diff --git a/SOURCES/qtbase-fix-buffer-overflow-in-xbm-parser.patch b/SOURCES/qtbase-fix-buffer-overflow-in-xbm-parser.patch
new file mode 100644
index 0000000..b1fe825
--- /dev/null
+++ b/SOURCES/qtbase-fix-buffer-overflow-in-xbm-parser.patch
@@ -0,0 +1,69 @@
+diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp
+index 155a4f88..39bffc89 100644
+--- a/src/gui/image/qxbmhandler.cpp
++++ b/src/gui/image/qxbmhandler.cpp
+@@ -154,7 +154,9 @@ static bool read_xbm_body(QIODevice *device, int w, int h, QImage *outImage)
+ w = (w+7)/8; // byte width
+
+ while (y < h) { // for all encoded bytes...
+- if (p) { // p = "0x.."
++ if (p && p < (buf + readBytes - 3)) { // p = "0x.."
++ if (!isxdigit(p[2]) || !isxdigit(p[3]))
++ return false;
+ *b++ = hex2byte(p+2);
+ p += 2;
+ if (++x == w && ++y < h) {
+diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+index 170f551d..0f6c91bd 100644
+--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp
+@@ -164,6 +164,7 @@ private slots:
+ void preserveTexts_data();
+ void preserveTexts();
+
++ void xbmBufferHandling();
+ private:
+ QString prefix;
+ QTemporaryDir m_temporaryDir;
+@@ -1967,5 +1968,41 @@ void tst_QImageReader::preserveTexts()
+ }
+
+
++
++void tst_QImageReader::xbmBufferHandling()
++{
++ uint8_t original_buffer[256];
++ for (int i = 0; i < 256; ++i)
++ original_buffer[i] = i;
++
++ QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB);
++ image.setColorTable({0xff000000, 0xffffffff});
++
++ QByteArray buffer;
++ {
++ QBuffer buf(&buffer);
++ QImageWriter writer(&buf, "xbm");
++ writer.write(image);
++ }
++
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++
++ auto i = buffer.indexOf(',');
++ buffer.insert(i + 1, " ");
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++ buffer.insert(i + 1, " ");
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++ buffer.insert(i + 1, " ");
++#if 0 // Lines longer than 300 chars not supported currently
++ QCOMPARE(QImage::fromData(buffer, "xbm"), image);
++#endif
++
++ i = buffer.lastIndexOf("\n ");
++ buffer.truncate(i + 1);
++ buffer.append(QByteArray(297, ' '));
++ buffer.append("0x");
++ // Only check we get no buffer overflow
++ QImage::fromData(buffer, "xbm");
++}
++
+ QTEST_MAIN(tst_QImageReader)
+ #include "tst_qimagereader.moc"
diff --git a/SPECS/qt5-qtbase.spec b/SPECS/qt5-qtbase.spec
index c378a04..e5ad5f3 100644
--- a/SPECS/qt5-qtbase.spec
+++ b/SPECS/qt5-qtbase.spec
@@ -57,7 +57,7 @@ BuildRequires: pkgconfig(libsystemd)
 Summary: Qt5 - QtBase components
 Name: qt5-qtbase
 Version: 5.9.7
-Release: 4%{?dist}
+Release: 5%{?dist}
 # See LGPL_EXCEPTIONS.txt, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -115,6 +115,9 @@ Patch200: qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch
 # CVE-2020-0569 qt5-qtbase: qt: files placed by attacker can influence the working directory and lead to malicious code execution
 Patch201: qtbase-do-not-load-plugin-from-pwd.patch
+# CVE-2020-17507 qt5-qtbase: qt: buffer over-read in read_xbm_body in gui/image/qxbmhandler.cpp
+Patch202: qtbase-fix-buffer-overflow-in-xbm-parser.patch
+
 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
 # not there, the platform to integrate with isn't either. Then Qt will just
@@ -382,6 +385,7 @@ RPM macros for building Qt5 packages.
 # Security fixes
 %patch200 -p1 -b .qlibrary-do-not-attempt-to-load-library-relative-to-pwd
 %patch201 -p1 -b .do-not-load-plugin-from-pwd
+%patch202 -p1 -b .fix-buffer-overflow-in-xbm-parser
 %if 0%{?inject_optflags}
 ## adjust $RPM_OPT_FLAGS
@@ -1037,6 +1041,10 @@ fi
 %changelog
+* Thu Sep 24 2020 Jan Grulich - 5.9.7-5
+- Fix buffer overflow in XBM parser
+ Resolves: bz#1870365
+
 * Tue May 19 2020 Jan Grulich - 5.9.7-4
 - Fix: Files placed by attacker can influence the working directory and lead to malicious code execution
 Resolves: bz#1814740
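Review bot: `isxdigit(p[2])` and `isxdigit(p[3])` in the new guard of `read_xbm_body` are given plain `char` values read straight from the image file; on targets where `char` is signed, any byte ≥ 0x80 becomes a negative argument, which is undefined behaviour for the `<cctype>` classifiers (only values representable as `unsigned char`, or EOF, are permitted) and on common libc implementations indexes a classification table out of bounds — an out-of-range read of the same kind this patch is meant to close. Cast first: `if (!isxdigit(static_cast<unsigned char>(p[2])) || !isxdigit(static_cast<unsigned char>(p[3])))`. The bound `p < (buf + readBytes - 3)` does keep `p[3]` inside the data that was read, but it forms a pointer before `buf` whenever `readBytes < 3`; spelling it as a remaining-length test, `if (p && (buf + readBytes) - p > 3) {`, expresses the same condition without that corner case (the declarations of `buf` and `readBytes` are outside the hunk, so their types are assumed from use). It would be worth adding a high-bit byte such as `"0x\xff"` next to the truncated-`0x` input the new `xbmBufferHandling` test already exercises, so the cast is covered. `read_xbm_body` begins and ends outside this hunk.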