Script 'mail_helper' called by obssrc
Hello community,

here is the log from the commit of package qt6-base for openSUSE:Factory checked in at 2024-01-04 15:58:14
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/qt6-base (Old)
 and /work/SRC/openSUSE:Factory/.qt6-base.new.28375 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qt6-base" Thu Jan 4 15:58:14 2024 rev:49 rq:1136540 version:6.6.1 Changes: -------- --- /work/SRC/openSUSE:Factory/qt6-base/qt6-base.changes 2024-01-03 12:25:39.652952385 +0100 +++ /work/SRC/openSUSE:Factory/.qt6-base.new.28375/qt6-base.changes 2024-01-04 16:00:31.355368605 +0100 @@ -1,0 +2,11 @@ +Wed Jan 3 08:52:06 UTC 2024 - Antonio Larrosa <alarr...@suse.com> + +- Add upstream patches to fix an incorrect integer overflow check + (boo#1218413, CVE-2023-51714): + * 0001-HPack-fix-a-Yoda-Condition.patch + * 0002-HPack-fix-incorrect-integer-overflow-check.patch +- Add upstream patch to fix a potential overflow in + assemble_hpack_block(): + * 0001-Http2-fix-potential-overflow-in-assemble_hpack_block.patch + +------------------------------------------------------------------- New: ---- 0001-HPack-fix-a-Yoda-Condition.patch 0001-Http2-fix-potential-overflow-in-assemble_hpack_block.patch 0002-HPack-fix-incorrect-integer-overflow-check.patch BETA DEBUG BEGIN: New: (boo#1218413, CVE-2023-51714): * 0001-HPack-fix-a-Yoda-Condition.patch * 0002-HPack-fix-incorrect-integer-overflow-check.patch New: assemble_hpack_block(): * 0001-Http2-fix-potential-overflow-in-assemble_hpack_block.patch New: * 0001-HPack-fix-a-Yoda-Condition.patch * 0002-HPack-fix-incorrect-integer-overflow-check.patch - Add upstream patch to fix a potential overflow in BETA DEBUG END: ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qt6-base.spec ++++++ --- /var/tmp/diff_new_pack.oIwgsA/_old 2024-01-04 16:00:32.107396077 +0100 +++ /var/tmp/diff_new_pack.oIwgsA/_new 2024-01-04 16:00:32.107396077 +0100 @@ -1,7 +1,7 @@ # # spec file # -# Copyright (c) 2023 SUSE LLC +# Copyright (c) 2024 SUSE LLC # # All modifications and additions to the file contributed by third parties # remain the property of their copyright owners, unless otherwise agreed 
@@ -41,6 +41,9 @@ # Patches 0-100 are upstream patches # Patch0: 0001-QMimeDatabase-handle-buggy-type-definitions.patch Patch1: 0001-QMimeDatabase-collect-glob-patterns-from.patch +Patch2: 0001-HPack-fix-a-Yoda-Condition.patch +Patch3: 0002-HPack-fix-incorrect-integer-overflow-check.patch +Patch4: 0001-Http2-fix-potential-overflow-in-assemble_hpack_block.patch # Patches 100-200 are openSUSE and/or non-upstream(able) patches # Patch100: 0001-Tell-the-truth-about-private-API.patch # No need to pollute the library dir with object files, install them in the qt6 subfolder ++++++ 0001-HPack-fix-a-Yoda-Condition.patch ++++++ >From 658607a34ead214fbacbc2cca44915655c318ea9 Mon Sep 17 00:00:00 2001 From: Marc Mutz <marc.m...@qt.io> Date: Tue, 12 Dec 2023 20:51:56 +0100 Subject: [PATCH] HPack: fix a Yoda Condition Putting the variable on the LHS of a relational operation makes the expression easier to read. In this case, we find that the whole expression is nonsensical as an overflow protection, because if name.size() + value.size() overflows, the result will exactly _not_ be > max() - 32, because UB will have happened. To be fixed in a follow-up commit. As a drive-by, add parentheses around the RHS. Pick-to: 6.7 6.6 6.5 6.2 5.15 Change-Id: I35ce598884c37c51b74756b3bd2734b9aad63c09 Reviewed-by: Allan Sandfeld Jensen <allan.jen...@qt.io> --- src/network/access/http2/hpacktable.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp index 74a09a207ffb..c8c5d098c80a 100644 --- a/src/network/access/http2/hpacktable.cpp +++ b/src/network/access/http2/hpacktable.cpp 
@@ -27,7 +27,7 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value) // 32 octets of overhead." const unsigned sum = unsigned(name.size() + value.size()); - if (std::numeric_limits<unsigned>::max() - 32 < sum) + if (sum > (std::numeric_limits<unsigned>::max() - 32)) return HeaderSize(); return HeaderSize(true, quint32(sum + 32)); } -- 2.16.3 ++++++ 0001-Http2-fix-potential-overflow-in-assemble_hpack_block.patch ++++++ >From 8907dedc858cc344d770a2e826d6acc516429540 Mon Sep 17 00:00:00 2001 From: Marc Mutz <marc.m...@qt.io> Date: Tue, 19 Dec 2023 14:22:37 +0100 Subject: [PATCH] Http2: fix potential overflow in assemble_hpack_block() MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The function is given a vector of Http2::Frame's and flattens it into a vector<uchar>. While each Frame can contain a maximum of 16GiB of data (24-bit size field), one "only" needs 257 of them to overflow the quint32 variable's range. So make sure any overflow does not go undetected. Keep the limited uint32_t range for now, as we don't know whether all consumers of the result can deal with more than 4GiB of data. Since all these frames must be in memory, this cannot overflow in practice on 32-bit machines. Pick-to: 6.7 6.6 6.5 6.2 5.15 Change-Id: Iafaa7d1c870cba9100e75065db11d95934f86213 Reviewed-by: Mårten Nordheim <marten.nordh...@qt.io> (cherry picked from commit 1e6bb61af3ae29755f93b92f157df026f934ae61) * asturmlechner 2024-01-02: Use correct include for 5.15 --- src/network/access/qhttp2protocolhandler.cpp | 8 ++++++-- 1 file changed, 6 insertions(+), 2 deletions(-) diff --git a/src/network/access/qhttp2protocolhandler.cpp b/src/network/access/qhttp2protocolhandler.cpp index 39dd460881a..ead88d781ae 100644 --- a/src/network/access/qhttp2protocolhandler.cpp +++ b/src/network/access/qhttp2protocolhandler.cpp
@@ -10,10 +10,12 @@ #include <private/qnoncontiguousbytedevice_p.h> #include <QtNetwork/qabstractsocket.h> + #include <QtCore/qloggingcategory.h> #include <QtCore/qendian.h> #include <QtCore/qdebug.h> #include <QtCore/qlist.h> +#include <QtCore/private/qnumeric_p.h> #include <QtCore/qurl.h> #include <qhttp2configuration.h> @@ -90,8 +92,10 @@ std::vector<uchar> assemble_hpack_block(const std::vector<Http2::Frame> &frames) std::vector<uchar> hpackBlock; quint32 total = 0; - for (const auto &frame : frames) - total += frame.hpackBlockSize(); + for (const auto &frame : frames) { + if (add_overflow(total, frame.hpackBlockSize(), &total)) + return hpackBlock; + } if (!total) return hpackBlock; -- GitLab ++++++ 0002-HPack-fix-incorrect-integer-overflow-check.patch ++++++ >From ee5da1f2eaf8932aeca02ffea6e4c618585e29e3 Mon Sep 17 00:00:00 2001 From: Marc Mutz <marc.m...@qt.io> Date: Tue, 12 Dec 2023 22:08:07 +0100 Subject: [PATCH] HPack: fix incorrect integer overflow check This code never worked: For the comparison with max() - 32 to trigger, on 32-bit platforms (or Qt 5) signed integer overflow would have had to happen in the addition of the two sizes. The compiler can therefore remove the overflow check as dead code. On Qt 6 and 64-bit platforms, the signed integer addition would be very unlikely to overflow, but the following truncation to uint32 would yield the correct result only in a narrow 32-value window just below UINT_MAX, if even that. Fix by using the proper tool, qAddOverflow. Pick-to: 6.7 6.6 6.5 6.2 5.15 Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c Reviewed-by: Allan Sandfeld Jensen <allan.jen...@qt.io> --- src/network/access/http2/hpacktable.cpp | 4 +++- 1 file changed, 3 insertions(+), 1 deletion(-) diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp index c8c5d098c80a..2c728b37e3b5 100644 --- a/src/network/access/http2/hpacktable.cpp +++ b/src/network/access/http2/hpacktable.cpp
@@ -26,7 +26,9 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value) // for counting the number of references to the name and value would have // 32 octets of overhead." - const unsigned sum = unsigned(name.size() + value.size()); + size_t sum; + if (qAddOverflow(size_t(name.size()), size_t(value.size()), &sum)) + return HeaderSize(); if (sum > (std::numeric_limits<unsigned>::max() - 32)) return HeaderSize(); return HeaderSize(true, quint32(sum + 32)); -- 2.16.3
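
Review bot: in the entry_size() hunk of 0001-HPack-fix-a-Yoda-Condition.patch, the unchanged context line `const unsigned sum = unsigned(name.size() + value.size());` still performs the addition before the rewritten `if (sum > (std::numeric_limits<unsigned>::max() - 32))` is evaluated, so the check remains ineffective as overflow protection, as the commit message itself says. Treat this patch as readability-only and never ship or backport it without 0002-HPack-fix-incorrect-integer-overflow-check.patch. The blob ids line up (this patch produces c8c5d098c80a, which 0002 takes as its base), and the spec lists them as Patch2 then Patch3, so the order in the package is right.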
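
Review bot: the include hunk of 0001-Http2-fix-potential-overflow-in-assemble_hpack_block.patch (`@@ -10,10 +10,12 @@`) adds a bare `+` blank line after `#include <QtNetwork/qabstractsocket.h>`, a whitespace change unrelated to the fix that should be dropped. The added `#include <QtCore/private/qnumeric_p.h>` carries the header note "Use correct include for 5.15", and the following hunk calls `add_overflow` while the HPack patch in this same submission calls `qAddOverflow`. Please confirm that this include and helper name are the ones the 6.6.1 tree provides.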
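
Review bot: in the assemble_hpack_block() hunk (`@@ -90,8 +92,10 @@`), the new overflow branch `return hpackBlock;` returns the same empty vector as the existing `if (!total) return hpackBlock;` path, so a caller cannot distinguish an oversized header block from an empty one. If collapsing the two is intended, say so in a comment at the `add_overflow` call, or log there, so the rejection is visible when diagnosing a failed request. Separately, the commit message's "16GiB" for a 24-bit size field looks like it should read 16MiB, which is the figure that makes the stated 257 frames enough to exceed the quint32 range.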
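
Review bot: in the entry_size() hunk of 0002-HPack-fix-incorrect-integer-overflow-check.patch, `sum` becomes a `size_t` but the retained bound is still written as `std::numeric_limits<unsigned>::max() - 32`, while the result is narrowed with `quint32(sum + 32)`. Expressing the bound in terms of `quint32` would tie the check to the type actually returned instead of relying on `unsigned` being 32 bits wide. The diffstat shows only hpacktable.cpp changing, so nothing exercises the rejection path that the commit message says never worked; a test for it would be worth adding if one can be built without allocating the data.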