Your message dated Wed, 31 May 2023 22:09:27 +0200
with message-id <[email protected]>
and subject line Re: Bug#1036867: unblock: qt6-base/6.4.2+dfsg-10
has caused the Debian Bug report #1036867,
regarding unblock: qt6-base/6.4.2+dfsg-10
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1036867: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036867
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: [email protected]
Usertags: unblock
X-Debbugs-Cc: [email protected],[email protected]
Please unblock package qt6-base
[ Reason ]
Fixes CVE-2023-33285 that prevents a buffer overflow.
[ Impact ]
Lack of security fixes.
[ Tests ]
Tested by upstream, does not break API/ABI, seems safe.
[ Risks ]
None that I can think of.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock qt6-base/6.4.2+dfsg-10
diffstat for qt6-base-6.4.2+dfsg qt6-base-6.4.2+dfsg
changelog | 7 ++++
patches/cve-2023-33285.diff | 70 ++++++++++++++++++++++++++++++++++++++++++++
patches/series | 3 +
3 files changed, 79 insertions(+), 1 deletion(-)
diff -Nru qt6-base-6.4.2+dfsg/debian/changelog
qt6-base-6.4.2+dfsg/debian/changelog
--- qt6-base-6.4.2+dfsg/debian/changelog 2023-05-22 16:40:45.000000000
+0200
+++ qt6-base-6.4.2+dfsg/debian/changelog 2023-05-28 10:41:24.000000000
+0200
@@ -1,3 +1,10 @@
+qt6-base (6.4.2+dfsg-10) unstable; urgency=medium
+
+ [ Patrick Franz ]
+ * Add patch to fix CVE-2023-33285 (Closes: #1036848).
+
+ -- Patrick Franz <[email protected]> Sun, 28 May 2023 10:41:24 +0200
+
qt6-base (6.4.2+dfsg-9) unstable; urgency=medium
* Team upload.
diff -Nru qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff
qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff
--- qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff 1970-01-01
01:00:00.000000000 +0100
+++ qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff 2023-05-28
10:40:55.000000000 +0200
@@ -0,0 +1,70 @@
+diff --git a/src/network/kernel/qdnslookup_unix.cpp
b/src/network/kernel/qdnslookup_unix.cpp
+index 75f7c6c440..de0113494f 100644
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType,
const QByteArray &requestN
+ // responseLength in case of error, we still can extract the
+ // exact error code from the response.
+ HEADER *header = (HEADER*)response;
+- const int answerCount = ntohs(header->ancount);
+ switch (header->rcode) {
+ case NOERROR:
+ break;
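Review bot: The new file debian/patches/cve-2023-33285.diff opens directly with the `diff --git` line and carries no DEP-3 header, so nothing in the package records where the patch comes from. Add Description, Origin (the upstream commit) and Bug-Debian fields above the diff; the changelog entry already gives #1036848 for the last of these.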
+@@ -226,18 +225,31 @@ void QDnsLookupRunnable::query(const int requestType,
const QByteArray &requestN
+ return;
+ }
+
+- // Skip the query host, type (2 bytes) and class (2 bytes).
+ char host[PACKETSZ], answer[PACKETSZ];
+ unsigned char *p = response + sizeof(HEADER);
+- int status = local_dn_expand(response, response + responseLength, p,
host, sizeof(host));
+- if (status < 0) {
++ int status;
++
++ if (ntohs(header->qdcount) == 1) {
++ // Skip the query host, type (2 bytes) and class (2 bytes).
++ status = local_dn_expand(response, response + responseLength, p,
host, sizeof(host));
++ if (status < 0) {
++ reply->error = QDnsLookup::InvalidReplyError;
++ reply->errorString = tr("Could not expand domain name");
++ return;
++ }
++ if ((p - response) + status + 4 >= responseLength)
++ header->qdcount = 0xffff; // invalid reply below
++ else
++ p += status + 4;
++ }
++ if (ntohs(header->qdcount) > 1) {
+ reply->error = QDnsLookup::InvalidReplyError;
+- reply->errorString = tr("Could not expand domain name");
++ reply->errorString = tr("Invalid reply received");
+ return;
+ }
+- p += status + 4;
+
+ // Extract results.
++ const int answerCount = ntohs(header->ancount);
+ int answerIndex = 0;
+ while ((p < response + responseLength) && (answerIndex < answerCount)) {
+ status = local_dn_expand(response, response + responseLength, p,
host, sizeof(host));
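Review bot: In the `qdcount == 1` branch, the check `(p - response) + status + 4 >= responseLength` uses `>=`, so a reply that ends exactly after the question section is flagged through `header->qdcount = 0xffff` and then rejected as "Invalid reply received", although the `while ((p < response + responseLength) && ...)` loop below would cope with it by not iterating. If that is intended, a comment should say so; if not, `>` is the comparison that rejects only a question running past the buffer. Separately, overwriting a field of the response buffer to act as a sentinel is hard to follow; a local flag, or setting the error and returning at that point, would express the same thing without mutating the packet.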
+@@ -249,6 +261,11 @@ void QDnsLookupRunnable::query(const int requestType,
const QByteArray &requestN
+ const QString name = QUrl::fromAce(host);
+
+ p += status;
++
++ if ((p - response) + 10 > responseLength) {
++ // probably just a truncated reply, return what we have
++ return;
++ }
+ const quint16 type = (p[0] << 8) | p[1];
+ p += 2; // RR type
+ p += 2; // RR class
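Review bot: The constant in `(p - response) + 10 > responseLength` is unexplained. It appears to cover the fixed part of the record that the following lines consume (type 2, class 2, then the 4 bytes and the 2-byte size visible in the next hunk), so state that in the comment or use a named constant, which keeps the check in step with the `p +=` lines if they ever change.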
+@@ -256,6 +273,8 @@ void QDnsLookupRunnable::query(const int requestType,
const QByteArray &requestN
+ p += 4;
+ const quint16 size = (p[0] << 8) | p[1];
+ p += 2;
++ if ((p - response) + size > responseLength)
++ return; // truncated
+
+ if (type == QDnsLookup::A) {
+ if (size != 4) {
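Review bot: `return; // truncated` exits without setting reply->error, as does the 10-byte check in the previous hunk, so the caller cannot tell a complete answer set from one cut short, and gets nothing at all with no error if the first record is the truncated one. Consider setting QDnsLookup::InvalidReplyError when no record has been extracted yet, or document that returning partial results is deliberate. The check would also read more consistently with braces, like the one added above it.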
diff -Nru qt6-base-6.4.2+dfsg/debian/patches/series
qt6-base-6.4.2+dfsg/debian/patches/series
--- qt6-base-6.4.2+dfsg/debian/patches/series 2023-05-22 16:37:22.000000000
+0200
+++ qt6-base-6.4.2+dfsg/debian/patches/series 2023-05-28 10:22:01.000000000
+0200
@@ -1,6 +1,7 @@
-# fixed in 6.5
+# fixed in 6.5.1
cve-2023-32762.diff
cve-2023-32763.diff
+cve-2023-33285.diff
upstream_Add-HPPA-detection.patch
upstream_Add-M68k-detection.patch
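Review bot: Changing the comment to `# fixed in 6.5.1` also relabels cve-2023-32762.diff and cve-2023-32763.diff, which sat under `# fixed in 6.5` before. If those two are fixed in 6.5 and only cve-2023-33285.diff in 6.5.1, give the new patch its own comment line so that each patch can be dropped at the right upstream version.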
--- End Message ---
--- Begin Message ---
Hi,
On 28-05-2023 10:58, Patrick Franz wrote:
> unblock qt6-base/6.4.2+dfsg-10
Unblocked, thanks.
Paul
--- End Message ---