[packages/qt6] upstream fix for CVE-2023-51714; rel 3

atler atler at pld-linux.org
Tue Jan 2 23:19:44 CET 2024


commit c1d249e81a07211fcbbf73ddd7a08bce3db279c5
Author: Jan Palus <atler at pld-linux.org>
Date:   Tue Jan 2 23:19:11 2024 +0100

    upstream fix for CVE-2023-51714; rel 3
    
    as advised in:
    https://lists.qt-project.org/pipermail/announce/2024-January/000465.html

 CVE-2023-51714.patch | 80 ++++++++++++++++++++++++++++++++++++++++++++++++++++
 qt6.spec             |  6 ++--
 2 files changed, 84 insertions(+), 2 deletions(-)
---
diff --git a/qt6.spec b/qt6.spec
index c4b5e0e..53d4f28 100644
--- a/qt6.spec
+++ b/qt6.spec
@@ -109,7 +109,7 @@ Summary:	Qt6 Library
 Summary(pl.UTF-8):	Biblioteka Qt6
 Name:		qt6
 Version:	6.6.1
-Release:	2
+Release:	3
 License:	LGPL v3 or GPL v2 or GPL v3 or commercial
 Group:		X11/Libraries
 Source0:	https://download.qt.io/official_releases/qt/6.6/%{version}/single/qt-everywhere-src-%{version}.tar.xz
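Review bot: The Release bump from 2 to 3 with Version left at 6.6.1 is the correct way to ship a patch-only security rebuild; nothing to change in this hunk.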
@@ -121,6 +121,7 @@ Patch3:		no-implicit-sse2.patch
 Patch4:		x32.patch
 Patch5:		qtwebengine-cmake-build-type.patch
 Patch6:		libxml2.12.patch
+Patch7:		CVE-2023-51714.patch
 URL:		https://www.qt.io/
 %{?with_directfb:BuildRequires:	DirectFB-devel}
 BuildRequires:	EGL-devel
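Review bot: Patch7 lacks a comment recording where it came from and when it can be dropped; the other patches are self-describing by name, but a CVE backport is not. Suggest adding `# https://lists.qt-project.org/pipermail/announce/2024-January/000465.html` on the line above `Patch7:` so the next maintainer can tell at a glance that the patch is superseded once an upstream release containing the two qtbase commits (13c16b756900fe524f6d9534e8a07aa003c05e0c and 811b9eef6d08d929af8708adbf2a5effb0eb62d7) is packaged.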
@@ -2054,7 +2055,7 @@ Requires:	Qt6Core = %{version}
 Qt6 Protobuf library provides integration with Protocol Buffers.
 
 %description -n Qt6Protobuf -l pl.UTF-8
-Biblioteka Qt6 Protobuf dostarcza integrację z Protocol Buffers. 
+Biblioteka Qt6 Protobuf dostarcza integrację z Protocol Buffers.
 
 %package -n Qt6Protobuf-devel
 Summary:	Qt6 Protobuf library - development files
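Review bot: This hunk only strips trailing whitespace from the Polish Qt6Protobuf description and has nothing to do with CVE-2023-51714; it is harmless, but a security backport is easier to review and to cherry-pick onto other branches when it carries no unrelated cleanups, so consider committing whitespace fixes separately.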
@@ -3645,6 +3646,7 @@ narzędzia.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1 -d qtwebengine
+%patch7 -p1 -d qtbase
 
 %{__sed} -i -e 's,usr/X11R6/,usr/,g' qtbase/mkspecs/linux-g++-64/qmake.conf
 
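Review bot: `%patch7 -p1 -d qtbase` is consistent with the patch content: its paths are `src/network/access/http2/hpacktable.cpp`, which in the qt-everywhere-src tarball sit under `qtbase/`, and the `-d` usage mirrors the existing `%patch6 -p1 -d qtwebengine`. Since the patch file concatenates two commits that touch the same lines, `patch` must apply them in file order; a failed first hunk will make the second fail too, so any future rebase should regenerate both together rather than editing one.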
diff --git a/CVE-2023-51714.patch b/CVE-2023-51714.patch
new file mode 100644
index 0000000..c6c5a3d
--- /dev/null
+++ b/CVE-2023-51714.patch
@@ -0,0 +1,80 @@
+From 13c16b756900fe524f6d9534e8a07aa003c05e0c Mon Sep 17 00:00:00 2001
+From: Marc Mutz <marc.mutz at qt.io>
+Date: Tue, 12 Dec 2023 20:51:56 +0100
+Subject: [PATCH] HPack: fix a Yoda Condition
+
+Putting the variable on the LHS of a relational operation makes the
+expression easier to read. In this case, we find that the whole
+expression is nonsensical as an overflow protection, because if
+name.size() + value.size() overflows, the result will exactly _not_
+be > max() - 32, because UB will have happened.
+
+To be fixed in a follow-up commit.
+
+As a drive-by, add parentheses around the RHS.
+
+Pick-to: 6.5 6.2 5.15
+Change-Id: I35ce598884c37c51b74756b3bd2734b9aad63c09
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen at qt.io>
+(cherry picked from commit 658607a34ead214fbacbc2cca44915655c318ea9)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot at qt-project.org>
+(cherry picked from commit 4f7efd41740107f90960116700e3134f5e433867)
+---
+
+diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
+index 74a09a2..c8c5d09 100644
+--- a/src/network/access/http2/hpacktable.cpp
++++ b/src/network/access/http2/hpacktable.cpp
+@@ -27,7 +27,7 @@
+     // 32 octets of overhead."
+ 
+     const unsigned sum = unsigned(name.size() + value.size());
+-    if (std::numeric_limits<unsigned>::max() - 32 < sum)
++    if (sum > (std::numeric_limits<unsigned>::max() - 32))
+         return HeaderSize();
+     return HeaderSize(true, quint32(sum + 32));
+ }
+From 811b9eef6d08d929af8708adbf2a5effb0eb62d7 Mon Sep 17 00:00:00 2001
+From: Marc Mutz <marc.mutz at qt.io>
+Date: Tue, 12 Dec 2023 22:08:07 +0100
+Subject: [PATCH] HPack: fix incorrect integer overflow check
+
+This code never worked:
+
+For the comparison with max() - 32 to trigger, on 32-bit platforms (or
+Qt 5) signed interger overflow would have had to happen in the
+addition of the two sizes. The compiler can therefore remove the
+overflow check as dead code.
+
+On Qt 6 and 64-bit platforms, the signed integer addition would be
+very unlikely to overflow, but the following truncation to uint32
+would yield the correct result only in a narrow 32-value window just
+below UINT_MAX, if even that.
+
+Fix by using the proper tool, qAddOverflow.
+
+Pick-to: 6.5 6.2 5.15
+Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen at qt.io>
+(cherry picked from commit ee5da1f2eaf8932aeca02ffea6e4c618585e29e3)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot at qt-project.org>
+(cherry picked from commit debeb8878da2dc706ead04b6072ecbe7e5313860)
+Reviewed-by: Thiago Macieira <thiago.macieira at intel.com>
+Reviewed-by: Marc Mutz <marc.mutz at qt.io>
+---
+
+diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
+index c8c5d09..2c728b3 100644
+--- a/src/network/access/http2/hpacktable.cpp
++++ b/src/network/access/http2/hpacktable.cpp
+@@ -26,7 +26,9 @@
+     // for counting the number of references to the name and value would have
+     // 32 octets of overhead."
+ 
+-    const unsigned sum = unsigned(name.size() + value.size());
++    size_t sum;
++    if (qAddOverflow(size_t(name.size()), size_t(value.size()), &sum))
++        return HeaderSize();
+     if (sum > (std::numeric_limits<unsigned>::max() - 32))
+         return HeaderSize();
+     return HeaderSize(true, quint32(sum + 32));
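Review bot: The file bundles two upstream commits, and only the second one is the actual fix; the first ("HPack: fix a Yoda Condition") merely rewrites `max() - 32 < sum` as `sum > (max() - 32)` and its own message says the check remains ineffective. That is acceptable because the second commit's hunk is generated against the first's output (index `c8c5d09..2c728b3` matches the first hunk's post-image), so the order must be kept and the first commit cannot be dropped without regenerating the second. On the logic of the fix itself: `qAddOverflow(size_t(name.size()), size_t(value.size()), &sum)` rejects additions that wrap, which closes the undefined-behaviour gap the old `unsigned(name.size() + value.size())` cast had; the retained `sum > (std::numeric_limits<unsigned>::max() - 32)` check is still needed on 64-bit targets, where `size_t` is wider than `unsigned` and the final `quint32(sum + 32)` would otherwise truncate, and after both checks `sum + 32` is at most `UINT_MAX`, so that cast is lossless. Hunk counts are consistent (7 old lines to 9 new), so the missing closing `}` context line after the last `return` is not a defect. One thing worth recording in the spec or commit message: the first commit has no functional effect, so anyone auditing which change addresses the CVE should look at the `qAddOverflow` hunk.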
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/qt6.git/commitdiff/c1d249e81a07211fcbbf73ddd7a08bce3db279c5
