diff --git a/SOURCES/qtbase-fix-buffer-overflow-in-xbm-parser.patch b/SOURCES/qtbase-fix-buffer-overflow-in-xbm-parser.patch new file mode 100644 index 0000000..2b33f3b --- /dev/null +++ b/SOURCES/qtbase-fix-buffer-overflow-in-xbm-parser.patch @@ -0,0 +1,70 @@ +diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp +index 7ba44049..8c4be4f0 100644 +--- a/src/gui/image/qxbmhandler.cpp ++++ b/src/gui/image/qxbmhandler.cpp +@@ -158,7 +158,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage) + w = (w+7)/8; // byte width + + while (y < h) { // for all encoded bytes... +- if (p) { // p = "0x.." ++ if (p && p < (buf + readBytes - 3)) { // p = "0x.." ++ if (!isxdigit(p[2]) || !isxdigit(p[3])) ++ return false; + *b++ = hex2byte(p+2); + p += 2; + if (++x == w && ++y < h) { +diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +index 1eee2f27..f801f3cd 100644 +--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp ++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +@@ -167,6 +167,8 @@ private slots: + void devicePixelRatio_data(); + void devicePixelRatio(); + ++ void xbmBufferHandling(); ++ + private: + QString prefix; + QTemporaryDir m_temporaryDir; +@@ -2002,5 +2004,41 @@ void tst_QImageReader::devicePixelRatio() + QCOMPARE(img.devicePixelRatio(), dpr); + } + ++void tst_QImageReader::xbmBufferHandling() ++{ ++ uint8_t original_buffer[256]; ++ for (int i = 0; i < 256; ++i) ++ original_buffer[i] = i; ++ ++ QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB); ++ image.setColorTable({0xff000000, 0xffffffff}); ++ ++ QByteArray buffer; ++ { ++ QBuffer buf(&buffer); ++ QImageWriter writer(&buf, "xbm"); ++ writer.write(image); ++ } ++ ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ ++ auto i = buffer.indexOf(','); ++ buffer.insert(i + 1, " "); ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ buffer.insert(i + 1, " "); ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ buffer.insert(i + 1, " "); ++#if 0 // Lines longer than 300 chars not supported currently ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++#endif ++ ++ i = buffer.lastIndexOf("\n "); ++ buffer.truncate(i + 1); ++ buffer.append(QByteArray(297, ' ')); ++ buffer.append("0x"); ++ // Only check we get no buffer overflow ++ QImage::fromData(buffer, "xbm"); ++} ++ + QTEST_MAIN(tst_QImageReader) + #include "tst_qimagereader.moc" diff --git a/SPECS/qt5-qtbase.spec b/SPECS/qt5-qtbase.spec index d90a23e..ee87039 100644 --- a/SPECS/qt5-qtbase.spec +++ b/SPECS/qt5-qtbase.spec @@ -3,9 +3,7 @@ %global multilib_basearchs x86_64 %{?mips64} ppc64 s390x sparc64 # support openssl-1.1 -%if 0%{?fedora} > 26 %global openssl11 1 -%endif %global openssl -openssl-linked %global no_feature_statx -no-feature-statx @@ -42,7 +40,7 @@ BuildRequires: pkgconfig(libsystemd) Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.12.5 -Release: 6%{?dist} +Release: 8%{?dist} # See LGPL_EXCEPTIONS.txt, for exception details License: LGPLv2 with exceptions or GPLv3 with exceptions @@ -130,6 +128,8 @@ Patch202: qtbase-add-expansion-limit-for-entities.patch # CVE-2020-13962 qt5-qtbase: qt5: incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications Patch203: qtbase-openssl-handle-ssl-shutdown-errors-properly.patch +# CVE-2020-17507 qt5-qtbase: qt: buffer over-read in read_xbm_body in gui/image/qxbmhandler.cpp +Patch204: qtbase-fix-buffer-overflow-in-xbm-parser.patch # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. # Those themes are there for platform integration. If the required libraries are @@ -167,24 +167,12 @@ BuildRequires: pkgconfig(libproxy-1.0) BuildRequires: pkgconfig(ice) pkgconfig(sm) BuildRequires: pkgconfig(libpng) BuildRequires: pkgconfig(libudev) -%if 0%{?fedora} == 26 -BuildRequires: compat-openssl10-devel -%else -BuildRequires: openssl-devel%{?openssl11: >= 1.1} -%endif +BuildRequires: openssl-devel BuildRequires: pkgconfig(libpulse) pkgconfig(libpulse-mainloop-glib) -%if 0%{?fedora} BuildRequires: pkgconfig(libinput) BuildRequires: pkgconfig(xcb-xkb) >= 1.10 BuildRequires: pkgconfig(xkbcommon) >= 0.4.1 BuildRequires: pkgconfig(xkbcommon-x11) >= 0.4.1 -%else -# not Fedora -%if 0%{?rhel} == 6 -%global xcb -qt-xcb -%endif -Provides: bundled(libxkbcommon) = 0.4.1 -%endif BuildRequires: pkgconfig(xkeyboard-config) %if 0%{?fedora} || 0%{?rhel} > 6 %global egl 1 @@ -399,6 +387,8 @@ Qt5 libraries used for drawing widgets and OpenGL items. %patch201 -p1 -b .do-not-load-plugin-from-pwd %patch202 -p1 -b .add-expansion-limit-for-entities %patch203 -p1 -b .openssl-handle-ssl-shutdown-errors-properly +%patch204 -p1 -b .fix-buffer-overflow-in-xbm-parser + # move some bundled libs to ensure they're not accidentally used pushd src/3rdparty @@ -756,6 +746,7 @@ fi %dir %{_qt5_plugindir}/script/ %dir %{_qt5_plugindir}/sqldrivers/ %dir %{_qt5_plugindir}/styles/ +%{_qt5_plugindir}/generic/libqlibinputplugin.so %{_qt5_plugindir}/sqldrivers/libqsqlite.so %{_qt5_libdir}/cmake/Qt5Sql/Qt5Sql_QSQLiteDriverPlugin.cmake @@ -841,6 +832,7 @@ fi %{_qt5_libdir}/cmake/Qt5DBus/Qt5DBusConfig*.cmake %{_qt5_libdir}/cmake/Qt5DBus/Qt5DBusMacros.cmake %{_qt5_libdir}/cmake/Qt5Gui/Qt5GuiConfig*.cmake +%{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QLibInputPlugin.cmake %{_qt5_libdir}/cmake/Qt5Network/Qt5NetworkConfig*.cmake %{_qt5_libdir}/cmake/Qt5OpenGL/Qt5OpenGLConfig*.cmake %{_qt5_libdir}/cmake/Qt5PrintSupport/Qt5PrintSupportConfig*.cmake @@ -1034,6 +1026,14 @@ fi %changelog +* Mon Oct 05 2020 Jan Grulich - 5.12.5-8 +- Build against system xkb and openssl 1.1 + Resolves: bz#1882375 + +* Thu Sep 24 2020 Jan Grulich - 5.12.5-7 +- Fix buffer overflow in XBM parser + Resolves: bz#1870364 + * Tue Jul 14 2020 Jan Grulich - 5.12.5-6 - OpenSSL: handle SSL_shutdown's errors properly Resolves: bz#1851538