Package: release.debian.org Severity: normal User: release.debian....@packages.debian.org Usertags: unblock X-Debbugs-Cc: qtbase-opensource-...@packages.debian.org, mity...@debian.org, lisan...@debian.org Control: affects -1 + src:qtbase-opensource-src
Please unblock package qtbase-opensource-src [ Reason ] This upload: - Fixes CVE-2023-32762 and CVE-2023-32763. One prevents a crash with SVG (not related to the one in qtsvg-opensource-src) and the other one related to a security heade parsing in the network module. - Adds a Break/Replaces in order to allow proper handling of systems that still had libqtcore4 around (#1035790). - Backports a patch in order to solve an issue with KWin: - https://bugreports.qt.io/browse/QTBUG-98048 - https://lists.debian.org/debian-kde/2022/11/msg00019.html [ Impact ] - Lack of security fixes. - Breaks the bullseye → bookworm update on some systems. - Nasty visual effects while drag and dropping. [ Tests ] All the patches have been tested by upstream. The security patches are quite straightforward. The B/R issue is also straightforward, with a specific Qt4 version allowing users to keep libqt4 around if necessary. Drag and dropping just works as expected. [ Risks ] Sincerely I don't think there are risks here. [ Checklist ] [X] all changes are documented in the d/changelog [X] I reviewed all changes and I approve them [X] attach debdiff against the package in testing unblock qtbase-opensource-src/5.15.8+dfsg-10
diff --git a/debian/changelog b/debian/changelog index 8c172cff..1f5b73f0 100644 --- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,17 @@ +qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium + + * Add patches to fix CVE-2023-32762 and CVE-2023-32763. + + -- Lisandro Damián Nicanor Pérez Meyer <lisan...@debian.org> Mon, 22 May 2023 11:31:55 -0300 + +qtbase-opensource-src (5.15.8+dfsg-9) unstable; urgency=medium + + * Backport upstream patch to fix laggy drag-and-drop with KWin. See: + - https://bugreports.qt.io/browse/QTBUG-98048 + - https://lists.debian.org/debian-kde/2022/11/msg00019.html + + -- Dmitry Shachnev <mity...@debian.org> Sun, 21 May 2023 12:19:31 +0300 + qtbase-opensource-src (5.15.8+dfsg-8) unstable; urgency=medium * Add back Breaks/Replaces for libqtcore4 (closes: #1035790). diff --git a/debian/patches/CVE-2023-32762.patch b/debian/patches/CVE-2023-32762.patch new file mode 100644 index 00000000..d0deff76 --- /dev/null +++ b/debian/patches/CVE-2023-32762.patch @@ -0,0 +1,17 @@ +--- + src/network/access/qhsts.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +--- a/src/network/access/qhsts.cpp ++++ b/src/network/access/qhsts.cpp +@@ -364,8 +364,8 @@ quoted-pair = "\" CHAR + bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers) + { + for (const auto &h : headers) { +- // We use '==' since header name was already 'trimmed' for us: +- if (h.first == "Strict-Transport-Security") { ++ // We compare directly because header name was already 'trimmed' for us: ++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) { + header = h.second; + // RFC6797, 8.1: + // diff --git a/debian/patches/cve-2023-32763.diff b/debian/patches/cve-2023-32763.diff new file mode 100644 index 00000000..b74413dc --- /dev/null +++ b/debian/patches/cve-2023-32763.diff @@ -0,0 +1,50 @@ +--- + src/gui/painting/qfixed_p.h | 9 +++++++++ + src/gui/text/qtextlayout.cpp | 9 ++++++--- + 2 files changed, 15 insertions(+), 3 deletions(-) + +--- a/src/gui/painting/qfixed_p.h ++++ b/src/gui/painting/qfixed_p.h +@@ -54,6 +54,7 @@ + #include <QtGui/private/qtguiglobal_p.h> + #include "QtCore/qdebug.h" + #include "QtCore/qpoint.h" ++#include <QtCore/private/qnumeric_p.h> + #include "QtCore/qsize.h" + + QT_BEGIN_NAMESPACE +@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(i + Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; } + Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); } + ++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r) ++{ ++ int val; ++ bool result = add_overflow(v1.value(), v2.value(), &val); ++ r->setValue(val); ++ return result; ++} ++ + #ifndef QT_NO_DEBUG_STREAM + inline QDebug &operator<<(QDebug &dbg, const QFixed &f) + { return dbg << f.toReal(); } +--- a/src/gui/text/qtextlayout.cpp ++++ b/src/gui/text/qtextlayout.cpp +@@ -2150,11 +2150,14 @@ found: + eng->maxWidth = qMax(eng->maxWidth, line.textWidth); + } else { + eng->minWidth = qMax(eng->minWidth, lbh.minw); +- eng->maxWidth += line.textWidth; ++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth)) ++ eng->maxWidth = QFIXED_MAX; + } + +- if (line.textWidth > 0 && item < eng->layoutData->items.size()) +- eng->maxWidth += lbh.spaceData.textWidth; ++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) { ++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth)) ++ eng->maxWidth = QFIXED_MAX; ++ } + + line.textWidth += trailingSpace; + if (lbh.spaceData.length) { diff --git a/debian/patches/qshapedpixmapwindow_no_tooltip.diff b/debian/patches/qshapedpixmapwindow_no_tooltip.diff new file mode 100644 index 00000000..7e4dabfb --- /dev/null +++ b/debian/patches/qshapedpixmapwindow_no_tooltip.diff @@ -0,0 +1,25 @@ +Description: do not set Qt::ToolTip flag for QShapedPixmapWindow + This hint is not really needed in the first place and only causes + problems in some environments. + . + For example in KDE, the compositor animates changes in position and size + for all ToolTip windows. However, this is not wanted here because we use + this window as a thumbnail for a drag-and-drop operation. + Before this patch the dragged element would lag significantly behind the + cursor. Now it works as expected, i.e. the dragged element follows the + cursor immediately. +Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=180b496b537089b8 +Bug: https://bugreports.qt.io/browse/QTBUG-98048 +Last-Update: 2023-05-20 + +--- a/src/gui/kernel/qshapedpixmapdndwindow.cpp ++++ b/src/gui/kernel/qshapedpixmapdndwindow.cpp +@@ -56,7 +56,7 @@ QShapedPixmapWindow::QShapedPixmapWindow + QSurfaceFormat format; + format.setAlphaBufferSize(8); + setFormat(format); +- setFlags(Qt::ToolTip | Qt::FramelessWindowHint | Qt::X11BypassWindowManagerHint ++ setFlags(Qt::FramelessWindowHint | Qt::BypassWindowManagerHint + | Qt::WindowTransparentForInput | Qt::WindowDoesNotAcceptFocus); + } + diff --git a/debian/patches/series b/debian/patches/series index 521474ab..afbb7882 100644 --- a/debian/patches/series +++ b/debian/patches/series @@ -14,6 +14,9 @@ fix_alt_backtick.diff image_deletion_order.diff qxcbwindow_set_geometry.diff CVE-2023-24607.diff +qshapedpixmapwindow_no_tooltip.diff +cve-2023-32763.diff +CVE-2023-32762.patch # Debian specific. gnukfreebsd.diff
