rpms/qt5-qtbase
6
0
Fork 0
Code Issues Pull Requests Releases Activity

5.15.1

Browse Source
This commit is contained in:
Jan Grulich 2020-09-10 17:13:05 +02:00
parent 51993712f1
commit 904f17ae5f
5 changed files with 11 additions and 263 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

1
.gitignore vendored
View File

@ -4,3 +4,4 @@
/qtbase-everywhere-src-5.12.5.tar.xz
/qtbase-everywhere-src-5.13.2.tar.xz
/qtbase-everywhere-src-5.14.2.tar.xz
/qtbase-everywhere-src-5.15.1.tar.xz

109
0044-QLibrary-fix-deadlock-caused-by-fix-to-QTBUG-39642.patch
View File

@ -1,109 +0,0 @@
From 276fa8383a7535765be7182883ef4aade17ce013 Mon Sep 17 00:00:00 2001
From: Thiago Macieira <thiago.macieira@intel.com>
Date: Thu, 2 Apr 2020 12:08:41 -0300
Subject: [PATCH 44/49] QLibrary: fix deadlock caused by fix to QTBUG-39642
Commit ae6f73e8566fa76470937aca737141183929a5ec inserted a mutex around
the entire load_sys(). We had reasoed that deadlocks would only occur if
the object creation in instance() recursed into its own instance(),
which was already a bug. But we had forgotten that dlopen()/
LoadLibrary() executes initialization code from the module being loaded,
which could cause a recursion back into the same QPluginLoader or
QLibrary object. This recursion is benign because the module *is* loaded
and dlopen()/LoadLibrary() returns the same handle.
[ChangeLog][QtCore][QLibrary and QPluginLoader] Fixed a deadlock that
would happen if the plugin or library being loaded has load-time
initialization code (C++ global variables) that recursed back into the
same QLibrary or QPluginLoader object.
PS: QLibraryPrivate::loadPlugin() updates pluginState outside a mutex
lock, so pluginState should be made an atomic variable. Once that is
done, we'll only need locking the mutex to update errorString (no
locking before loading).
Fixes: QTBUG-83207
Task-number: QTBUG-39642
Change-Id: Ibdc95e9af7bd456a94ecfffd160209304e5ab2eb
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Reviewed-by: David Faure <david.faure@kdab.com>
---
src/corelib/plugin/qlibrary.cpp | 2 --
src/corelib/plugin/qlibrary_unix.cpp | 4 ++++
src/corelib/plugin/qlibrary_win.cpp | 3 +++
3 files changed, 7 insertions(+), 2 deletions(-)
diff --git a/src/corelib/plugin/qlibrary.cpp b/src/corelib/plugin/qlibrary.cpp
index ddb053c26f..be9d92b204 100644
--- a/src/corelib/plugin/qlibrary.cpp
+++ b/src/corelib/plugin/qlibrary.cpp
@@ -576,9 +576,7 @@ bool QLibraryPrivate::load()
Q_TRACE(QLibraryPrivate_load_entry, fileName);
- mutex.lock();
bool ret = load_sys();
- mutex.unlock();
if (qt_debug_component()) {
if (ret) {
qDebug() << "loaded library" << fileName;
diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
index 017aa97b66..a5c72f81d9 100644
--- a/src/corelib/plugin/qlibrary_unix.cpp
+++ b/src/corelib/plugin/qlibrary_unix.cpp
@@ -123,6 +123,7 @@ QStringList QLibraryPrivate::prefixes_sys()
bool QLibraryPrivate::load_sys()
{
+ QMutexLocker locker(&mutex);
QString attempt;
QFileSystemEntry fsEntry(fileName);
@@ -213,6 +214,7 @@ bool QLibraryPrivate::load_sys()
}
#endif
+ locker.unlock();
bool retry = true;
Handle hnd = nullptr;
for (int prefix = 0; retry && !hnd && prefix < prefixes.size(); prefix++) {
@@ -273,6 +275,8 @@ bool QLibraryPrivate::load_sys()
}
}
#endif
+
+ locker.relock();
if (!hnd) {
errorString = QLibrary::tr("Cannot load library %1: %2").arg(fileName, qdlerror());
}
diff --git a/src/corelib/plugin/qlibrary_win.cpp b/src/corelib/plugin/qlibrary_win.cpp
index 000bf76276..ef58724be8 100644
--- a/src/corelib/plugin/qlibrary_win.cpp
+++ b/src/corelib/plugin/qlibrary_win.cpp
@@ -78,6 +78,7 @@ bool QLibraryPrivate::load_sys()
// fileName
//
// NB If it's a plugin we do not ever try the ".dll" extension
+ QMutexLocker locker(&mutex);
QStringList attempts;
if (pluginState != IsAPlugin)
@@ -95,6 +96,7 @@ bool QLibraryPrivate::load_sys()
attempts.prepend(QDir::rootPath() + fileName);
#endif
+ locker.unlock();
Handle hnd = nullptr;
for (const QString &attempt : qAsConst(attempts)) {
#ifndef Q_OS_WINRT
@@ -115,6 +117,7 @@ bool QLibraryPrivate::load_sys()
#ifndef Q_OS_WINRT
SetErrorMode(oldmode);
#endif
+ locker.relock();
if (!hnd) {
errorString = QLibrary::tr("Cannot load library %1: %2").arg(
QDir::toNativeSeparators(fileName), qt_error_string());
--
2.25.2

146
qt5-qtbase-CVE-2015-9541.patch
View File

@ -1,146 +0,0 @@
From f432c08882ffebe5074ea28de871559a98a4d094 Mon Sep 17 00:00:00 2001
From: Lars Knoll <lars.knoll@qt.io>
Date: Wed, 26 Feb 2020 10:42:10 +0100
Subject: Add an expansion limit for entities
Recursively defined entities can easily exhaust all available
memory. Limit entity expansion to a default of 4096 characters to
avoid DoS attacks when a user loads untrusted content.
[ChangeLog][QtCore][QXmlStream] QXmlStreamReader does now
limit the expansion of entities to 4096 characters. Documents where
a single entity expands to more characters than the limit are not
considered well formed. The limit is there to avoid DoS attacks through
recursively expanding entities when loading untrusted content. Qt 5.15
will add methods that allow changing that limit.
Fixes: QTBUG-47417
Change-Id: I94387815d74fcf34783e136387ee57fac5ded0c9
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit fd4be84d23a0db4186cb42e736a9de3af722c7f7)
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
---
src/corelib/serialization/qxmlstream.g | 14 ++++++++++++-
src/corelib/serialization/qxmlstream_p.h | 14 ++++++++++++-
.../serialization/qxmlstream/tst_qxmlstream.cpp | 23 ++++++++++++++++++++--
3 files changed, 47 insertions(+), 4 deletions(-)
diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
index 10bfcd491c..5726bafb26 100644
--- a/src/corelib/serialization/qxmlstream.g
+++ b/src/corelib/serialization/qxmlstream.g
@@ -277,9 +277,19 @@ public:
QHash<QStringView, Entity> entityHash;
QHash<QStringView, Entity> parameterEntityHash;
QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+ int entityExpansionLimit = 4096;
+ int entityLength = 0;
inline bool referenceEntity(Entity &entity) {
if (entity.isCurrentlyReferenced) {
- raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+ return false;
+ }
+ // entityLength represents the amount of additional characters the
+ // entity expands into (can be negative for e.g. &amp;). It's used to
+ // avoid DoS attacks through recursive entity expansions
+ entityLength += entity.value.size() - entity.name.size() - 2;
+ if (entityLength > entityExpansionLimit) {
+ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
return false;
}
entity.isCurrentlyReferenced = true;
@@ -830,6 +840,8 @@ entity_done ::= ENTITY_DONE;
/.
case $rule_number:
entityReferenceStack.pop()->isCurrentlyReferenced = false;
+ if (entityReferenceStack.isEmpty())
+ entityLength = 0;
clearSym();
break;
./
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
index 61f501f81b..31053f8e0b 100644
--- a/src/corelib/serialization/qxmlstream_p.h
+++ b/src/corelib/serialization/qxmlstream_p.h
@@ -774,9 +774,19 @@ public:
QHash<QStringView, Entity> entityHash;
QHash<QStringView, Entity> parameterEntityHash;
QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+ int entityExpansionLimit = 4096;
+ int entityLength = 0;
inline bool referenceEntity(Entity &entity) {
if (entity.isCurrentlyReferenced) {
- raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+ return false;
+ }
+ // entityLength represents the amount of additional characters the
+ // entity expands into (can be negative for e.g. &amp;). It's used to
+ // avoid DoS attacks through recursive entity expansions
+ entityLength += entity.value.size() - entity.name.size() - 2;
+ if (entityLength > entityExpansionLimit) {
+ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
return false;
}
entity.isCurrentlyReferenced = true;
@@ -1308,6 +1318,8 @@ bool QXmlStreamReaderPrivate::parse()
case 10:
entityReferenceStack.pop()->isCurrentlyReferenced = false;
+ if (entityReferenceStack.isEmpty())
+ entityLength = 0;
clearSym();
break;
diff --git a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
index 8fdf91b090..1f9a0d575d 100644
--- a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
+++ b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
@@ -393,8 +393,6 @@ public:
return true;
}
- QXmlStreamReader reader(&inputFile);
-
/* See testcases.dtd which reads: 'Nonvalidating parsers
* must also accept "invalid" testcases, but validating ones must reject them.' */
if(type == QLatin1String("invalid") || type == QLatin1String("valid"))
@@ -580,6 +578,8 @@ private slots:
void roundTrip() const;
void roundTrip_data() const;
+ void entityExpansionLimit() const;
+
private:
static QByteArray readFile(const QString &filename);
@@ -1756,6 +1756,25 @@ void tst_QXmlStream::roundTrip_data() const
"</root>\n";
}
+void tst_QXmlStream::entityExpansionLimit() const
+{
+ QString xml = QStringLiteral("<?xml version=\"1.0\"?>"
+ "<!DOCTYPE foo ["
+ "<!ENTITY a \"0123456789\" >"
+ "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\" >"
+ "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\" >"
+ "<!ENTITY d \"&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;\" >"
+ "]>"
+ "<foo>&d;&d;&d;</foo>");
+ {
+ QXmlStreamReader reader(xml);
+ do {
+ reader.readNext();
+ } while (!reader.atEnd());
+ QCOMPARE(reader.error(), QXmlStreamReader::NotWellFormedError);
+ }
+}
+
void tst_QXmlStream::roundTrip() const
{
QFETCH(QString, in);
--
cgit v0.2.1

16
qt5-qtbase.spec
View File

@ -52,8 +52,8 @@ BuildRequires: pkgconfig(libsystemd)
Name: qt5-qtbase
Summary: Qt5 - QtBase components
Version: 5.14.2
Release: 8%{?dist}
Version: 5.15.1
Release: 1%{?dist}
# See LGPL_EXCEPTIONS.txt, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -128,8 +128,6 @@ Patch80: qtbase-use-wayland-on-gnome.patch
# glibc stat
## upstream patches
Patch100: qt5-qtbase-CVE-2015-9541.patch
Patch144: 0044-QLibrary-fix-deadlock-caused-by-fix-to-QTBUG-39642.patch
# Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
# Those themes are there for platform integration. If the required libraries are
@ -401,8 +399,6 @@ Qt5 libraries used for drawing widgets and OpenGL items.
%endif
## upstream patches
%patch100 -p1 -b .CVE-2015-9541
%patch144 -p1 -b .0044
# move some bundled libs to ensure they're not accidentally used
pushd src/3rdparty
@ -546,7 +542,7 @@ translationdir=%{_qt5_translationdir}
Name: Qt5
Description: Qt5 Configuration
Version: %{version}
Version: 5.15.1
EOF
# rpm macros
@ -873,6 +869,9 @@ fi
%{_qt5_libdir}/cmake/Qt5ThemeSupport/Qt5ThemeSupportConfig*.cmake
%{_qt5_libdir}/cmake/Qt5XcbQpa/Qt5XcbQpaConfig*.cmake
%{_qt5_libdir}/cmake/Qt5XkbCommonSupport/Qt5XkbCommonSupportConfig*.cmake
%{_qt5_libdir}/metatypes/qt5core_metatypes.json
%{_qt5_libdir}/metatypes/qt5gui_metatypes.json
%{_qt5_libdir}/metatypes/qt5widgets_metatypes.json
%{_qt5_libdir}/pkgconfig/Qt5.pc
%{_qt5_libdir}/pkgconfig/Qt5Concurrent.pc
%{_qt5_libdir}/pkgconfig/Qt5Core.pc
@ -1054,6 +1053,9 @@ fi
%changelog
* Thu Sep 10 2020 Jan Grulich <jgrulich@redhat.com> - 5.15.1-1
- 5.15.1
* Wed Jul 29 2020 Fedora Release Engineering <releng@fedoraproject.org> - 5.14.2-8
- Rebuilt for https://fedoraproject.org/wiki/Fedora_33_Mass_Rebuild

2
sources
View File

@ -1 +1 @@
SHA512 (qtbase-everywhere-src-5.14.2.tar.xz) = 8c83e06d58b56e9f288e83d6c3dd4ad6cc9f1eb1a32c7b44fb912fda34ed7255766fd9fa60cd740ee001df7d6172f25df05f1f95e986c3e793fbcd9bf4f18de9
SHA512 (qtbase-everywhere-src-5.15.1.tar.xz) = 40b687c046b25a6717834ffe2616ee4f373d75214ec1c7e3a26502cd0cde9f0a872eaee99f06c54c7a3625ae85df5cdd3a3b54a160e8e37c7cfeb5800d026fe4