Package: release.debian.org
Severity: normal
X-Debbugs-Cc: qtbase-opensource-...@packages.debian.org
Control: affects -1 + src:qtbase-opensource-src
User: release.debian....@packages.debian.org
Usertags: unblock
Dear Release Team,

Please unblock package qtbase-opensource-src.

It fixes the same CVE as qt6-base 6.8.2+dfsg-8, so I took the liberty to copy some wording from the qt6-base unblock bug (#1108624).

[ Reason ]
This upload backports a patch fixing CVE-2025-5455 (#1108475).

[ Impact ]
If malformed data is sent and a specific function in the Qt API (qDecodeDataUrl()) is used, it could result in a denial of service.

[ Tests ]
No manual tests were conducted, but the patch is directly from upstream Qt, where it's been part of the 5.15.19 release and has therefore gone through the normal QA.

[ Risks ]
I deem the risks to be low. The patch is taken directly from upstream and has been part of the 5.15.19 release. The patch in itself is rather simple, just 4 deletions and 5 insertions.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock qtbase-opensource-src/5.15.15+dfsg-6

--
Dmitry Shachnev
--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +qtbase-opensource-src (5.15.15+dfsg-6) unstable; urgency=medium + + * Backport upstream patch to fix assertion errors in data: URL parsing + (CVE-2025-5455, closes: #1108475). + + -- Dmitry Shachnev <mity...@debian.org> Sun, 29 Jun 2025 22:50:45 +0300 + qtbase-opensource-src (5.15.15+dfsg-5) unstable; urgency=medium * Backport upstream patch to add null checks in table iface methods in --- /dev/null +++ b/debian/patches/CVE-2025-5455.diff @@ -0,0 +1,30 @@ +Description: qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at() + It is a precondition violation to call QByteArrayView::at() with + size() as argument. The code used that, though, as an implicit + end-of-string check, assuming == ' ' and == '=' would both fail for + null bytes. Besides, QByteArrays (but most certainly QByteArrayViews) + need not be null-terminated, so this could read even past size(). + . + To fix, use higher-level API (startsWith()), consuming parsed tokens + along the way. +Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2025-5455-qtbase-5.15.patch +Last-Update: 2025-06-29 + +--- a/src/corelib/io/qdataurl.cpp ++++ b/src/corelib/io/qdataurl.cpp +@@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const + } + + if (data.toLower().startsWith("charset")) { +- int i = 7; // strlen("charset") +- while (data.at(i) == ' ') +- ++i; +- if (data.at(i) == '=') ++ int prefixSize = 7; // strlen("charset") ++ QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize); ++ while (copy.startsWith(QLatin1String(" "))) ++ copy = copy.mid(1); ++ if (copy.startsWith(QLatin1String("="))) + data.prepend("text/plain;"); + } + --- a/debian/patches/series +++ b/debian/patches/series 
@@ -19,6 +19,7 @@ revert_statusnotifierhost_checking.diff dont_fallback_to_x11_tray_on_non_x11.diff check_dbus_tray_availability_every_time.diff a11y_null_checks.diff +CVE-2025-5455.diff # Debian specific. no_htmlinfo_example.diff
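Review bot: the DEP-3 header of debian/patches/CVE-2025-5455.diff has no Bug-Debian field, so the patch does not point back at the bug the changelog entry closes; add `Bug-Debian: https://bugs.debian.org/1108475` next to the Origin line. The Description also speaks of `QByteArrayView::at()`, while the 5.15 code in the hunk below operates on `data`, a QByteArray (QByteArrayView is a Qt 6 type), and the changelog describes the symptom as assertion errors; a one-line note that the description text was carried over from the Qt 6 commit would save the next reader from looking for a QByteArrayView in this tree.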
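Review bot: in the qdataurl.cpp hunk the arithmetic and the loop are sound: `data.size() - prefixSize` cannot be negative because the enclosing `startsWith("charset")` already guarantees at least seven bytes, and both `copy.startsWith(...)` calls return false on an empty view, so the old `data.at(i)` with `i == size()` (reached whenever `data` is exactly `charset`, or `charset` followed only by spaces) no longer happens. Two small points: `prefixSize` is never modified and could be `const int`, and the patch ships no test while the request's [ Tests ] section says none were run by hand; a debug build fed a data: URL whose mediatype is just `charset` before and after applying the patch would confirm the assertion is gone.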
Attachment: signature.asc (PGP signature)
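To make the precondition violation in the patch above concrete without building Qt, here is an added example (not code from Qt, from Debian, or from this bug report) that re-implements the `charset` prefix handling of qDecodeDataUrl() on a std::string_view in its pre-patch and post-patch shapes. The names `old_normalise`, `new_normalise`, `old_logic_faults` and the sample inputs are this example's own; std::string_view::at() throws std::out_of_range where QByteArray::at() would assert, which is what lets the old shape be exercised safely.

```cpp
// Added example, not code from Qt or from this bug report: a std::string_view
// re-implementation of the "charset" prefix handling in qDecodeDataUrl(), in its
// pre-patch and post-patch shapes, so the precondition violation can be exercised
// without Qt. Function names here are this example's own.
#include <cctype>
#include <cstddef>
#include <cstdio>
#include <stdexcept>
#include <string>
#include <string_view>

namespace {

constexpr std::string_view kCharset = "charset";   // the 7-byte prefix the code tests for

// Case-insensitive prefix test, standing in for data.toLower().startsWith("charset").
bool starts_with_charset(std::string_view mediatype) {
    if (mediatype.size() < kCharset.size()) return false;
    for (std::size_t i = 0; i < kCharset.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(mediatype[i]);
        if (std::tolower(c) != kCharset[i]) return false;
    }
    return true;
}

// Stands in for QLatin1String::startsWith(QLatin1String(" ")): false on an empty view.
bool starts_with_char(std::string_view s, char ch) {
    return !s.empty() && s.front() == ch;
}

}  // namespace

// Pre-patch shape: an index is walked past the prefix and any spaces and then
// dereferenced. With QByteArray::at() that is an assertion failure when the index
// equals size(); std::string_view::at() throws std::out_of_range instead, and this
// function deliberately lets that escape.
std::string old_normalise(std::string_view mediatype) {
    std::string data(mediatype);
    if (starts_with_charset(data)) {
        std::size_t i = kCharset.size();
        std::string_view view(data);
        while (view.at(i) == ' ')      // at(size()) here when nothing follows "charset"
            ++i;
        if (view.at(i) == '=')
            data.insert(0, "text/plain;");
    }
    return data;
}

// Post-patch shape: the prefix is consumed into a view of the remainder, spaces are
// stripped with startsWith-style checks, and '=' is tested the same way. Every check
// is false on an empty remainder, so no position past the end is ever read.
std::string new_normalise(std::string_view mediatype) {
    std::string data(mediatype);
    if (starts_with_charset(data)) {
        std::string_view rest = std::string_view(data).substr(kCharset.size());
        while (starts_with_char(rest, ' '))
            rest.remove_prefix(1);
        if (starts_with_char(rest, '='))
            data.insert(0, "text/plain;");
    }
    return data;
}

// True when the pre-patch logic reads past the end for this mediatype.
bool old_logic_faults(std::string_view mediatype) {
    try {
        old_normalise(mediatype);
        return false;
    } catch (const std::out_of_range&) {
        return true;
    }
}

int main() {
    // Constructed inputs: the parsed, comma-free mediatype part of a data: URL.
    const char* samples[] = {"charset", "charset  ", "charset = utf-8",
                             "text/plain;charset=utf-8"};
    for (const char* s : samples) {
        std::printf("%-26s old:%-7s new:%s\n", s,
                    old_logic_faults(s) ? "faults" : "ok",
                    new_normalise(s).c_str());
    }
    return 0;
}
```

The inputs "charset" and "charset  " are the cases the old index walk cannot handle: the loop steps onto size() and dereferences it, whereas the consuming form simply ends with an empty remainder and leaves the mediatype untouched.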