--- Begin Message ---
Package: release.debian.org
Severity: normal
Tags: bookworm
User: release.debian....@packages.debian.org
Usertags: pu
The attached debdiff for qtbase-opensource-src fixes several CVEs in
Bookworm. All CVEs are marked as no-dsa by the security team.
The debdiff is based on version 5.15.8+dfsg-11+deb12u1, which is already
in s-p-u.
Thorsten
diff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/changelog
qtbase-opensource-src-5.15.8+dfsg/debian/changelog
--- qtbase-opensource-src-5.15.8+dfsg/debian/changelog 2024-04-07
11:45:51.000000000 +0200
+++ qtbase-opensource-src-5.15.8+dfsg/debian/changelog 2024-04-28
20:48:02.000000000 +0200
@@ -1,3 +1,13 @@
+qtbase-opensource-src (5.15.8+dfsg-11+deb12u2) bookworm; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2024-25580 (Closes: #1064053)
+ fix buffer overflow due to crafted KTX image file
+ * CVE-2023-51714 (Closes: #1060694)
+ fix incorrect HPack integer overflow check.
+
+ -- Thorsten Alteholz <deb...@alteholz.de> Sun, 28 Apr 2024 20:48:02 +0200
+
qtbase-opensource-src (5.15.8+dfsg-11+deb12u1) bookworm; urgency=medium
[ Alexander Volkov ]
diff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff
qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff
--- qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff
1970-01-01 01:00:00.000000000 +0100
+++ qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2023-51714.diff
2024-04-28 20:48:02.000000000 +0200
@@ -0,0 +1,61 @@
+From 23c3fc483e8b6e21012a61f0bea884446f727776 Mon Sep 17 00:00:00 2001
+From: Marc Mutz <marc.m...@qt.io>
+Date: Tue, 12 Dec 2023 22:08:07 +0100
+Subject: [PATCH] HPack: fix incorrect integer overflow check
+
+This code never worked:
+
+For the comparison with max() - 32 to trigger, on 32-bit platforms (or
+Qt 5) signed interger overflow would have had to happen in the
+addition of the two sizes. The compiler can therefore remove the
+overflow check as dead code.
+
+On Qt 6 and 64-bit platforms, the signed integer addition would be
+very unlikely to overflow, but the following truncation to uint32
+would yield the correct result only in a narrow 32-value window just
+below UINT_MAX, if even that.
+
+Fix by using the proper tool, qAddOverflow.
+
+Manual conflict resolutions:
+ - qAddOverflow doesn't exist in Qt 5, use private add_overflow
+ predecessor API instead
+
+Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c
+Reviewed-by: Allan Sandfeld Jensen <allan.jen...@qt.io>
+(cherry picked from commit ee5da1f2eaf8932aeca02ffea6e4c618585e29e3)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_...@qt-project.org>
+(cherry picked from commit debeb8878da2dc706ead04b6072ecbe7e5313860)
+Reviewed-by: Thiago Macieira <thiago.macie...@intel.com>
+Reviewed-by: Marc Mutz <marc.m...@qt.io>
+(cherry picked from commit 811b9eef6d08d929af8708adbf2a5effb0eb62d7)
+(cherry picked from commit f931facd077ce945f1e42eaa3bead208822d3e00)
+(cherry picked from commit 9ef4ca5ecfed771dab890856130e93ef5ceabef5)
+Reviewed-by: MÃ¥rten Nordheim <marten.nordh...@qt.io>
+---
+
+Index:
qtbase-opensource-src-5.15.8+dfsg/src/network/access/http2/hpacktable.cpp
+===================================================================
+---
qtbase-opensource-src-5.15.8+dfsg.orig/src/network/access/http2/hpacktable.cpp
2024-04-24 16:08:28.259865332 +0200
++++ qtbase-opensource-src-5.15.8+dfsg/src/network/access/http2/hpacktable.cpp
2024-04-24 16:09:16.163853040 +0200
+@@ -40,6 +40,7 @@
+ #include "hpacktable_p.h"
+
+ #include <QtCore/qdebug.h>
++#include <QtCore/private/qnumeric_p.h>
+
+ #include <algorithm>
+ #include <cstddef>
+@@ -62,8 +63,10 @@
+ // for counting the number of references to the name and value would have
+ // 32 octets of overhead."
+
+- const unsigned sum = unsigned(name.size() + value.size());
+- if (std::numeric_limits<unsigned>::max() - 32 < sum)
++ size_t sum;
++ if (add_overflow(size_t(name.size()), size_t(value.size()), &sum))
++ return HeaderSize();
++ if (sum > (std::numeric_limits<unsigned>::max() - 32))
+ return HeaderSize();
+ return HeaderSize(true, quint32(sum + 32));
+ }
diff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff
qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff
--- qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff
1970-01-01 01:00:00.000000000 +0100
+++ qtbase-opensource-src-5.15.8+dfsg/debian/patches/CVE-2024-25580.diff
2024-04-28 20:48:02.000000000 +0200
@@ -0,0 +1,197 @@
+diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp
+index 0d98e97453..6a79e55109 100644
+--- a/src/gui/util/qktxhandler.cpp
++++ b/src/gui/util/qktxhandler.cpp
+@@ -73,7 +73,7 @@ struct KTXHeader {
+ quint32 bytesOfKeyValueData;
+ };
+
+-static const quint32 headerSize = sizeof(KTXHeader);
++static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader);
+
+ // Currently unused, declared for future reference
+ struct KTXKeyValuePairItem {
+@@ -103,11 +103,36 @@ struct KTXMipmapLevel {
+ */
+ };
+
+-bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block)
++static bool qAddOverflow(quint32 v1, quint32 v2, quint32 *r) {
++ // unsigned additions are well-defined
++ *r = v1 + v2;
++ return v1 > quint32(v1 + v2);
++}
++
++// Returns the nearest multiple of 4 greater than or equal to 'value'
++static bool nearestMultipleOf4(quint32 value, quint32 *result)
++{
++ constexpr quint32 rounding = 4;
++ *result = 0;
++ if (qAddOverflow(value, rounding - 1, result))
++ return true;
++ *result &= ~(rounding - 1);
++ return false;
++}
++
++// Returns a slice with prechecked bounds
++static QByteArray safeSlice(const QByteArray& array, quint32 start, quint32
length)
+ {
+- Q_UNUSED(suffix)
++ quint32 end = 0;
++ if (qAddOverflow(start, length, &end) || end > quint32(array.length()))
++ return {};
++ return QByteArray(array.data() + start, length);
++}
+
+- return (qstrncmp(block.constData(), ktxIdentifier, KTX_IDENTIFIER_LENGTH)
== 0);
++bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block)
++{
++ Q_UNUSED(suffix);
++ return block.startsWith(QByteArray::fromRawData(ktxIdentifier,
KTX_IDENTIFIER_LENGTH));
+ }
+
+ QTextureFileData QKtxHandler::read()
+@@ -115,42 +140,97 @@ QTextureFileData QKtxHandler::read()
+ if (!device())
+ return QTextureFileData();
+
+- QByteArray buf = device()->readAll();
+- const quint32 dataSize = quint32(buf.size());
+- if (dataSize < headerSize || !canRead(QByteArray(), buf)) {
+- qCDebug(lcQtGuiTextureIO, "Invalid KTX file %s",
logName().constData());
++ const QByteArray buf = device()->readAll();
++ if (size_t(buf.size()) > std::numeric_limits<quint32>::max()) {
++ qWarning(lcQtGuiTextureIO, "Too big KTX file %s",
logName().constData());
++ return QTextureFileData();
++ }
++
++ if (!canRead(QByteArray(), buf)) {
++ qWarning(lcQtGuiTextureIO, "Invalid KTX file %s",
logName().constData());
++ return QTextureFileData();
++ }
++
++ if (buf.size() < qsizetype(qktxh_headerSize)) {
++ qWarning(lcQtGuiTextureIO, "Invalid KTX header size in %s",
logName().constData());
+ return QTextureFileData();
+ }
+
+- const KTXHeader *header = reinterpret_cast<const KTXHeader
*>(buf.constData());
+- if (!checkHeader(*header)) {
+- qCDebug(lcQtGuiTextureIO, "Unsupported KTX file format in %s",
logName().constData());
++ KTXHeader header;
++ memcpy(&header, buf.data(), qktxh_headerSize);
++ if (!checkHeader(header)) {
++ qWarning(lcQtGuiTextureIO, "Unsupported KTX file format in %s",
logName().constData());
+ return QTextureFileData();
+ }
+
+ QTextureFileData texData;
+ texData.setData(buf);
+
+- texData.setSize(QSize(decode(header->pixelWidth),
decode(header->pixelHeight)));
+- texData.setGLFormat(decode(header->glFormat));
+- texData.setGLInternalFormat(decode(header->glInternalFormat));
+- texData.setGLBaseInternalFormat(decode(header->glBaseInternalFormat));
+-
+- texData.setNumLevels(decode(header->numberOfMipmapLevels));
+- quint32 offset = headerSize + decode(header->bytesOfKeyValueData);
+- const int maxLevels = qMin(texData.numLevels(), 32); // Cap
iterations in case of corrupt file.
+- for (int i = 0; i < maxLevels; i++) {
+- if (offset + sizeof(KTXMipmapLevel) > dataSize) //
Corrupt file; avoid oob read
+- break;
+- const KTXMipmapLevel *level = reinterpret_cast<const KTXMipmapLevel
*>(buf.constData() + offset);
+- quint32 levelLen = decode(level->imageSize);
+- texData.setDataOffset(offset + sizeof(KTXMipmapLevel::imageSize), i);
+- texData.setDataLength(levelLen, i);
+- offset += sizeof(KTXMipmapLevel::imageSize) + levelLen + (3 -
((levelLen + 3) % 4));
++ texData.setSize(QSize(decode(header.pixelWidth),
decode(header.pixelHeight)));
++ texData.setGLFormat(decode(header.glFormat));
++ texData.setGLInternalFormat(decode(header.glInternalFormat));
++ texData.setGLBaseInternalFormat(decode(header.glBaseInternalFormat));
++
++ texData.setNumLevels(decode(header.numberOfMipmapLevels));
++
++ const quint32 bytesOfKeyValueData = decode(header.bytesOfKeyValueData);
++ quint32 headerKeyValueSize;
++ if (qAddOverflow(qktxh_headerSize, bytesOfKeyValueData,
&headerKeyValueSize)) {
++ qWarning(lcQtGuiTextureIO, "Overflow in size of key value data in
header of KTX file %s",
++ logName().constData());
++ return QTextureFileData();
++ }
++
++ if (headerKeyValueSize >= quint32(buf.size())) {
++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s",
logName().constData());
++ return QTextureFileData();
++ }
++
++ // Technically, any number of levels is allowed but if the value is
bigger than
++ // what is possible in KTX V2 (and what makes sense) we return an error.
++ // maxLevels = log2(max(width, height, depth))
++ const int maxLevels = (sizeof(quint32) * 8)
++ - qCountLeadingZeroBits(std::max(
++ { header.pixelWidth, header.pixelHeight,
header.pixelDepth }));
++
++ if (texData.numLevels() > maxLevels) {
++ qWarning(lcQtGuiTextureIO, "Too many levels in KTX file %s",
logName().constData());
++ return QTextureFileData();
++ }
++
++ quint32 offset = headerKeyValueSize;
++ for (int level = 0; level < texData.numLevels(); level++) {
++ const auto imageSizeSlice = safeSlice(buf, offset, sizeof(quint32));
++ if (imageSizeSlice.isEmpty()) {
++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s",
logName().constData());
++ return QTextureFileData();
++ }
++
++ const quint32 imageSize =
decode(qFromUnaligned<quint32>(imageSizeSlice.data()));
++ offset += sizeof(quint32); // overflow checked indirectly above
++
++ texData.setDataOffset(offset, level);
++ texData.setDataLength(imageSize, level);
++
++ // Add image data and padding to offset
++ quint32 padded = 0;
++ if (nearestMultipleOf4(imageSize, &padded)) {
++ qWarning(lcQtGuiTextureIO, "Overflow in KTX file %s",
logName().constData());
++ return QTextureFileData();
++ }
++
++ quint32 offsetNext;
++ if (qAddOverflow(offset, padded, &offsetNext)) {
++ qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s",
logName().constData());
++ return QTextureFileData();
++ }
++
++ offset = offsetNext;
+ }
+
+ if (!texData.isValid()) {
+- qCDebug(lcQtGuiTextureIO, "Invalid values in header of KTX file %s",
logName().constData());
++ qWarning(lcQtGuiTextureIO, "Invalid values in header of KTX file %s",
++ logName().constData());
+ return QTextureFileData();
+ }
+
+@@ -191,7 +271,7 @@ bool QKtxHandler::checkHeader(const KTXHeader &header)
+ (decode(header.numberOfFaces) == 1));
+ }
+
+-quint32 QKtxHandler::decode(quint32 val)
++quint32 QKtxHandler::decode(quint32 val) const
+ {
+ return inverseEndian ? qbswap<quint32>(val) : val;
+ }
+diff --git a/src/gui/util/qktxhandler_p.h b/src/gui/util/qktxhandler_p.h
+index f831e59d95..cdf1b2eaf8 100644
+--- a/src/gui/util/qktxhandler_p.h
++++ b/src/gui/util/qktxhandler_p.h
+@@ -68,7 +68,7 @@ public:
+
+ private:
+ bool checkHeader(const KTXHeader &header);
+- quint32 decode(quint32 val);
++ quint32 decode(quint32 val) const;
+
+ bool inverseEndian = false;
+ };
diff -Nru qtbase-opensource-src-5.15.8+dfsg/debian/patches/series
qtbase-opensource-src-5.15.8+dfsg/debian/patches/series
--- qtbase-opensource-src-5.15.8+dfsg/debian/patches/series 2024-04-07
11:45:51.000000000 +0200
+++ qtbase-opensource-src-5.15.8+dfsg/debian/patches/series 2024-04-28
20:48:02.000000000 +0200
@@ -24,6 +24,9 @@
CVE-2023-37369.diff
CVE-2023-38197.diff
+CVE-2023-51714.diff
+CVE-2024-25580.diff
+
# Debian specific.
gnukfreebsd.diff
no_htmlinfo_example.diff
--- End Message ---
