[packages/qt5-qtbase] upstream fix for CVE-2023-33285; rel 4
atler
atler at pld-linux.org
Thu Jun 1 17:08:49 CEST 2023
commit 2b4adf7a4b1d8eaf8b3919af5e7f6bd9640dbeff
Author: Jan Palus <atler at pld-linux.org>
Date: Thu Jun 1 17:07:00 2023 +0200
upstream fix for CVE-2023-33285; rel 4
as advised in:
https://lists.qt-project.org/pipermail/announce/2023-June/000417.html
CVE-2023-33285-qtbase-5.15.diff | 68 +++++++++++++++++++++++++++++++++++++++++
qt5-qtbase.spec | 4 ++-
2 files changed, 71 insertions(+), 1 deletion(-)
---
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index be7b7df..153ac22 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -71,7 +71,7 @@ Summary: Qt5 - base components
Summary(pl.UTF-8): Biblioteka Qt5 - podstawowe komponenty
Name: qt5-%{orgname}
Version: 5.15.9
-Release: 3
+Release: 4
License: LGPL v3 or GPL v2 or GPL v3 or commercial
Group: X11/Libraries
Source0: https://download.qt.io/official_releases/qt/5.15/%{version}/submodules/%{orgname}-everywhere-opensource-src-%{version}.tar.xz
@@ -83,6 +83,7 @@ Patch1: parallel-install.patch
Patch2: egl-x11.patch
Patch3: CVE-2023-32763-qtbase-5.15.diff
Patch4: CVE-2023-32762-qtbase-5.15.diff
+Patch5: CVE-2023-33285-qtbase-5.15.diff
URL: https://www.qt.io/
%{?with_directfb:BuildRequires: DirectFB-devel}
BuildRequires: EGL-devel
@@ -1180,6 +1181,7 @@ Generator plików makefile dla aplikacji Qt5.
%patch2 -p1
%patch3 -p1
%patch4 -p1
+%patch5 -p1
%{__sed} -i -e 's,usr/X11R6/,usr/,g' mkspecs/linux-g++-64/qmake.conf
diff --git a/CVE-2023-33285-qtbase-5.15.diff b/CVE-2023-33285-qtbase-5.15.diff
new file mode 100644
index 0000000..ec33777
--- /dev/null
+++ b/CVE-2023-33285-qtbase-5.15.diff
@@ -0,0 +1,68 @@
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ // responseLength in case of error, we still can extract the
+ // exact error code from the response.
+ HEADER *header = (HEADER*)response;
+- const int answerCount = ntohs(header->ancount);
+ switch (header->rcode) {
+ case NOERROR:
+ break;
+@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ return;
+ }
+
+- // Skip the query host, type (2 bytes) and class (2 bytes).
+ char host[PACKETSZ], answer[PACKETSZ];
+ unsigned char *p = response + sizeof(HEADER);
+- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+- if (status < 0) {
++ int status;
++
++ if (ntohs(header->qdcount) == 1) {
++ // Skip the query host, type (2 bytes) and class (2 bytes).
++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
++ if (status < 0) {
++ reply->error = QDnsLookup::InvalidReplyError;
++ reply->errorString = tr("Could not expand domain name");
++ return;
++ }
++ if ((p - response) + status + 4 >= responseLength)
++ header->qdcount = 0xffff; // invalid reply below
++ else
++ p += status + 4;
++ }
++ if (ntohs(header->qdcount) > 1) {
+ reply->error = QDnsLookup::InvalidReplyError;
+- reply->errorString = tr("Could not expand domain name");
++ reply->errorString = tr("Invalid reply received");
+ return;
+ }
+- p += status + 4;
+
+ // Extract results.
++ const int answerCount = ntohs(header->ancount);
+ int answerIndex = 0;
+ while ((p < response + responseLength) && (answerIndex < answerCount)) {
+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ const QString name = QUrl::fromAce(host);
+
+ p += status;
++
++ if ((p - response) + 10 > responseLength) {
++ // probably just a truncated reply, return what we have
++ return;
++ }
+ const quint16 type = (p[0] << 8) | p[1];
+ p += 2; // RR type
+ p += 2; // RR class
+@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ p += 4;
+ const quint16 size = (p[0] << 8) | p[1];
+ p += 2;
++ if ((p - response) + size > responseLength)
++ return; // truncated
+
+ if (type == QDnsLookup::A) {
+ if (size != 4) {
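Review bot: The two length checks added in the answer loop, `if ((p - response) + 10 > responseLength)` and `if ((p - response) + size > responseLength)`, leave through a bare `return` without touching `reply->error`, so a reply cut off mid-record is handed back the same way as a complete one, carrying only the records parsed before the cut. Whether callers see that as a successful lookup depends on how `reply->error` is initialised, which is outside the hunk. If partial results are intended, a comment such as `// reply->error is left unchanged: the caller receives the records parsed so far` would say so. The constant 10 is also unexplained; `// type (2) + class (2) + TTL (4) + RDLENGTH (2)` would tie it to the field reads that follow. This file is a vendored upstream patch, so any code change belongs upstream rather than in the package, and `QDnsLookupRunnable::query` starts and ends outside the quoted context.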
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/qt5-qtbase.git/commitdiff/2b4adf7a4b1d8eaf8b3919af5e7f6bd9640dbeff