rpms
/
qt5-qtbase
7
0
Fork 0
Code Issues Pull Requests Releases Activity

import qt5-qtbase-5.12.5-5.el8

This commit is contained in:
CentOS Sources 2020-07-28 08:14:14 -04:00 committed by Stepan Oksanichenko
parent 55bde29df1
commit ebe55effab
4 changed files with 251 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

146
SOURCES/qtbase-add-expansion-limit-for-entities.patch Normal file
View File

@ -0,0 +1,146 @@
From f432c08882ffebe5074ea28de871559a98a4d094 Mon Sep 17 00:00:00 2001
From: Lars Knoll <lars.knoll@qt.io>
Date: Wed, 26 Feb 2020 10:42:10 +0100
Subject: Add an expansion limit for entities
Recursively defined entities can easily exhaust all available
memory. Limit entity expansion to a default of 4096 characters to
avoid DoS attacks when a user loads untrusted content.
[ChangeLog][QtCore][QXmlStream] QXmlStreamReader does now
limit the expansion of entities to 4096 characters. Documents where
a single entity expands to more characters than the limit are not
considered well formed. The limit is there to avoid DoS attacks through
recursively expanding entities when loading untrusted content. Qt 5.15
will add methods that allow changing that limit.
Fixes: QTBUG-47417
Change-Id: I94387815d74fcf34783e136387ee57fac5ded0c9
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit fd4be84d23a0db4186cb42e736a9de3af722c7f7)
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
---
src/corelib/serialization/qxmlstream.g | 14 ++++++++++++-
src/corelib/serialization/qxmlstream_p.h | 14 ++++++++++++-
.../serialization/qxmlstream/tst_qxmlstream.cpp | 23 ++++++++++++++++++++--
3 files changed, 47 insertions(+), 4 deletions(-)
diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
index 10bfcd491c..5726bafb26 100644
--- a/src/corelib/serialization/qxmlstream.g
+++ b/src/corelib/serialization/qxmlstream.g
@@ -277,9 +277,19 @@ public:
QHash<QStringView, Entity> entityHash;
QHash<QStringView, Entity> parameterEntityHash;
QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+ int entityExpansionLimit = 4096;
+ int entityLength = 0;
inline bool referenceEntity(Entity &entity) {
if (entity.isCurrentlyReferenced) {
- raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+ return false;
+ }
+ // entityLength represents the amount of additional characters the
+ // entity expands into (can be negative for e.g. &amp;). It's used to
+ // avoid DoS attacks through recursive entity expansions
+ entityLength += entity.value.size() - entity.name.size() - 2;
+ if (entityLength > entityExpansionLimit) {
+ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
return false;
}
entity.isCurrentlyReferenced = true;
@@ -830,6 +840,8 @@ entity_done ::= ENTITY_DONE;
/.
case $rule_number:
entityReferenceStack.pop()->isCurrentlyReferenced = false;
+ if (entityReferenceStack.isEmpty())
+ entityLength = 0;
clearSym();
break;
./
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
index 61f501f81b..31053f8e0b 100644
--- a/src/corelib/serialization/qxmlstream_p.h
+++ b/src/corelib/serialization/qxmlstream_p.h
@@ -774,9 +774,19 @@ public:
QHash<QStringView, Entity> entityHash;
QHash<QStringView, Entity> parameterEntityHash;
QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+ int entityExpansionLimit = 4096;
+ int entityLength = 0;
inline bool referenceEntity(Entity &entity) {
if (entity.isCurrentlyReferenced) {
- raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+ return false;
+ }
+ // entityLength represents the amount of additional characters the
+ // entity expands into (can be negative for e.g. &amp;). It's used to
+ // avoid DoS attacks through recursive entity expansions
+ entityLength += entity.value.size() - entity.name.size() - 2;
+ if (entityLength > entityExpansionLimit) {
+ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
return false;
}
entity.isCurrentlyReferenced = true;
@@ -1308,6 +1318,8 @@ bool QXmlStreamReaderPrivate::parse()
case 10:
entityReferenceStack.pop()->isCurrentlyReferenced = false;
+ if (entityReferenceStack.isEmpty())
+ entityLength = 0;
clearSym();
break;
diff --git a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
index 8fdf91b090..1f9a0d575d 100644
--- a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
+++ b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
@@ -393,8 +393,6 @@ public:
return true;
}
- QXmlStreamReader reader(&inputFile);
-
/* See testcases.dtd which reads: 'Nonvalidating parsers
* must also accept "invalid" testcases, but validating ones must reject them.' */
if(type == QLatin1String("invalid") || type == QLatin1String("valid"))
@@ -580,6 +578,8 @@ private slots:
void roundTrip() const;
void roundTrip_data() const;
+ void entityExpansionLimit() const;
+
private:
static QByteArray readFile(const QString &filename);
@@ -1756,6 +1756,25 @@ void tst_QXmlStream::roundTrip_data() const
"</root>\n";
}
+void tst_QXmlStream::entityExpansionLimit() const
+{
+ QString xml = QStringLiteral("<?xml version=\"1.0\"?>"
+ "<!DOCTYPE foo ["
+ "<!ENTITY a \"0123456789\" >"
+ "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\" >"
+ "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\" >"
+ "<!ENTITY d \"&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;\" >"
+ "]>"
+ "<foo>&d;&d;&d;</foo>");
+ {
+ QXmlStreamReader reader(xml);
+ do {
+ reader.readNext();
+ } while (!reader.atEnd());
+ QCOMPARE(reader.error(), QXmlStreamReader::NotWellFormedError);
+ }
+}
+
void tst_QXmlStream::roundTrip() const
{
QFETCH(QString, in);
--
cgit v1.2.1

28
SOURCES/qtbase-do-not-load-plugin-from-pwd.patch Normal file
View File

@ -0,0 +1,28 @@
From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001
From: Olivier Goffart <ogoffart@woboq.com>
Date: Fri, 8 Nov 2019 11:30:40 +0100
Subject: Do not load plugin from the $PWD
I see no reason why this would make sense to look for plugins in the current
directory. And when there are plugins there, it may actually be wrong
Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
---
src/corelib/plugin/qpluginloader.cpp | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
index cadff4f32b..c2443dbdda 100644
--- a/src/corelib/plugin/qpluginloader.cpp
+++ b/src/corelib/plugin/qpluginloader.cpp
@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName)
paths.append(fileName.left(slash)); // don't include the '/'
} else {
paths = QCoreApplication::libraryPaths();
- paths.prepend(QStringLiteral(".")); // search in current dir first
}
for (const QString &path : qAsConst(paths)) {
--
cgit v1.2.1

52
SOURCES/qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch Normal file
View File

@ -0,0 +1,52 @@
From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001
From: Thiago Macieira <thiago.macieira@intel.com>
Date: Fri, 10 Jan 2020 09:26:27 -0800
Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD
I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
find libraries in a haswell/ subdir of the main path, but we only need
to do that transformation if the library is contains at least one
directory seprator. That is, if the user asks to load "lib/foo", then we
should try "lib/haswell/foo" (often, the path prefix will be absolute).
When the library name the user requested has no directory separators, we
let dlopen() do the transformation for us. Testing on Linux confirms
glibc does so:
$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor
1972475: find library=libXcursor.so.1 [0]; searching
1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
1972475: trying file=/usr/lib64/haswell/libXcursor.so.1
1972475: trying file=/usr/lib64/libXcursor.so.1
1972475: calling init: /usr/lib64/libXcursor.so.1
1972475: calling fini: /usr/lib64/libXcursor.so.1 [0]
Fixes: QTBUG-81272
Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
---
src/corelib/plugin/qlibrary_unix.cpp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
index e0381498..7cc7c8e3 100644
--- a/src/corelib/plugin/qlibrary_unix.cpp
+++ b/src/corelib/plugin/qlibrary_unix.cpp
@@ -1,7 +1,7 @@
/****************************************************************************
**
** Copyright (C) 2016 The Qt Company Ltd.
-** Copyright (C) 2018 Intel Corporation
+** Copyright (C) 2020 Intel Corporation
** Contact: https://www.qt.io/licensing/
**
** This file is part of the QtCore module of the Qt Toolkit.
@@ -208,6 +208,8 @@ bool QLibraryPrivate::load_sys()
for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
continue;
+ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
+ continue;
if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
continue;
if (loadHints & QLibrary::LoadArchiveMemberHint) {

26
SPECS/qt5-qtbase.spec
View File

@ -42,7 +42,7 @@ BuildRequires: pkgconfig(libsystemd)
Name: qt5-qtbase
Summary: Qt5 - QtBase components
Version: 5.12.5
Release: 4%{?dist}
Release: 5%{?dist}
# See LGPL_EXCEPTIONS.txt, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -116,6 +116,17 @@ Patch68: qtbase-ambiguous-python-shebang.patch
Patch101: qtbase-allow-dbus-not-running-during-build.patch
# Security fixes
# CVE-2020-0570 qt5: qt: files placed by attacker can influence the working directory and lead to malicious code execution
Patch200: qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch
# CVE-2020-0569 qt5-qtbase: qt: files placed by attacker can influence the working directory and lead to malicious code execution
Patch201: qtbase-do-not-load-plugin-from-pwd.patch
# CVE-2015-9541 qt5: qt: XML entity expansion vulnerability
Patch202: qtbase-add-expansion-limit-for-entities.patch
# Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
# Those themes are there for platform integration. If the required libraries are
# not there, the platform to integrate with isn't either. Then Qt will just
@ -379,6 +390,11 @@ Qt5 libraries used for drawing widgets and OpenGL items.
%patch101 -p1 -b .qtbase-allow-dbus-not-running-during-build
# Security fixes
%patch200 -p1 -b .qlibrary-do-not-attempt-to-load-library-relative-to-pwd
%patch201 -p1 -b .do-not-load-plugin-from-pwd
%patch202 -p1 -b .add-expansion-limit-for-entities
# move some bundled libs to ensure they're not accidentally used
pushd src/3rdparty
mkdir UNUSED
@ -1013,6 +1029,14 @@ fi
%changelog
* Mon May 11 2020 Jan Grulich <jgrulich@redhat.com> - 5.12-5-5
- Fix: Files placed by attacker can influence the working directory and lead to malicious code execution
Resolves: bz#1814739
Resolves: bz#1814683
- Fix: XML entity expansion vulnerability
Resolves: bz#1822193
* Wed Nov 27 2019 Jan Grulich <jgrulich@redhat.com> - 5.12-5-4
- Fix build on RHEL 7 kernel
Resolves: bz#1733135