clear the ignoreErrorsList, so + // that it is possible setting it before connecting + // ignoreErrorsList.clear(); +diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp +index ec772dd..c4abc1e 100644 +--- a/src/network/ssl/qsslsocket_openssl.cpp ++++ b/src/network/ssl/qsslsocket_openssl.cpp +@@ -471,10 +471,16 @@ + void QSslSocketBackendPrivate::destroySslContext() + { + if (ssl) { +- // We do not send a shutdown alert here. Just mark the session as +- // resumable for qhttpnetworkconnection's "optimization", otherwise +- // OpenSSL won't start a session resumption. +- q_SSL_shutdown(ssl); ++ if (!q_SSL_in_init(ssl) && !systemOrSslErrorDetected) { ++ // We do not send a shutdown alert here. Just mark the session as ++ // resumable for qhttpnetworkconnection's "optimization", otherwise ++ // OpenSSL won't start a session resumption. ++ if (q_SSL_shutdown(ssl) != 1) { ++ // Some error may be queued, clear it. ++ const auto errors = getErrorsFromOpenSsl(); ++ Q_UNUSED(errors); ++ } ++ } + q_SSL_free(ssl); + ssl = nullptr; + } +@@ -909,6 +915,7 @@ + case SSL_ERROR_SSL: // error in the SSL library + // we do not know exactly what the error is, nor whether we can recover from it, + // so just return to prevent an endless loop in the outer "while" statement ++ systemOrSslErrorDetected = true; + { + const ScopedBool bg(inSetAndEmitError, true); + setErrorAndEmit(QAbstractSocket::SslInternalError, +@@ -1309,8 +1316,12 @@ + void QSslSocketBackendPrivate::disconnectFromHost() + { + if (ssl) { +- if (!shutdown) { +- q_SSL_shutdown(ssl); ++ if (!shutdown && !q_SSL_in_init(ssl) && !systemOrSslErrorDetected) { ++ if (q_SSL_shutdown(ssl) != 1) { ++ // Some error may be queued, clear it. ++ const auto errors = getErrorsFromOpenSsl(); ++ Q_UNUSED(errors); ++ } + shutdown = true; + transmit(); + } +diff --git a/src/network/ssl/qsslsocket_openssl11_symbols_p.h b/src/network/ssl/qsslsocket_openssl11_symbols_p.h +index 0c32b0a..c80baa2 100644 +--- a/src/network/ssl/qsslsocket_openssl11_symbols_p.h ++++ b/src/network/ssl/qsslsocket_openssl11_symbols_p.h +@@ -186,4 +186,11 @@ + } + void q_SSL_set_psk_use_session_callback(SSL *s, q_SSL_psk_use_session_cb_func_t); + ++#if OPENSSL_VERSION_NUMBER < 0x10101000L ++// What a mess! ++int q_SSL_in_init(SSL *s); ++#else ++int q_SSL_in_init(const SSL *s); ++#endif // 1.1.1 or 1.1.0 ++ + #endif +diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp +index 62ac228..60ba3a0 100644 +--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp ++++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp +@@ -161,6 +161,11 @@ + DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return nullptr, return) + DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return) + DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return) ++#if OPENSSL_VERSION_NUMBER < 0x10101000L ++DEFINEFUNC(int, SSL_in_init, SSL *a, a, return 0, return) ++#else ++DEFINEFUNC(int, SSL_in_init, const SSL *a, a, return 0, return) ++#endif + #ifdef TLS1_3_VERSION + DEFINEFUNC2(int, SSL_CTX_set_ciphersuites, SSL_CTX *ctx, ctx, const char *str, str, return 0, return) + DEFINEFUNC2(void, SSL_set_psk_use_session_callback, SSL *ssl, ssl, q_SSL_psk_use_session_cb_func_t callback, callback, return, DUMMYARG) +@@ -213,6 +218,7 @@ + // Functions below are either deprecated or removed in OpenSSL >= 1.1: + + DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return nullptr, return) ++DEFINEFUNC(int, SSL_state, const SSL *a, a, return 0, return) + + #ifdef SSLEAY_MACROS + DEFINEFUNC3(void *, ASN1_dup, i2d_of_void *a, a, d2i_of_void *b, b, char *c, c, return nullptr, return) +@@ -988,6 +994,7 @@ + #if QT_CONFIG(opensslv11) + + RESOLVEFUNC(OPENSSL_init_ssl) ++ RESOLVEFUNC(SSL_in_init) + RESOLVEFUNC(OPENSSL_init_crypto) + RESOLVEFUNC(ASN1_STRING_get0_data) + RESOLVEFUNC(EVP_CIPHER_CTX_reset) +@@ -1060,6 +1067,7 @@ + #else // !opensslv11 + + RESOLVEFUNC(ASN1_STRING_data) ++ RESOLVEFUNC(SSL_state) + + #ifdef SSLEAY_MACROS + RESOLVEFUNC(ASN1_dup) +diff --git a/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h +index 48364ce..c139ecb 100644 +--- a/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h ++++ b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h +@@ -132,6 +132,8 @@ + + int q_SSL_library_init(); + void q_SSL_load_error_strings(); ++int q_SSL_state(const SSL *a); ++#define q_SSL_in_init(a) (q_SSL_state(a) & SSL_ST_INIT) + + #if OPENSSL_VERSION_NUMBER >= 0x10001000L + int q_SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); +diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h +index 6f34c6c..e657987 100644 +--- a/src/network/ssl/qsslsocket_p.h ++++ b/src/network/ssl/qsslsocket_p.h +@@ -220,6 +220,7 @@ + bool verifyErrorsHaveBeenIgnored(); + bool paused; + bool flushTriggered; ++ bool systemOrSslErrorDetected = false; + }; + + QT_END_NAMESPACE diff --git a/SPECS/qt5-qtbase.spec b/SPECS/qt5-qtbase.spec index 8160c7c..ee87039 100644 --- a/SPECS/qt5-qtbase.spec +++ b/SPECS/qt5-qtbase.spec @@ -3,9 +3,7 @@ %global multilib_basearchs x86_64 %{?mips64} ppc64 s390x sparc64 # support openssl-1.1 -%if 0%{?fedora} > 26 %global openssl11 1 -%endif %global openssl -openssl-linked %global no_feature_statx -no-feature-statx @@ -42,7 +40,7 @@ BuildRequires: pkgconfig(libsystemd) Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.12.5 -Release: 5%{?dist} +Release: 8%{?dist} # See LGPL_EXCEPTIONS.txt, for exception details License: LGPLv2 with exceptions or GPLv3 with exceptions @@ -127,6 +125,12 @@ Patch201: qtbase-do-not-load-plugin-from-pwd.patch # CVE-2015-9541 qt5: qt: XML entity expansion vulnerability Patch202: qtbase-add-expansion-limit-for-entities.patch +# CVE-2020-13962 qt5-qtbase: qt5: incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications +Patch203: qtbase-openssl-handle-ssl-shutdown-errors-properly.patch + +# CVE-2020-17507 qt5-qtbase: qt: buffer over-read in read_xbm_body in gui/image/qxbmhandler.cpp +Patch204: qtbase-fix-buffer-overflow-in-xbm-parser.patch + # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. # Those themes are there for platform integration. If the required libraries are # not there, the platform to integrate with isn't either. Then Qt will just @@ -163,24 +167,12 @@ BuildRequires: pkgconfig(libproxy-1.0) BuildRequires: pkgconfig(ice) pkgconfig(sm) BuildRequires: pkgconfig(libpng) BuildRequires: pkgconfig(libudev) -%if 0%{?fedora} == 26 -BuildRequires: compat-openssl10-devel -%else -BuildRequires: openssl-devel%{?openssl11: >= 1.1} -%endif +BuildRequires: openssl-devel BuildRequires: pkgconfig(libpulse) pkgconfig(libpulse-mainloop-glib) -%if 0%{?fedora} BuildRequires: pkgconfig(libinput) BuildRequires: pkgconfig(xcb-xkb) >= 1.10 BuildRequires: pkgconfig(xkbcommon) >= 0.4.1 BuildRequires: pkgconfig(xkbcommon-x11) >= 0.4.1 -%else -# not Fedora -%if 0%{?rhel} == 6 -%global xcb -qt-xcb -%endif -Provides: bundled(libxkbcommon) = 0.4.1 -%endif BuildRequires: pkgconfig(xkeyboard-config) %if 0%{?fedora} || 0%{?rhel} > 6 %global egl 1 @@ -394,6 +386,9 @@ Qt5 libraries used for drawing widgets and OpenGL items. %patch200 -p1 -b .qlibrary-do-not-attempt-to-load-library-relative-to-pwd %patch201 -p1 -b .do-not-load-plugin-from-pwd %patch202 -p1 -b .add-expansion-limit-for-entities +%patch203 -p1 -b .openssl-handle-ssl-shutdown-errors-properly +%patch204 -p1 -b .fix-buffer-overflow-in-xbm-parser + # move some bundled libs to ensure they're not accidentally used pushd src/3rdparty @@ -751,6 +746,7 @@ fi %dir %{_qt5_plugindir}/script/ %dir %{_qt5_plugindir}/sqldrivers/ %dir %{_qt5_plugindir}/styles/ +%{_qt5_plugindir}/generic/libqlibinputplugin.so %{_qt5_plugindir}/sqldrivers/libqsqlite.so %{_qt5_libdir}/cmake/Qt5Sql/Qt5Sql_QSQLiteDriverPlugin.cmake @@ -836,6 +832,7 @@ fi %{_qt5_libdir}/cmake/Qt5DBus/Qt5DBusConfig*.cmake %{_qt5_libdir}/cmake/Qt5DBus/Qt5DBusMacros.cmake %{_qt5_libdir}/cmake/Qt5Gui/Qt5GuiConfig*.cmake +%{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QLibInputPlugin.cmake %{_qt5_libdir}/cmake/Qt5Network/Qt5NetworkConfig*.cmake %{_qt5_libdir}/cmake/Qt5OpenGL/Qt5OpenGLConfig*.cmake %{_qt5_libdir}/cmake/Qt5PrintSupport/Qt5PrintSupportConfig*.cmake @@ -1029,7 +1026,19 @@ fi %changelog -* Mon May 11 2020 Jan Grulich - 5.12-5-5 +* Mon Oct 05 2020 Jan Grulich - 5.12.5-8 +- Build against system xkb and openssl 1.1 + Resolves: bz#1882375 + +* Thu Sep 24 2020 Jan Grulich - 5.12.5-7 +- Fix buffer overflow in XBM parser + Resolves: bz#1870364 + +* Tue Jul 14 2020 Jan Grulich - 5.12.5-6 +- OpenSSL: handle SSL_shutdown's errors properly + Resolves: bz#1851538 + +* Mon May 11 2020 Jan Grulich - 5.12.5-5 - Fix: Files placed by attacker can influence the working directory and lead to malicious code execution Resolves: bz#1814739 Resolves: bz#1814683 @@ -1037,19 +1046,19 @@ fi - Fix: XML entity expansion vulnerability Resolves: bz#1822193 -* Wed Nov 27 2019 Jan Grulich - 5.12-5-4 +* Wed Nov 27 2019 Jan Grulich - 5.12.5-4 - Fix build on RHEL 7 kernel Resolves: bz#1733135 -* Thu Nov 07 2019 Jan Grulich - 5.12-5-2 +* Thu Nov 07 2019 Jan Grulich - 5.12.5-2 - Remove Android specific test to avoid unnecessary dependencies Resolves: bz#1733135 -* Tue Oct 29 2019 Jan Grulich - 5.12-5-1 +* Tue Oct 29 2019 Jan Grulich - 5.12.5-1 - 5.12.5 + sync with Fedora Resolves: bz#1733135 -* Wed May 22 2019 Jan Grulich - 5.11-1-7 +* Wed May 22 2019 Jan Grulich - 5.11.1-7 - Move libQt5EglFSDeviceIntegration lib out of the -devel subpkg Resolves: bz#1692970