Hello community,

here is the log from the commit of package libqt5-qtbase for openSUSE:Factory checked in at 2025-06-10 08:59:26
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libqt5-qtbase (Old)
 and /work/SRC/openSUSE:Factory/.libqt5-qtbase.new.19631 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libqt5-qtbase" Tue Jun 10 08:59:26 2025 rev:159 rq:1283610 version:5.15.17+kde122 Changes: -------- --- /work/SRC/openSUSE:Factory/libqt5-qtbase/libqt5-qtbase.changes 2025-05-30 17:22:28.008122948 +0200 +++ /work/SRC/openSUSE:Factory/.libqt5-qtbase.new.19631/libqt5-qtbase.changes 2025-06-10 08:59:50.701907736 +0200 @@ -1,0 +2,6 @@ +Fri Jun 6 10:57:45 UTC 2025 - Christophe Marin <christo...@krop.fr> + +- Add patch (CVE-2025-5455, boo#1243958) + * CVE-2025-5455.patch + +------------------------------------------------------------------- New: ---- CVE-2025-5455.patch BETA DEBUG BEGIN: New:- Add patch (CVE-2025-5455, boo#1243958) * CVE-2025-5455.patch BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libqt5-qtbase.spec ++++++ --- /var/tmp/diff_new_pack.PP5Ozi/_old 2025-06-10 08:59:52.137966994 +0200 +++ /var/tmp/diff_new_pack.PP5Ozi/_new 2025-06-10 08:59:52.137966994 +0200 @@ -63,6 +63,7 @@ Patch21: 0001-Don-t-white-list-recent-Mesa-versions-for-multithrea.patch Patch24: fix-fixqt4headers.patch # patches 1000-2000 and above from upstream 5.15 branch # +Patch1000: CVE-2025-5455.patch # patches 2000-3000 and above from upstream qt6/dev branch # # Not accepted yet, https://codereview.qt-project.org/c/qt/qtbase/+/255384 Patch2001: 0002-Synthesize-Enter-LeaveEvent-for-accepted-QTabletEven.patch ++++++ CVE-2025-5455.patch ++++++ An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. This has been assigned the CVE id CVE-2025-5455. https://www.qt.io/blog/security-advisory-recently-discovered-issue-in-qdecodedataurl-in-qtcore-impacts-qt -- diff --git a/src/corelib/io/qdataurl.cpp b/src/corelib/io/qdataurl.cpp index f14d399301f..83e59e3ac00 100644 --- a/src/corelib/io/qdataurl.cpp +++ b/src/corelib/io/qdataurl.cpp 
@@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray } if (data.toLower().startsWith("charset")) { - int i = 7; // strlen("charset") - while (data.at(i) == ' ') - ++i; - if (data.at(i) == '=') + int prefixSize = 7; // strlen("charset") + QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize); + while (copy.startsWith(QLatin1String(" "))) + copy = copy.mid(1); + if (copy.startsWith(QLatin1String("="))) data.prepend("text/plain;"); }
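Review bot: In libqt5-qtbase.spec, `Patch1000: CVE-2025-5455.patch` is filed under the "patches 1000-2000 and above from upstream 5.15 branch" comment, but the header of CVE-2025-5455.patch names only the Qt advisory URL and no upstream change or commit. Add the upstream reference to the patch header (or to the .changes entry) so the patch can be matched against the 5.15 branch and dropped once a snapshot that contains the fix is packaged.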
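Review bot: In the `charset` branch of qDecodeDataUrl() in src/corelib/io/qdataurl.cpp, the bounds safety of `QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize)` rests on the preceding `startsWith("charset")` check guaranteeing at least 7 bytes and on a hand-counted `prefixSize = 7`; derive the length from the literal itself so the check and the offset cannot drift apart. The patch as shown also touches only qdataurl.cpp: add regression cases for a media type that is exactly `charset` and for `charset` followed only by spaces, the inputs where the removed `data.at(i)` loop indexed at or past `data.size()`.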