VectorImage: sanitize source string used in output (CVE-2025-14576)

Resolves: RHEL-173495
2026-05-19 07:48:47 +00:00 · 2026-05-19 07:48:47 +00:00 · faf561abce
commit faf561abce
parent e650d7289b
2 changed files with 63 additions and 2 deletions
--- a/qt6-qtdeclarative.spec
+++ b/qt6-qtdeclarative.spec
@ -17,7 +17,7 @@
 Summary: Qt6 - QtDeclarative component
 Name:    qt6-%{qt_module}
 Version: 6.10.1
-Release: 1%{?dist}
+Release: 2%{?dist}

 License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0
 Url:     http://www.qt.io
@ -38,7 +38,9 @@ Source5: qv4global_p-multilib.h
 # https://codereview.qt-project.org/c/qt/qtdeclarative/+/678924
 Patch0:  qtdeclarative-quickshapes-make-module-public.patch

-## upstreamable patches
+# CVE-2025-14576
+# https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273
+Patch1:  qtdeclarative-vectorimage-sanitize-source-string-used-in-output.patch

 # filter qml provides
 %global __provides_exclude_from ^%{_qt6_qmldir}/.*\\.so$
@ -769,6 +771,10 @@ make check -k -C tests ||:
 %endif

 %changelog
+* Tue May 19 2026 Jan Grulich <jgrulich@redhat.com> - 6.10.1-2
+- VectorImage: sanitize source string used in output (CVE-2025-14576)
+  Resolves: RHEL-173495
+
 * Mon Nov 24 2025 Jan Grulich <jgrulich@redhat.com> - 6.10.1-1
 - 6.10.1
  Resolves: RHEL-109197
--- a/qtdeclarative-vectorimage-sanitize-source-string-used-in-output.patch
+++ b/qtdeclarative-vectorimage-sanitize-source-string-used-in-output.patch
@ -0,0 +1,55 @@
+From 1f35339b03fcb8787028e1301012a559328815fb Mon Sep 17 00:00:00 2001
+From: Eskil Abrahamsen Blomfeldt <eskil.abrahamsen-blomfeldt@qt.io>
+Date: Tue, 09 Dec 2025 07:39:32 +0100
+Subject: [PATCH] VectorImage: Sanitize source string used in output
+
+The source string is used as an object name in the output, so it gets
+sanitized to prevent illegal characters. While SVG already mandates a
+limited character set, rather than relying on the parser, sanitization
+happens before passing to the generator -- consistent with how the
+Lottie visitor handles it.
+
+Fixes: QTBUG-142556
+Pick-to: 6.8
+Change-Id: I0684e726ab69a0735dcb5f91369b090d58a90b7b
+Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
+---
+ .../generator/qsvgvisitorimpl.cpp             | 20 ++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/quickvectorimage/generator/qsvgvisitorimpl.cpp b/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
+index 87ce1e80..b7c0dbfe 100644
+--- a/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
+++ b/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
+@@ -1101,9 +1101,27 @@ void QSvgVisitorImpl::visitDocumentNodeEnd(const QSvgTinyDocument *node)
+     m_generator->generateRootNode(info);
+ }
+
+static QString scrub(const QString &raw)
+{
+    QString res(raw.left(80));
+
+    if (!res.isEmpty()) {
+        constexpr QLatin1StringView legalSymbols("_-.:");
+        qsizetype i = 0;
+        do {
+            if (res.at(i).isLetterOrNumber() || legalSymbols.contains(res.at(i)))
+                i++;
+            else
+                res.remove(i, 1);
+        } while (i < res.size());
+    }
+
+    return res;
+}
+
+ void QSvgVisitorImpl::fillCommonNodeInfo(const QSvgNode *node, NodeInfo &info)
+ {
+-    info.nodeId = node->nodeId();
+    info.nodeId = scrub(node->nodeId());
+     info.typeName = node->typeName();
+     info.isDefaultTransform = node->style().transform.isDefault();
+     info.transform.setDefaultValue(QVariant::fromValue(!info.isDefaultTransform
+--
+2.53.0
+