Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package qt6-svg for openSUSE:Factory checked in at 2026-05-10 16:47:04 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qt6-svg (Old) and /work/SRC/openSUSE:Factory/.qt6-svg.new.1966 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qt6-svg" Sun May 10 16:47:04 2026 rev:45 rq:1351817 version:6.11.0 Changes: -------- --- /work/SRC/openSUSE:Factory/qt6-svg/qt6-svg.changes 2026-03-28 20:13:23.977543137 +0100 +++ /work/SRC/openSUSE:Factory/.qt6-svg.new.1966/qt6-svg.changes 2026-05-10 16:47:20.870381555 +0200 @@ -1,0 +2,6 @@ +Fri May 8 07:55:54 UTC 2026 - Christophe Marin <[email protected]> + +- Add upstream fix (CVE-2026-6210, boo#1264301) + * 0001-Test-types-of-nodes-before-downcasting-them.patch + +------------------------------------------------------------------- New: ---- 0001-Test-types-of-nodes-before-downcasting-them.patch ----------(New B)---------- New:- Add upstream fix (CVE-2026-6210, boo#1264301) * 0001-Test-types-of-nodes-before-downcasting-them.patch ----------(New E)---------- ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qt6-svg.spec ++++++ --- /var/tmp/diff_new_pack.VgMojr/_old 2026-05-10 16:47:22.414444745 +0200 +++ /var/tmp/diff_new_pack.VgMojr/_new 2026-05-10 16:47:22.426445237 +0200 @@ -34,6 +34,8 @@ URL: https://www.qt.io Source0: https://download.qt.io/official_releases/qt/%{short_version}/%{real_version}%{tar_suffix}/submodules/%{tar_name}-%{real_version}%{tar_suffix}.tar.xz Source99: qt6-svg-rpmlintrc +# PATCH-FIX-UPSTREAM -- CVE-2026-6210 +Patch0: 0001-Test-types-of-nodes-before-downcasting-them.patch BuildRequires: pkgconfig BuildRequires: cmake(Qt6Core) = %{real_version} BuildRequires: cmake(Qt6CorePrivate) = %{real_version} ++++++ 0001-Test-types-of-nodes-before-downcasting-them.patch ++++++ >From abc6d7100589f83cc018c7f5446c7e93f8262da1 Mon Sep 17 00:00:00 2001 
From: =?UTF-8?q?Robert=20L=C3=B6hning?= <[email protected]> Date: Thu, 26 Mar 2026 13:42:19 +0100 Subject: [PATCH] Test types of nodes before downcasting them A bad cast in QSvgMarker::drawHelper lead to an endless recursion resulting in a heap overflow. Credit to OSS-Fuzz which found this as issue 496327371. Amends 534d072fe9c060ca3d1b968a717513426c69c956 While fixing that, I found another, similar case and fixed it, too, although it didn't seem to cause a crash. Amends 29b848e9ac4e4e13c5b50116a81b1f2677196939 Pick-to: 6.8 Change-Id: Ia57491aa329fea981307a709c5a6a750125fe2c7 Reviewed-by: Hatem ElKharashy <[email protected]> (cherry picked from commit e488f852fa18c2afc2842a88eff8f66ad4105a45) Reviewed-by: Qt Cherry-pick Bot <[email protected]> --- src/svg/qsvgstructure.cpp | 10 ++++++---- tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp | 11 +++++++++++ 2 files changed, 17 insertions(+), 4 deletions(-) diff --git a/src/svg/qsvgstructure.cpp b/src/svg/qsvgstructure.cpp index 23606e6..5bf485e 100644 --- a/src/svg/qsvgstructure.cpp +++ b/src/svg/qsvgstructure.cpp @@ -426,9 +426,10 @@ void QSvgMarker::drawHelper(const QSvgNode *node, QPainter *p, const bool isPainting = (boundingRect == nullptr); const auto markers = markersForNode(node); for (auto &i : markers) { - QSvgMarker *markNode = static_cast<QSvgMarker*>(node->document()->namedNode(i.markerId)); - if (!markNode) + QSvgNode *referencedNode = node->document()->namedNode(i.markerId); + if (!referencedNode || referencedNode->type() != QSvgNode::Marker) continue; + QSvgMarker *markNode = static_cast<QSvgMarker *>(referencedNode); p->save(); p->translate(i.x, i.y); 
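Review bot: The new `type()` test in QSvgMarker::drawHelper carries no comment saying why it is needed, and the same lookup, check and cast sequence is repeated in QSvgMask::createMask in the next hunk. I would add `// markerId appears to come from the SVG document, so namedNode() can return any node type; verify before downcasting` above the check. A small shared helper that returns the typed pointer or nullptr would keep both call sites in step. Any other `static_cast` applied to a `namedNode()` result outside these hunks deserves the same check. drawHelper starts and ends outside the hunk.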
@@ -729,8 +730,9 @@ QImage QSvgMask::createMask(QPainter *p, QSvgExtraStates &states, const QRectF & // Chrome seems to return the mask of the mask if a mask is set on the mask if (this->hasMask()) { - QSvgMask *maskNode = static_cast<QSvgMask*>(document()->namedNode(this->maskId())); - if (maskNode) { + QSvgNode *referencedNode = document()->namedNode(this->maskId()); + if (referencedNode && referencedNode->type() == QSvgNode::Mask) { + QSvgMask *maskNode = static_cast<QSvgMask *>(referencedNode); QRectF boundsRect; return maskNode->createMask(p, states, localRect, &boundsRect); } diff --git a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp index 4d19b6e..bb805cb 100644 --- a/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp +++ b/tests/auto/qsvgrenderer/tst_qsvgrenderer.cpp @@ -1867,6 +1867,17 @@ void tst_QSvgRenderer::ossFuzzRender_data() // runtime error: signed integer overflow: -2147483648 + -1 cannot be represented in type 'int' QTest::newRow("excessive moveto in path") // id=406541912 << R"(<svg><path stroke="#000" d="M- 7e8t9 ."/><marker id="c"/><use href=" c"/></svg>)"_ba; + // Bad-cast to QSvgMarker from QSvgLine -> Heap-buffer-overflow + QTest::newRow("line-as-marker") // id=496327371 + << R"-(<svg><line x1="4" id="lledr" marker-end="url(#lledr)" stroke="#00f"/></svg>)-"_ba; + QTest::newRow("line-as-mask") // modeled after 496327371 to test similar problem, needs UBSAN + << R"-(<svg> + <defs> + <line x1="4" id="line"/> + <mask id="mask" width="2" height="2" mask="url(#line)"/> + </defs> + <rect width="2" height="2" mask="url(#mask)"/> + </svg>)-"_ba; } void tst_QSvgRenderer::ossFuzzRender() -- 2.54.0
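Review bot: The type test in QSvgMask::createMask does not bound the recursion on the following `return maskNode->createMask(p, states, localRect, &boundsRect);` line, because nothing visible here rules out `referencedNode` being this mask itself or part of a reference cycle between masks. If hasMask() or the parser does not already reject that (not visible in the hunk), a guard such as `referencedNode != this` together with a depth limit would be needed, with a regression row next to "line-as-mask". The commit message describes the marker case as an endless recursion, so the same question applies to QSvgMarker::drawHelper in the previous hunk. createMask starts and ends outside the hunk.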
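Review bot: The two rows added to ossFuzzRender_data() appear able to fail only by crashing, and the "line-as-mask" row states that it needs UBSAN, so in a build without sanitizers it would pass with or without the fix. I would spell that out in the row comment, for example `// passes without UBSan even when the cast is unchecked; run under sanitizers`, and confirm that this test is part of a sanitizer job. The comment above "line-as-marker" says Heap-buffer-overflow while the commit message describes an endless recursion ending in a heap overflow; using the same wording in both would help whoever triages a later failure. The function body starts outside the hunk.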
