Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtbase-opensource-...@packages.debian.org
Control: affects -1 + src:qtbase-opensource-src

Please unblock package qtbase-opensource-src.

[ Reason ]
One more CVE was published for qtbase, CVE-2023-33285 [1].

[ Impact ]
QDnsLookup has a buffer over-read via a crafted reply from a DNS server.

[ Tests ]
No automated tests are run for this package. But QDnsLookup is covered by
tests which are run as part of upstream CI:
tests/auto/network/kernel/qdnslookup/tst_qdnslookup.cpp.

[ Risks ]
This change passed the upstream tests, so it should be safe.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
Also I added DEP-3 headers to the patches from previous upload and renamed
them in a consistent way. This will not affect the binary packages in any way.

The reported piuparts regression is in piuparts itself [2].

unblock qtbase-opensource-src/5.15.8+dfsg-11

[1]: https://security-tracker.debian.org/tracker/CVE-2023-33285
[2]: https://salsa.debian.org/debian/piuparts/-/merge_requests/42

--
Dmitry Shachnev
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qtbase-opensource-src (5.15.8+dfsg-11) unstable; urgency=medium
+
+  * Rename the patches for consistency and add DEP-3 headers.
+  * Add a patch to fix buffer overflow in QDnsLookup (CVE-2023-33285).
+
+ -- Dmitry Shachnev <mity...@debian.org>  Thu, 25 May 2023 13:45:05 +0300
+
 qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium
 
   * Add patches to fix CVE-2023-32762 and CVE-2023-32763.
--- a/debian/patches/CVE-2023-32762.patch
+++ b/debian/patches/CVE-2023-32762.diff
@@ -1,6 +1,7 @@
----
- src/network/access/qhsts.cpp |    4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
+Description: hsts: match header names case insensitively
+ Header field names are always considered to be case-insensitive.
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff
+Last-Update: 2023-05-22
 
 --- a/src/network/access/qhsts.cpp
 +++ b/src/network/access/qhsts.cpp
--- a/debian/patches/cve-2023-32763.diff
+++ b/debian/patches/CVE-2023-32763.diff
@@ -1,7 +1,7 @@
----
- src/gui/painting/qfixed_p.h  |    9 +++++++++
- src/gui/text/qtextlayout.cpp |    9 ++++++---
- 2 files changed, 15 insertions(+), 3 deletions(-)
+Description: fix buffer overflow in Qt SVG
+ Adds qAddOverflow and qMulOverflow definitions to QFixed.
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff
+Last-Update: 2023-05-22
 
 --- a/src/gui/painting/qfixed_p.h
 +++ b/src/gui/painting/qfixed_p.h
--- /dev/null
+++ b/debian/patches/CVE-2023-33285.diff
@@ -0,0 +1,77 @@
+Description: QDnsLookup/Unix: make sure we don't overflow the buffer
+ The DNS Records are variable length and encode their size in 16 bits
+ before the Record Data (RDATA). Ensure that both the RDATA and the
+ Record header fields before it fall inside the buffer we have.
+ .
+ Additionally reject any replies containing more than one query records.
+Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=7dba2c87619d558a
+Last-Update: 2023-05-25
+
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int
+     // responseLength in case of error, we still can extract the
+     // exact error code from the response.
+     HEADER *header = (HEADER*)response;
+-    const int answerCount = ntohs(header->ancount);
+     switch (header->rcode) {
+     case NOERROR:
+         break;
+@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int
+         return;
+     }
+ 
+-    // Skip the query host, type (2 bytes) and class (2 bytes).
+     char host[PACKETSZ], answer[PACKETSZ];
+     unsigned char *p = response + sizeof(HEADER);
+-    int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+-    if (status < 0) {
++    int status;
++
++    if (ntohs(header->qdcount) == 1) {
++        // Skip the query host, type (2 bytes) and class (2 bytes).
++        status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
++        if (status < 0) {
++            reply->error = QDnsLookup::InvalidReplyError;
++            reply->errorString = tr("Could not expand domain name");
++            return;
++        }
++        if ((p - response) + status + 4 >= responseLength)
++            header->qdcount = 0xffff;   // invalid reply below
++        else
++            p += status + 4;
++    }
++    if (ntohs(header->qdcount) > 1) {
+         reply->error = QDnsLookup::InvalidReplyError;
+-        reply->errorString = tr("Could not expand domain name");
++        reply->errorString = tr("Invalid reply received");
+         return;
+     }
+-    p += status + 4;
+ 
+     // Extract results.
++    const int answerCount = ntohs(header->ancount);
+     int answerIndex = 0;
+     while ((p < response + responseLength) && (answerIndex < answerCount)) {
+         status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int
+         const QString name = QUrl::fromAce(host);
+ 
+         p += status;
++
++        if ((p - response) + 10 > responseLength) {
++            // probably just a truncated reply, return what we have
++            return;
++        }
+         const quint16 type = (p[0] << 8) | p[1];
+         p += 2; // RR type
+         p += 2; // RR class
+@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int
+         p += 4;
+         const quint16 size = (p[0] << 8) | p[1];
+         p += 2;
++        if ((p - response) + size > responseLength)
++            return;             // truncated
+ 
+         if (type == QDnsLookup::A) {
+             if (size != 4) {
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,8 +15,9 @@ image_deletion_order.diff
 qxcbwindow_set_geometry.diff
 CVE-2023-24607.diff
 qshapedpixmapwindow_no_tooltip.diff
-cve-2023-32763.diff
-CVE-2023-32762.patch
+CVE-2023-32763.diff
+CVE-2023-32762.diff
+CVE-2023-33285.diff
 
 # Debian specific.
 gnukfreebsd.diff

Attachment: signature.asc
Description: PGP signature

Reply via email to