diff --git a/SOURCES/qt-bmp-image-handler-check-for-out-of-range-image-size.patch b/SOURCES/qt-bmp-image-handler-check-for-out-of-range-image-size.patch
new file mode 100644
index 0000000..d2b24b0
--- /dev/null
+++ b/SOURCES/qt-bmp-image-handler-check-for-out-of-range-image-size.patch
@@ -0,0 +1,14 @@
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index 078c5993..5165bf19 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -181,7 +181,8 @@ static bool read_dib_infoheader(QDataStream &s, BMP_INFOHDR &bi)
+ if (!(comp == BMP_RGB || (nbits == 4 && comp == BMP_RLE4) ||
+ (nbits == 8 && comp == BMP_RLE8) || ((nbits == 16 || nbits == 32) && comp == BMP_BITFIELDS)))
+ return false; // weird compression type
+-
++ if (bi.biWidth < 0 || quint64(bi.biWidth) * qAbs(bi.biHeight) > 16384 * 16384)
++ return false;
+ return true;
+ }
+
diff --git a/SOURCES/qt-check-for-qimage-allocation-failure-in-qgifhandler.patch b/SOURCES/qt-check-for-qimage-allocation-failure-in-qgifhandler.patch
new file mode 100644
index 0000000..9ab940e
--- /dev/null
+++ b/SOURCES/qt-check-for-qimage-allocation-failure-in-qgifhandler.patch
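Review bot: `qAbs(bi.biHeight)` on the added guard is evaluated in the signed type of biHeight before the product is widened, so the most negative value that type can hold overflows on negation (undefined behaviour) instead of being rejected cleanly; widen before taking the absolute value, e.g. `if (bi.biWidth < 0 || quint64(bi.biWidth) * quint64(qAbs(qint64(bi.biHeight))) > 16384 * 16384)`. A biWidth of 0 also satisfies the new check with any height because the product is 0; whether a zero-width header is rejected elsewhere is not visible in the hunk, so a short comment on what the guard is and is not meant to cover would help, e.g. `// reject negative widths and pixel counts beyond 16384x16384; zero sizes are handled by the caller`. The body of read_dib_infoheader starts outside the hunk.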
@@ -0,0 +1,25 @@
+diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
+index 2a9217a2..28823f84 100644
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -356,7 +356,8 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
+ (*image) = QImage(swidth, sheight, format);
+ bpl = image->bytesPerLine();
+ bits = image->bits();
+- memset(bits, 0, image->byteCount());
++ if (bits)
++ memset(bits, 0, image->byteCount());
+ }
+
+ // Check if the previous attempt to create the image failed. If it
+@@ -417,6 +418,10 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length,
+ backingstore = QImage(qMax(backingstore.width(), w),
+ qMax(backingstore.height(), h),
+ QImage::Format_RGB32);
++ if (backingstore.isNull()) {
++ state = Error;
++ return -1;
++ }
+ memset(bits, 0, image->byteCount());
+ }
+ const int dest_bpl = backingstore.bytesPerLine();
diff --git a/SOURCES/qt-fix-crash-in-qppmhandler-for-certain-malformed-images.patch b/SOURCES/qt-fix-crash-in-qppmhandler-for-certain-malformed-images.patch
new file mode 100644
index 0000000..674622d
--- /dev/null
+++ b/SOURCES/qt-fix-crash-in-qppmhandler-for-certain-malformed-images.patch
@@ -0,0 +1,13 @@
+diff --git a/src/gui/image/qppmhandler.cpp b/src/gui/image/qppmhandler.cpp
+index 9cacfab2..6ab58b25 100644
+--- a/src/gui/image/qppmhandler.cpp
++++ b/src/gui/image/qppmhandler.cpp
+@@ -108,7 +108,7 @@ static bool read_pbm_header(QIODevice *device, char& type, int& w, int& h, int&
+ else
+ mcc = read_pbm_int(device); // get max color component
+
+- if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0)
++ if (w <= 0 || w > 32767 || h <= 0 || h > 32767 || mcc <= 0 || mcc > 0xffff)
+ return false; // weird P.M image
+
+ return true;
diff --git a/SOURCES/qt-fix-possible-heap-corruption-in-qxmlstream.patch b/SOURCES/qt-fix-possible-heap-corruption-in-qxmlstream.patch
new file mode 100644
index 0000000..9dbc2c3
--- /dev/null
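Review bot: The `if (bits)` guard added in the first inner hunk only skips the memset when `image->bits()` came back null; it leaves `bits` null and `bpl` whatever the failed image reports, and the comment that follows says the failed allocation is checked afterwards, but that check is outside the hunk, so the guard's safety rests on code a reader of this patch cannot see. Make the dependency explicit on the guard: `// bits is null when the QImage allocation failed; the null-image check below handles it`. The second inner hunk's `if (backingstore.isNull()) { state = Error; return -1; }` is the fuller form of that handling, and the `memset(bits, 0, image->byteCount())` that still follows it zeroes the frame image rather than the freshly assigned backingstore, which is presumably intended but easy to misread next to the new check; a comment naming which buffer is being cleared would prevent that. decode() continues outside both hunks.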
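Review bot: The new upper bound `mcc > 0xffff` is a bare magic number in a line that already carries a vague comment; tie it to the format so the next reader does not loosen it: `// maxval is capped at 65535 by the PNM specification`. This hunk tightens only the header check; how a maxval in the 256..65535 range is scaled when the pixel data is read lies outside the hunk and cannot be verified here, so it is worth confirming the body reader copes with the widened range the header now admits. The hunk covers only the tail of read_pbm_header, whose signature is cut off in the hunk header.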
+++ b/SOURCES/qt-fix-possible-heap-corruption-in-qxmlstream.patch
@@ -0,0 +1,13 @@
+diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
+index 3539e1b7..f637e2d5 100644
+--- a/src/corelib/xml/qxmlstream_p.h
++++ b/src/corelib/xml/qxmlstream_p.h
+@@ -1242,7 +1242,7 @@ bool QXmlStreamReaderPrivate::parse()
+ state_stack[tos] = 0;
+ return true;
+ } else if (act > 0) {
+- if (++tos == stack_size-1)
++ if (++tos >= stack_size-1)
+ reallocateStack();
+
+ Value &val = sym_stack[tos];
diff --git a/SOURCES/qt-tga-handler-check-for-out-of-range-image-size.patch b/SOURCES/qt-tga-handler-check-for-out-of-range-image-size.patch
new file mode 100644
index 0000000..3562951
--- /dev/null
+++ b/SOURCES/qt-tga-handler-check-for-out-of-range-image-size.patch
@@ -0,0 +1,25 @@
+diff --git a/src/plugins/imageformats/tga/qtgafile.cpp b/src/plugins/imageformats/tga/qtgafile.cpp
+index 205e60b6..0f84864e 100644
+--- a/src/plugins/imageformats/tga/qtgafile.cpp
++++ b/src/plugins/imageformats/tga/qtgafile.cpp
+@@ -166,6 +166,11 @@ QTgaFile::QTgaFile(QIODevice *device)
+ {
+ mErrorMessage = QObject::tr("Image depth not valid");
+ }
++ if (quint64(width()) * quint64(height()) > (8192 * 8192))
++ {
++ mErrorMessage = QObject::tr("Image size exceeds limit");
++ return;
++ }
+ int fileBytes = mDevice->size();
+ if (!mDevice->seek(fileBytes - FooterSize))
+ {
+@@ -237,6 +242,8 @@ QImage QTgaFile::readImage()
+ unsigned char yCorner = desc & 0x20; // 0 = lower, 1 = upper
+
+ QImage im(imageWidth, imageHeight, QImage::Format_ARGB32);
++ if (im.isNull())
++ return QImage();
+ TgaReader *reader = 0;
+ if (bitsPerPixel == 16)
+ reader = new Tga16Reader();
diff --git a/SOURCES/qtsvg-fix-crash-when-parsing-malformed-url-reference.patch b/SOURCES/qtsvg-fix-crash-when-parsing-malformed-url-reference.patch
new file mode 100644
index 0000000..338800d
--- /dev/null
+++ b/SOURCES/qtsvg-fix-crash-when-parsing-malformed-url-reference.patch
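Review bot: Switching `==` to `>=` in `if (++tos >= stack_size-1)` makes the grow decision hold when tos is already past the limit, but nothing in the hunk says how tos can get more than one step beyond stack_size-1, and the next reader will be tempted to "simplify" it back; keep the rationale on the line: `// tos may already be past the limit, so grow on >= rather than ==`. If reallocateStack() grows by a fixed increment rather than to at least tos+1, one call can still leave sym_stack too small for the `sym_stack[tos]` access two lines later — worth confirming against its definition, which is outside the hunk. parse() continues outside the hunk.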
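Review bot: The new size guard in the constructor sets mErrorMessage and returns, whereas the depth check directly above it sets its message and falls through; if callers only consult the error message (the accessors are outside the hunk) both paths look the same to them, but the differing control flow deserves a comment stating why this check aborts construction and the previous one does not. The arithmetic itself is sound: `quint64(width()) * quint64(height())` cannot overflow for 32-bit dimensions and `8192 * 8192` fits an int. In readImage(), `if (im.isNull()) return QImage();` returns without recording anything, unlike the constructor path — consider setting mErrorMessage (e.g. `mErrorMessage = QObject::tr("Image allocation failed");`, wording constructed here) before the return so callers can distinguish an allocation failure from an empty image. Both functions extend beyond the hunk.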
@@ -0,0 +1,27 @@
+diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
+index 77af8161..7378e962 100644
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -746,16 +746,17 @@ static QVector parsePercentageList(const QChar *&str)
+ static QString idFromUrl(const QString &url)
+ {
+ QString::const_iterator itr = url.constBegin();
+- while ((*itr).isSpace())
++ QString::const_iterator end = url.constEnd();
++ while (itr != end && (*itr).isSpace())
+ ++itr;
+- if ((*itr) == QLatin1Char('('))
++ if (itr != end && (*itr) == QLatin1Char('('))
+ ++itr;
+- while ((*itr).isSpace())
++ while (itr != end && (*itr).isSpace())
+ ++itr;
+- if ((*itr) == QLatin1Char('#'))
++ if (itr != end && (*itr) == QLatin1Char('#'))
+ ++itr;
+ QString id;
+- while ((*itr) != QLatin1Char(')')) {
++ while (itr != end && (*itr) != QLatin1Char(')')) {
+ id += *itr;
+ ++itr;
+ }
diff --git a/SPECS/qt.spec b/SPECS/qt.spec
index 1445784..a2b08a0
--- a/SPECS/qt.spec
+++ b/SPECS/qt.spec
@@ -26,7 +26,7 @@ Summary: Qt toolkit
Name: qt
Epoch: 1
Version: 4.8.7
-Release: 4%{?dist}
+Release: 8%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
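Review bot: The rewritten loop `while (itr != end && (*itr) != QLatin1Char(')'))` now exits quietly on an unterminated `url(#id`, and whatever follows the hunk presumably returns the partial id; that is a defensible choice for a crash fix, but it is a behavioural decision and should be stated where it is made, e.g. `// a missing ')' is tolerated: the id collected so far is returned`. The new `end` iterator is never modified, so `const QString::const_iterator end = url.constEnd();` documents the guard-only intent. idFromUrl's return statement lies outside the hunk.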
@@ -201,9 +201,22 @@ Patch114: qt-revert-QTBUG-15319-fix-shortcuts-with-secondary-Xkb.patch
Patch115: qt-everywhere-opensource-src-4.8.5-do-not-close-apps-on-gnome-shutdown-dialog.patch
+
## upstream git
# security patches
+# Bug 1667861 - CVE-2018-15518 qt: qt5-qtbase: Double free in QXmlStreamReader
+Patch200: qt-fix-possible-heap-corruption-in-qxmlstream.patch
+# Bug 1702031 - CVE-2018-19872 qt: malformed PPM image causing division by zero and crash in qppmhandler.cpp
+Patch201: qt-fix-crash-in-qppmhandler-for-certain-malformed-images.patch
+# Bug 1667882 - CVE-2018-19869 qt: qt5-qtsvg: Invalid parsing of malformed url reference resulting in a denial of service
+Patch202: qtsvg-fix-crash-when-parsing-malformed-url-reference.patch
+# Bug 1667863 - CVE-2018-19870 qt: qt5-qtbase: QImage allocation failure in qgifhandler
+Patch203: qt-check-for-qimage-allocation-failure-in-qgifhandler.patch
+# Bug 1667879 - CVE-2018-19871 qt: qt5-qtimageformats: QTgaFile CPU exhaustion
+Patch204: qt-tga-handler-check-for-out-of-range-image-size.patch
+# Bug 1667862 - CVE-2018-19873 qt: qt5-qtbase: QBmpHandler segmentation fault on malformed BMP file
+Patch205: qt-bmp-image-handler-check-for-out-of-range-image-size.patch
# desktop files
Source20: assistant.desktop
@@ -611,6 +624,12 @@ rm -rf src/3rdparty/clucene
# upstream git
# security fixes
+%patch200 -p1 -b .qt-fix-possible-heap-corruption-in-qxmlstream
+%patch201 -p1 -b .qt-fix-crash-in-qppmhandler-for-certain-malformed-images
+%patch202 -p1 -b .fix-crash-when-parsing-malformed-url-reference
+%patch203 -p1 -b .check-for-qimage-allocation-failure-in-qgifhandler.patch
+%patch204 -p1 -b .tga-handler-check-for-out-of-range-image-size.patch
+%patch205 -p1 -b .bmp-image-handler-check-for-out-of-range-image-size.patch
%define platform linux-g++
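Review bot: The `-b` backup suffixes for %patch203, %patch204 and %patch205 end in `.patch` while %patch200–%patch202 do not, and %patch202's suffix drops the `qtsvg-` prefix its Patch202 file name carries, so the backup copies left in the source tree are named inconsistently; use `%patch203 -p1 -b .check-for-qimage-allocation-failure-in-qgifhandler`, `%patch204 -p1 -b .tga-handler-check-for-out-of-range-image-size` and `%patch205 -p1 -b .bmp-image-handler-check-for-out-of-range-image-size`. The Patch200–Patch205 comments in the earlier hunk cite qt5 component names (qt5-qtbase, qt5-qtsvg, qt5-qtimageformats) for patches applied to this qt 4.8.7 package, which reads as though the wrong package is being patched; if these are backports of the qt5 fixes, say so in the `# security patches` comment.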
@@ -1328,10 +1347,27 @@ fi
%changelog
-* Tue Jul 23 2019 Jan Grulich - 1:4.8.7-4
-- Bump build version for RPM to not consider z-stream build as newer
- Revert fix for font cache check in QFontEngineFT::recalcAdvances()
- Resolves: bz#1684167
+* Fri Dec 06 2019 Jan Grulich - 1:4.8.7-8
+- Fix QImage allocation failure in qgifhandler
+ Resolves: bz#1667863
+
+- Fix QTgaFile CPU exhaustion
+ Resolves: bz#1667879
+
+- Fix QBmpHandler segmentation fault on malformed BMP file
+ Resolves: bz#1667862
+
+* Tue Oct 29 2019 Jan Grulich - 1:4.8.7-7
+- Fix crash when parsing malformed url reference in svg
+ Resolves: bz#1667882
+
+* Wed Oct 23 2019 Jan Grulich - 1:4.8.7-6
+- Fix crash in qppmhandler for certain malformed image files
+ Resolves: bz#1702031
+
+* Wed Oct 23 2019 Jan Grulich - 1:4.8.7-5
+- Fix possible heap corruption in QXmlStream
+ Resolves: bz#1667861
* Thu Mar 21 2019 Jan Grulich - 1:4.8.7-3
- Revert fix for font cache check in QFontEngineFT::recalcAdvances()
@@ -1348,8 +1384,6 @@ fi
- Don't close Qt apps in Gnome on shutdown dialog
Resolves: bz#1378865
-* Wed May 24 2017 Jan Grulich - 1:4.8.5-14
-
* Mon May 02 2016 Jan Grulich - 1:4.8.5-13
- Prefer adwaita-qt theme over gtk
Resolves: bz#1332094