From faf561abce7f0796876876d35fd808c0c8201d2b Mon Sep 17 00:00:00 2001
From: Jan Grulich
Date: Tue, 19 May 2026 07:48:47 +0000
Subject: [PATCH] VectorImage: sanitize source string used in output (CVE-2025-14576)
Resolves: RHEL-173495
---
 qt6-qtdeclarative.spec | 10 +++-
 ...anitize-source-string-used-in-output.patch | 55 +++++++++++++++++++
 2 files changed, 63 insertions(+), 2 deletions(-)
 create mode 100644 qtdeclarative-vectorimage-sanitize-source-string-used-in-output.patch
diff --git a/qt6-qtdeclarative.spec b/qt6-qtdeclarative.spec
index 257c4b2..7685cd9 100644
--- a/qt6-qtdeclarative.spec
+++ b/qt6-qtdeclarative.spec
@@ -17,7 +17,7 @@ Summary: Qt6 - QtDeclarative component
 Name: qt6-%{qt_module}
 Version: 6.10.1
-Release: 1%{?dist}
+Release: 2%{?dist}
 License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0
 Url: http://www.qt.io
@@ -38,7 +38,9 @@ Source5: qv4global_p-multilib.h
 # https://codereview.qt-project.org/c/qt/qtdeclarative/+/678924
 Patch0: qtdeclarative-quickshapes-make-module-public.patch
-## upstreamable patches
+# CVE-2025-14576
+# https://codereview.qt-project.org/c/qt/qtdeclarative/+/697273
+Patch1: qtdeclarative-vectorimage-sanitize-source-string-used-in-output.patch
 # filter qml provides
 %global __provides_exclude_from ^%{_qt6_qmldir}/.*\\.so$
@@ -769,6 +771,10 @@ make check -k -C tests ||:
 %endif
 %changelog
+* Tue May 19 2026 Jan Grulich - 6.10.1-2
+- VectorImage: sanitize source string used in output (CVE-2025-14576)
+ Resolves: RHEL-173495
+
 * Mon Nov 24 2025 Jan Grulich - 6.10.1-1
 - 6.10.1
 Resolves: RHEL-109197
diff --git a/qtdeclarative-vectorimage-sanitize-source-string-used-in-output.patch b/qtdeclarative-vectorimage-sanitize-source-string-used-in-output.patch
new file mode 100644
index 0000000..a0040b5
--- /dev/null
+++ b/qtdeclarative-vectorimage-sanitize-source-string-used-in-output.patch
@@ -0,0 +1,55 @@
+From 1f35339b03fcb8787028e1301012a559328815fb Mon Sep 17 00:00:00 2001
+From: Eskil Abrahamsen Blomfeldt
+Date: Tue, 09 Dec 2025 07:39:32 +0100
+Subject: [PATCH] VectorImage: Sanitize source string used in output
+
+The source string is used as an object name in the output, so it gets
+sanitized to prevent illegal characters. While SVG already mandates a
+limited character set, rather than relying on the parser, sanitization
+happens before passing to the generator -- consistent with how the
+Lottie visitor handles it.
+
+Fixes: QTBUG-142556
+Pick-to: 6.8
+Change-Id: I0684e726ab69a0735dcb5f91369b090d58a90b7b
+Reviewed-by: Eirik Aavitsland
+---
+ .../generator/qsvgvisitorimpl.cpp | 20 ++++++++++++++++++-
+ 1 file changed, 19 insertions(+), 1 deletion(-)
+
+diff --git a/src/quickvectorimage/generator/qsvgvisitorimpl.cpp b/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
+index 87ce1e80..b7c0dbfe 100644
+--- a/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
++++ b/src/quickvectorimage/generator/qsvgvisitorimpl.cpp
+@@ -1101,9 +1101,27 @@ void QSvgVisitorImpl::visitDocumentNodeEnd(const QSvgTinyDocument *node)
+ m_generator->generateRootNode(info);
+ }
+
++static QString scrub(const QString &raw)
++{
++ QString res(raw.left(80));
++
++ if (!res.isEmpty()) {
++ constexpr QLatin1StringView legalSymbols("_-.:");
++ qsizetype i = 0;
++ do {
++ if (res.at(i).isLetterOrNumber() || legalSymbols.contains(res.at(i)))
++ i++;
++ else
++ res.remove(i, 1);
++ } while (i < res.size());
++ }
++
++ return res;
++}
++
+ void QSvgVisitorImpl::fillCommonNodeInfo(const QSvgNode *node, NodeInfo &info)
+ {
+- info.nodeId = node->nodeId();
++ info.nodeId = scrub(node->nodeId());
+ info.typeName = node->typeName();
+ info.isDefaultTransform = node->style().transform.isDefault();
+ info.transform.setDefaultValue(QVariant::fromValue(!info.isDefaultTransform
+--
+2.53.0
+
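Review bot: `scrub()` can turn different SVG ids into the same output name, because it truncates to 80 characters and then silently drops every character outside the allow-list, so `a b` and `ab`, or two ids sharing their first 80 characters, reach `info.nodeId` identical; if the generator or a later lookup relies on node ids being unique (not visible in this hunk), that needs a uniqueness step or at least a test. The allow-list is the right shape for this fix, but `QChar::isLetterOrNumber()` accepts every Unicode letter and digit, so it is worth confirming that this matches what the generated output permits in an object name. The function should also state its intent, e.g. `// Allow-list filter for ids read from SVG input: keeps letters, digits and "_-.:", considers only the first 80 characters.` The embedded patch changes only qsvgvisitorimpl.cpp, so no regression test for an id carrying quotes or line breaks comes with it, and `fillCommonNodeInfo` continues past the end of the hunk.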