Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtbase-opensource-...@packages.debian.org
Control: affects -1 + src:qtbase-opensource-src
Please unblock package qtbase-opensource-src.

[ Reason ]
One more CVE was published for qtbase, CVE-2023-33285 [1].

[ Impact ]
QDnsLookup has a buffer over-read via a crafted reply from a DNS server.

[ Tests ]
No automated tests are run for this package. But QDnsLookup is covered by tests which are run as part of upstream CI: tests/auto/network/kernel/qdnslookup/tst_qdnslookup.cpp.

[ Risks ]
This change passed the upstream tests, so it should be safe.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
Also I added DEP-3 headers to the patches from the previous upload and renamed them in a consistent way. This will not affect the binary packages in any way.

The reported piuparts regression is in piuparts itself [2].

unblock qtbase-opensource-src/5.15.8+dfsg-11

[1]: https://security-tracker.debian.org/tracker/CVE-2023-33285
[2]: https://salsa.debian.org/debian/piuparts/-/merge_requests/42

-- 
Dmitry Shachnev
--- a/debian/changelog +++ b/debian/changelog @@ -1,3 +1,10 @@ +qtbase-opensource-src (5.15.8+dfsg-11) unstable; urgency=medium + + * Rename the patches for consistency and add DEP-3 headers. + * Add a patch to fix buffer overflow in QDnsLookup (CVE-2023-33285). + + -- Dmitry Shachnev <mity...@debian.org> Thu, 25 May 2023 13:45:05 +0300 + qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium * Add patches to fix CVE-2023-32762 and CVE-2023-32763. --- a/debian/patches/CVE-2023-32762.patch +++ b/debian/patches/CVE-2023-32762.diff @@ -1,6 +1,7 @@ ---- - src/network/access/qhsts.cpp | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) +Description: hsts: match header names case insensitively + Header field names are always considered to be case-insensitive. +Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff +Last-Update: 2023-05-22 --- a/src/network/access/qhsts.cpp +++ b/src/network/access/qhsts.cpp --- a/debian/patches/cve-2023-32763.diff +++ b/debian/patches/CVE-2023-32763.diff @@ -1,7 +1,7 @@ ---- - src/gui/painting/qfixed_p.h | 9 +++++++++ - src/gui/text/qtextlayout.cpp | 9 ++++++--- - 2 files changed, 15 insertions(+), 3 deletions(-) +Description: fix buffer overflow in Qt SVG + Adds qAddOverflow and qMulOverflow definitions to QFixed. +Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff +Last-Update: 2023-05-22 --- a/src/gui/painting/qfixed_p.h +++ b/src/gui/painting/qfixed_p.h --- /dev/null +++ b/debian/patches/CVE-2023-33285.diff 
@@ -0,0 +1,77 @@ +Description: QDnsLookup/Unix: make sure we don't overflow the buffer + The DNS Records are variable length and encode their size in 16 bits + before the Record Data (RDATA). Ensure that both the RDATA and the + Record header fields before it fall inside the buffer we have. + . + Additionally reject any replies containing more than one query records. +Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=7dba2c87619d558a +Last-Update: 2023-05-25 + +--- a/src/network/kernel/qdnslookup_unix.cpp ++++ b/src/network/kernel/qdnslookup_unix.cpp +@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int + // responseLength in case of error, we still can extract the + // exact error code from the response. + HEADER *header = (HEADER*)response; +- const int answerCount = ntohs(header->ancount); + switch (header->rcode) { + case NOERROR: + break; +@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int + return; + } + +- // Skip the query host, type (2 bytes) and class (2 bytes). + char host[PACKETSZ], answer[PACKETSZ]; + unsigned char *p = response + sizeof(HEADER); +- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +- if (status < 0) { ++ int status; ++ ++ if (ntohs(header->qdcount) == 1) { ++ // Skip the query host, type (2 bytes) and class (2 bytes). ++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); ++ if (status < 0) { ++ reply->error = QDnsLookup::InvalidReplyError; ++ reply->errorString = tr("Could not expand domain name"); ++ return; ++ } ++ if ((p - response) + status + 4 >= responseLength) ++ header->qdcount = 0xffff; // invalid reply below ++ else ++ p += status + 4; ++ } ++ if (ntohs(header->qdcount) > 1) { + reply->error = QDnsLookup::InvalidReplyError; +- reply->errorString = tr("Could not expand domain name"); ++ reply->errorString = tr("Invalid reply received"); + return; + } +- p += status + 4; + + // Extract results. 
++ const int answerCount = ntohs(header->ancount); + int answerIndex = 0; + while ((p < response + responseLength) && (answerIndex < answerCount)) { + status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int + const QString name = QUrl::fromAce(host); + + p += status; ++ ++ if ((p - response) + 10 > responseLength) { ++ // probably just a truncated reply, return what we have ++ return; ++ } + const quint16 type = (p[0] << 8) | p[1]; + p += 2; // RR type + p += 2; // RR class +@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int + p += 4; + const quint16 size = (p[0] << 8) | p[1]; + p += 2; ++ if ((p - response) + size > responseLength) ++ return; // truncated + + if (type == QDnsLookup::A) { + if (size != 4) { --- a/debian/patches/series +++ b/debian/patches/series @@ -15,8 +15,9 @@ image_deletion_order.diff qxcbwindow_set_geometry.diff CVE-2023-24607.diff qshapedpixmapwindow_no_tooltip.diff -cve-2023-32763.diff -CVE-2023-32762.patch +CVE-2023-32763.diff +CVE-2023-32762.diff +CVE-2023-33285.diff # Debian specific. gnukfreebsd.diff
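Review bot: in the debian/changelog hunk, "fix buffer overflow in QDnsLookup (CVE-2023-33285)" overstates what the patch does; the request body calls the issue a buffer over-read, and the patch's own Description says the new checks make sure the record header fields and the RDATA "fall inside the buffer we have", i.e. they stop reads past the end of the response. Suggest `* Add a patch to fix out-of-bounds read in QDnsLookup (CVE-2023-33285).` so the changelog matches the advisory wording and the patch header.

Review bot: in the CVE-2023-32763.diff header hunk, the first Description line "fix buffer overflow in Qt SVG" does not say what this qtbase patch actually changes; the files touched are src/gui/painting/qfixed_p.h and src/gui/text/qtextlayout.cpp, and the second line already explains that it adds qAddOverflow and qMulOverflow to QFixed. A first line along the lines of "add overflow-checked arithmetic to QFixed for text layout (qtbase part of the CVE-2023-32763 fix)" would tell a reader of the series file why an SVG CVE is patched here.

Review bot: in the new CVE-2023-33285.diff, the two truncation exits in the answer loop, `++ // probably just a truncated reply, return what we have` / `++ return;` after the 10-byte header check and `++ return; // truncated` after the `(p - response) + size > responseLength` check, leave reply->error unset, so a reply whose rdlength points past the end of the buffer is reported to the caller as a successful lookup with fewer records, whereas the same class of problem in the question section is reported as QDnsLookup::InvalidReplyError with "Invalid reply received". At least the rdlength case is malformed rather than merely short (the 16-bit size claims more data than the response contains), so setting InvalidReplyError there would let callers tell a bad reply from an empty one. Two smaller points in the same hunk: the question-section check uses `>=` (`++ if ((p - response) + status + 4 >= responseLength)`) while the record checks use `>`, so a reply that ends exactly after the question section is rejected as invalid rather than treated as having no answers; if that is intended, a comment would help, otherwise `>` is the consistent choice. And signalling the error by writing `header->qdcount = 0xffff;` into the response buffer so that the following `if (ntohs(header->qdcount) > 1)` branch fires is harder to follow than returning InvalidReplyError directly at that point with the same errorString; the DEP-3 Description's "reject any replies containing more than one query records" is also the place to mention that a zero qdcount is accepted and parsing then starts right after the header.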