commit f20d311cca4dfca1e551b06286edb3e95183a070 Author: Jan Palus <at...@pld-linux.org> Date: Sun May 26 11:05:02 2024 +0200
up to 5.15.14 CVE-2023-32762-qtbase-5.15.diff | 13 -------- CVE-2023-33285-qtbase-5.15.diff | 68 ----------------------------------------- qt5-qtbase.spec | 10 ++---- 3 files changed, 3 insertions(+), 88 deletions(-) --- diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec index b3b1fd8..9f34fa1 100644 --- a/qt5-qtbase.spec +++ b/qt5-qtbase.spec @@ -70,20 +70,18 @@ Summary: Qt5 - base components Summary(pl.UTF-8): Biblioteka Qt5 - podstawowe komponenty Name: qt5-%{orgname} -Version: 5.15.13 +Version: 5.15.14 Release: 1 License: LGPL v3 or GPL v2 or GPL v3 or commercial Group: X11/Libraries Source0: https://download.qt.io/official_releases/qt/5.15/%{version}/submodules/%{orgname}-everywhere-opensource-src-%{version}.tar.xz -# Source0-md5: 119446a119bea7640314067775f27802 +# Source0-md5: 2e207979cea96dac37bdd784db31b51b Source1: https://download.qt.io/official_releases/qt/5.15/%{version}/submodules/qttranslations-everywhere-opensource-src-%{version}.tar.xz -# Source1-md5: a7fe34c317fbba74a9f97c36679fec47 +# Source1-md5: 6f4f2fdf3466f8bc97a074258f124c13 Patch0: %{name}-system_cacerts.patch Patch1: parallel-install.patch Patch2: egl-x11.patch Patch3: CVE-2023-32763-qtbase-5.15.diff -Patch4: CVE-2023-32762-qtbase-5.15.diff -Patch5: CVE-2023-33285-qtbase-5.15.diff Patch6: CVE-2023-34410-qtbase-5.15.diff Patch7: CVE-2023-37369-qtbase-5.15.diff Patch8: CVE-2023-38197-qtbase-5.15.diff @@ -1185,8 +1183,6 @@ Generator plików makefile dla aplikacji Qt5. %patch1 -p1 %patch2 -p1 %patch3 -p1 -%patch4 -p1 -%patch5 -p1 %patch6 -p1 %patch7 -p1 %patch8 -p1 diff --git a/CVE-2023-32762-qtbase-5.15.diff b/CVE-2023-32762-qtbase-5.15.diff deleted file mode 100644 index f0bc00f..0000000 --- a/CVE-2023-32762-qtbase-5.15.diff +++ /dev/null @@ -1,13 +0,0 @@ ---- a/src/network/access/qhsts.cpp -+++ b/src/network/access/qhsts.cpp -@@ -364,8 +364,8 @@ quoted-pair = "\" CHAR - bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers) - { - for (const auto &h : headers) { -- // We use '==' since header name was already 'trimmed' for us: -- if (h.first == "Strict-Transport-Security") { -+ // We compare directly because header name was already 'trimmed' for us: -+ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) { - header = h.second; - // RFC6797, 8.1: - // diff --git a/CVE-2023-33285-qtbase-5.15.diff b/CVE-2023-33285-qtbase-5.15.diff deleted file mode 100644 index ec33777..0000000 --- a/CVE-2023-33285-qtbase-5.15.diff +++ /dev/null @@ -1,68 +0,0 @@ ---- a/src/network/kernel/qdnslookup_unix.cpp -+++ b/src/network/kernel/qdnslookup_unix.cpp -@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN - // responseLength in case of error, we still can extract the - // exact error code from the response. - HEADER *header = (HEADER*)response; -- const int answerCount = ntohs(header->ancount); - switch (header->rcode) { - case NOERROR: - break; -@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN - return; - } - -- // Skip the query host, type (2 bytes) and class (2 bytes). - char host[PACKETSZ], answer[PACKETSZ]; - unsigned char *p = response + sizeof(HEADER); -- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); -- if (status < 0) { -+ int status; -+ -+ if (ntohs(header->qdcount) == 1) { -+ // Skip the query host, type (2 bytes) and class (2 bytes). -+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); -+ if (status < 0) { -+ reply->error = QDnsLookup::InvalidReplyError; -+ reply->errorString = tr("Could not expand domain name"); -+ return; -+ } -+ if ((p - response) + status + 4 >= responseLength) -+ header->qdcount = 0xffff; // invalid reply below -+ else -+ p += status + 4; -+ } -+ if (ntohs(header->qdcount) > 1) { - reply->error = QDnsLookup::InvalidReplyError; -- reply->errorString = tr("Could not expand domain name"); -+ reply->errorString = tr("Invalid reply received"); - return; - } -- p += status + 4; - - // Extract results. -+ const int answerCount = ntohs(header->ancount); - int answerIndex = 0; - while ((p < response + responseLength) && (answerIndex < answerCount)) { - status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); -@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN - const QString name = QUrl::fromAce(host); - - p += status; -+ -+ if ((p - response) + 10 > responseLength) { -+ // probably just a truncated reply, return what we have -+ return; -+ } - const quint16 type = (p[0] << 8) | p[1]; - p += 2; // RR type - p += 2; // RR class -@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN - p += 4; - const quint16 size = (p[0] << 8) | p[1]; - p += 2; -+ if ((p - response) + size > responseLength) -+ return; // truncated - - if (type == QDnsLookup::A) { - if (size != 4) { ================================================================ ---- gitweb: http://git.pld-linux.org/gitweb.cgi/packages/qt5-qtbase.git/commitdiff/f20d311cca4dfca1e551b06286edb3e95183a070 _______________________________________________ pld-cvs-commit mailing list pld-cvs-commit@lists.pld-linux.org http://lists.pld-linux.org/mailman/listinfo/pld-cvs-commit