diff options
author | Bart Ribbers <bribbers@disroot.org> | 2020-08-18 12:45:58 +0200 |
---|---|---|
committer | Rasmus Thomsen <oss@cogitri.dev> | 2020-08-18 14:41:59 +0000 |
commit | c6a543eb06cdeff705ec91ae868c989911309ad4 (patch) | |
tree | d1a9b46fe4af9baa5a26380d1a1779b09940a13b | |
parent | d7c6c098a815569aee6bdd7cba73299572519050 (diff) |
community/qt5-qtbase: fix CVE-2020-17507
Part of a fix for #11871
-rw-r--r-- | community/qt5-qtbase/APKBUILD | 10 | ||||
-rw-r--r-- | community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch | 88 |
2 files changed, 96 insertions, 2 deletions
diff --git a/community/qt5-qtbase/APKBUILD b/community/qt5-qtbase/APKBUILD index d3f17c84802..1aa11e8897d 100644 --- a/community/qt5-qtbase/APKBUILD +++ b/community/qt5-qtbase/APKBUILD @@ -1,7 +1,7 @@ # Maintainer: Bart Ribbers <bribbers@disroot.org> pkgname=qt5-qtbase pkgver=5.15.0 -pkgrel=1 +pkgrel=2 pkgdesc="Qt5 - QtBase components" url="https://qt.io/developers/" arch="all" @@ -56,6 +56,7 @@ esac source="https://download.qt.io/$_rel/qt/${pkgver%.*}/$pkgver/submodules/qtbase-everywhere-src-$pkgver.tar.xz qt-musl-iconv-no-bom.patch time64.patch + fix-buffer-overflow-in-xbm-parser.patch " _qt5_prefix=/usr/lib/qt5 @@ -66,6 +67,10 @@ case "$CTARGET_ARCH" in *) _opengl="-opengl";; esac +# secfixes: +# 5.15.0-r2: +# - CVE-2020-17507 + prepare() { default_prepare @@ -211,4 +216,5 @@ x11() { sha512sums="c584d69e49f4959d9b8541f820f5ff1e6d1599697ad16976b47cbaaa902fc83e1ca4ae57d56d13574e42e5f602d4420245ad7fcfc13e224e10d4bbad6a537d1a qtbase-everywhere-src-5.15.0.tar.xz 7d68421a14f0259535c977d8a521c98918193c107b76ac664571b12f5b0d7588a0d0e1297af412a26753a393b21f3f44c3274fa8ab5bc87f03705a3a03acb444 qt-musl-iconv-no-bom.patch -436f0bb7a89a88aa62c7b0398c4e91c325e78542e96f747c903f7e96dbf9d9b693d9688c722f2a74e287fb9ab31e861bd5ed8deb172ed28f56a1b8757663771c time64.patch" +436f0bb7a89a88aa62c7b0398c4e91c325e78542e96f747c903f7e96dbf9d9b693d9688c722f2a74e287fb9ab31e861bd5ed8deb172ed28f56a1b8757663771c time64.patch +61f9d1ee6395a9617b940121a4112bbaa76c2300c66cbfc89118b2e704e3d0e8216b86a29dc0adc95ac87461d2299d4e5767ec43bfaf5ae67b39612ede0a7d06 fix-buffer-overflow-in-xbm-parser.patch" diff --git a/community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch b/community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch new file mode 100644 index 00000000000..16a0cef1278 --- /dev/null +++ b/community/qt5-qtbase/fix-buffer-overflow-in-xbm-parser.patch @@ -0,0 +1,88 @@ +From 1616c71921b73b227f56ccb3f2c49a994ec23440 Mon Sep 17 00:00:00 2001 +From: Allan Sandfeld Jensen <allan.jensen@qt.io> +Date: Thu, 23 Jul 2020 11:48:48 +0200 +Subject: [PATCH] Fix buffer overflow in XBM parser + +Avoid parsing over the buffer limit, or interpreting non-hex +as hex. + +This still leaves parsing of lines longer than 300 chars +unreliable + +Change-Id: I1c57a7e530c4380f6f9040b2ec729ccd7dc7a5fb +Reviewed-by: Robert Loehning <robert.loehning@qt.io> +Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io> +(cherry picked from commit c562c1fc19629fb505acd0f6380604840b634211) +Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> +--- + +diff --git a/src/gui/image/qxbmhandler.cpp b/src/gui/image/qxbmhandler.cpp +index f065616..72ce7f7 100644 +--- a/src/gui/image/qxbmhandler.cpp ++++ b/src/gui/image/qxbmhandler.cpp +@@ -159,7 +159,9 @@ + w = (w+7)/8; // byte width + + while (y < h) { // for all encoded bytes... +- if (p) { // p = "0x.." ++ if (p && p < (buf + readBytes - 3)) { // p = "0x.." ++ if (!isxdigit(p[2]) || !isxdigit(p[3])) ++ return false; + *b++ = hex2byte(p+2); + p += 2; + if (++x == w && ++y < h) { +diff --git a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +index cf8a0d1..984a7c7 100644 +--- a/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp ++++ b/tests/auto/gui/image/qimagereader/tst_qimagereader.cpp +@@ -175,6 +175,8 @@ + + void xpmBufferOverflow(); + ++ void xbmBufferHandling(); ++ + private: + QString prefix; + QTemporaryDir m_temporaryDir; +@@ -2055,5 +2057,41 @@ + QImageReader(":/images/oss-fuzz-23988.xpm").read(); + } + ++void tst_QImageReader::xbmBufferHandling() ++{ ++ uint8_t original_buffer[256]; ++ for (int i = 0; i < 256; ++i) ++ original_buffer[i] = i; ++ ++ QImage image(original_buffer, 256, 8, QImage::Format_MonoLSB); ++ image.setColorTable({0xff000000, 0xffffffff}); ++ ++ QByteArray buffer; ++ { ++ QBuffer buf(&buffer); ++ QImageWriter writer(&buf, "xbm"); ++ writer.write(image); ++ } ++ ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ ++ auto i = buffer.indexOf(','); ++ buffer.insert(i + 1, " "); ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ buffer.insert(i + 1, " "); ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++ buffer.insert(i + 1, " "); ++#if 0 // Lines longer than 300 chars not supported currently ++ QCOMPARE(QImage::fromData(buffer, "xbm"), image); ++#endif ++ ++ i = buffer.lastIndexOf("\n "); ++ buffer.truncate(i + 1); ++ buffer.append(QByteArray(297, ' ')); ++ buffer.append("0x"); ++ // Only check we get no buffer overflow ++ QImage::fromData(buffer, "xbm"); ++} ++ + QTEST_MAIN(tst_QImageReader) + #include "tst_qimagereader.moc" |