commit:     44d3661b4981baaa12699edc40dfe06858f911f7
Author:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Sat May 20 17:59:01 2023 +0000
Commit:     Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Sat May 20 18:02:35 2023 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=44d3661b

dev-qt/qtnetwork: QDnsLookup: make sure we don't overflow the buffer

Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>

 ....15.9-QDnsLookup-dont-overflow-the-buffer.patch | 103 +++++++++++++++++++++
 dev-qt/qtnetwork/qtnetwork-5.15.9-r1.ebuild        |  76 +++++++++++++++
 2 files changed, 179 insertions(+)

diff --git 
a/dev-qt/qtnetwork/files/qtnetwork-5.15.9-QDnsLookup-dont-overflow-the-buffer.patch
 
b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-QDnsLookup-dont-overflow-the-buffer.patch
new file mode 100644
index 000000000000..433dc678ad2d
--- /dev/null
+++ 
b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-QDnsLookup-dont-overflow-the-buffer.patch
@@ -0,0 +1,103 @@
+From 2103f2487f709dd9546c503820d9ad509e9a63b3 Mon Sep 17 00:00:00 2001
+From: Thiago Macieira <thiago.macie...@intel.com>
+Date: Thu, 11 May 2023 21:40:15 -0700
+Subject: [PATCH] QDnsLookup/Unix: make sure we don't overflow the buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The DNS Records are variable length and encode their size in 16 bits
+before the Record Data (RDATA). Ensure that both the RDATA and the
+Record header fields before it fall inside the buffer we have.
+
+Additionally reject any replies containing more than one query records.
+
+[ChangeLog][QtNetwork][QDnsLookup] Fixed a bug that could cause a buffer
+overflow in Unix systems while parsing corrupt, malicious, or truncated
+replies.
+
+Pick-to: 5.15 6.2 6.5 6.5.1
+Change-Id: I3e3bfef633af4130a03afffd175e4b9547654b95
+Reviewed-by: MÃ¥rten Nordheim <marten.nordh...@qt.io>
+Reviewed-by: Jani Heikkinen <jani.heikki...@qt.io>
+(cherry picked from commit 7dba2c87619d558a61a30eb30cc1d9c3fe6df94c)
+
+* asturmlechner 2023-05-18: Resolve conflict with dev branch commit
+  68b625901f9eb7c34e3d7aa302e1c0a454d3190b
+---
+ src/network/kernel/qdnslookup_unix.cpp | 31 +++++++++++++++++++++-----
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/src/network/kernel/qdnslookup_unix.cpp 
b/src/network/kernel/qdnslookup_unix.cpp
+index 12b40fc35dd..99e999d436c 100644
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, 
const QByteArray &requestN
+     // responseLength in case of error, we still can extract the
+     // exact error code from the response.
+     HEADER *header = (HEADER*)response;
+-    const int answerCount = ntohs(header->ancount);
+     switch (header->rcode) {
+     case NOERROR:
+         break;
+@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, 
const QByteArray &requestN
+         return;
+     }
+ 
+-    // Skip the query host, type (2 bytes) and class (2 bytes).
+     char host[PACKETSZ], answer[PACKETSZ];
+     unsigned char *p = response + sizeof(HEADER);
+-    int status = local_dn_expand(response, response + responseLength, p, 
host, sizeof(host));
+-    if (status < 0) {
++    int status;
++
++    if (ntohs(header->qdcount) == 1) {
++        // Skip the query host, type (2 bytes) and class (2 bytes).
++        status = local_dn_expand(response, response + responseLength, p, 
host, sizeof(host));
++        if (status < 0) {
++            reply->error = QDnsLookup::InvalidReplyError;
++            reply->errorString = tr("Could not expand domain name");
++            return;
++        }
++        if ((p - response) + status + 4 >= responseLength)
++            header->qdcount = 0xffff;   // invalid reply below
++        else
++            p += status + 4;
++    }
++    if (ntohs(header->qdcount) > 1) {
+         reply->error = QDnsLookup::InvalidReplyError;
+-        reply->errorString = tr("Could not expand domain name");
++        reply->errorString = tr("Invalid reply received");
+         return;
+     }
+-    p += status + 4;
+ 
+     // Extract results.
++    const int answerCount = ntohs(header->ancount);
+     int answerIndex = 0;
+     while ((p < response + responseLength) && (answerIndex < answerCount)) {
+         status = local_dn_expand(response, response + responseLength, p, 
host, sizeof(host));
+@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, 
const QByteArray &requestN
+         const QString name = QUrl::fromAce(host);
+ 
+         p += status;
++
++        if ((p - response) + 10 > responseLength) {
++            // probably just a truncated reply, return what we have
++            return;
++        }
+         const quint16 type = (p[0] << 8) | p[1];
+         p += 2; // RR type
+         p += 2; // RR class
+@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, 
const QByteArray &requestN
+         p += 4;
+         const quint16 size = (p[0] << 8) | p[1];
+         p += 2;
++        if ((p - response) + size > responseLength)
++            return;             // truncated
+ 
+         if (type == QDnsLookup::A) {
+             if (size != 4) {
+-- 
+GitLab
+
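Review bot: The bound `(p - response) + status + 4 >= responseLength` in the new `qdcount == 1` branch also rejects a reply whose question section ends exactly at the end of the buffer, i.e. a NOERROR reply with ancount 0 and no authority or additional records, since the offset after the question then equals responseLength; if such replies are meant to be accepted rather than reported as InvalidReplyError, the comparison should be `>` (the later `+ 10` and `+ size` checks already guard every subsequent read). Setting `header->qdcount = 0xffff` to flag the invalid case rewrites the response buffer in place to carry control flow into the following `if`; a local `bool questionValid` tested there would express the same thing without mutating the packet. The two truncation checks `return` without setting reply->error, so a reply cut off inside an RR header or its RDATA looks to the caller like a complete reply with fewer answers; if that is the intended contract, a comment on the first check such as `// Truncated RR: report the records parsed so far as a successful, partial reply` would make it explicit. QDnsLookupRunnable::query begins and ends outside the hunk.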

diff --git a/dev-qt/qtnetwork/qtnetwork-5.15.9-r1.ebuild 
b/dev-qt/qtnetwork/qtnetwork-5.15.9-r1.ebuild
new file mode 100644
index 000000000000..0566a4dd3c02
--- /dev/null
+++ b/dev-qt/qtnetwork/qtnetwork-5.15.9-r1.ebuild
@@ -0,0 +1,76 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+if [[ ${PV} != *9999* ]]; then
+       QT5_KDEPATCHSET_REV=1
+       KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc 
~x86"
+fi
+
+QT5_MODULE="qtbase"
+inherit qt5-build
+
+DESCRIPTION="Network abstraction library for the Qt5 framework"
+
+IUSE="connman gssapi libproxy networkmanager sctp +ssl"
+
+DEPEND="
+       =dev-qt/qtcore-${QT5_PV}*:5=
+       sys-libs/zlib:=
+       connman? ( =dev-qt/qtdbus-${QT5_PV}* )
+       gssapi? ( virtual/krb5 )
+       libproxy? ( net-libs/libproxy )
+       networkmanager? ( =dev-qt/qtdbus-${QT5_PV}* )
+       sctp? ( kernel_linux? ( net-misc/lksctp-tools ) )
+       ssl? ( >=dev-libs/openssl-1.1.1:0= )
+"
+RDEPEND="${DEPEND}
+       connman? ( net-misc/connman )
+       networkmanager? ( net-misc/networkmanager )
+"
+
+PATCHES=( "${FILESDIR}/${P}-QDnsLookup-dont-overflow-the-buffer.patch" )
+
+QT5_TARGET_SUBDIRS=(
+       src/network
+       src/plugins/bearer/generic
+)
+
+QT5_GENTOO_CONFIG=(
+       libproxy:libproxy:
+       ssl::SSL
+       ssl::OPENSSL
+       ssl:openssl-linked:LINKED_OPENSSL
+)
+
+QT5_GENTOO_PRIVATE_CONFIG=(
+       :network
+)
+
+pkg_setup() {
+       use connman && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/connman)
+       use networkmanager && 
QT5_TARGET_SUBDIRS+=(src/plugins/bearer/networkmanager)
+}
+
+src_configure() {
+       local myconf=(
+               $(usev connman -dbus-linked)
+               $(qt_use gssapi feature-gssapi)
+               $(qt_use libproxy)
+               $(usev networkmanager -dbus-linked)
+               $(qt_use sctp)
+               $(usev ssl -openssl-linked)
+       )
+       qt5-build_src_configure
+}
+
+src_install() {
+       qt5-build_src_install
+
+       # workaround for bug 652650
+       if use ssl; then
+               sed -e "/^#define QT_LINKED_OPENSSL/s/$/ true/" \
+                       -i "${D}${QT5_HEADERDIR}"/Gentoo/${PN}-qconfig.h || die
+       fi
+}
