Hi! I'm now attaching the debdiff patch.
-- Lisandro Damián Nicanor Pérez Meyer http://perezmeyer.com.ar/ http://perezmeyer.blogspot.com/
diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/changelog qtbase-opensource-src-5.11.3+dfsg1/debian/changelog --- qtbase-opensource-src-5.11.3+dfsg1/debian/changelog 2020-01-30 10:42:01.000000000 -0300 +++ qtbase-opensource-src-5.11.3+dfsg1/debian/changelog 2020-09-14 09:15:20.000000000 -0300 @@ -1,3 +1,15 @@ +qtbase-opensource-src (5.11.3+dfsg1-1+deb10u4) buster; urgency=medium + + [ Dmitry Shachnev ] + * Backport upstream patch to fix buffer overflow in XBM parser + (CVE-2020-17507, closes: #968444). + + [ Lisandro Damián Nicanor Pérez Meyer ] + * Backport XCB_Fix_clipboard_breaking_when_timer_wraps_after_50_days.patch + (Closes: #961293). Thanks Nicolás for pointing us to the bug fix. + + -- Lisandro Damián Nicanor Pérez Meyer <[email protected]> Mon, 14 Sep 2020 09:15:20 -0300 + qtbase-opensource-src (5.11.3+dfsg1-1+deb10u3) buster-security; urgency=high [ Dmitry Shachnev ] diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-17507.diff qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-17507.diff --- qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-17507.diff 1969-12-31 21:00:00.000000000 -0300 +++ qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-17507.diff 2020-09-04 18:08:50.000000000 -0300 @@ -0,0 +1,21 @@ +Description: fix buffer overflow in XBM parser +Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=1616c71921b73b22 +Last-Update: 2020-08-18 + +--- + src/gui/image/qxbmhandler.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/src/gui/image/qxbmhandler.cpp ++++ b/src/gui/image/qxbmhandler.cpp +@@ -154,7 +154,9 @@ static bool read_xbm_body(QIODevice *dev + w = (w+7)/8; // byte width + + while (y < h) { // for all encoded bytes... +- if (p) { // p = "0x.." ++ if (p && p < (buf + readBytes - 3)) { // p = "0x.." ++ if (!isxdigit(p[2]) || !isxdigit(p[3])) ++ return false; + *b++ = hex2byte(p+2); + p += 2; + if (++x == w && ++y < h) { diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series --- qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series 2020-01-30 10:42:01.000000000 -0300 +++ qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series 2020-09-04 18:08:50.000000000 -0300 @@ -10,6 +10,8 @@ repolish_run_on_direct_children.diff CVE-2020-0569.diff CVE-2020-0570.diff +XCB_Fix_clipboard_breaking_when_timer_wraps_after_50_days.patch +CVE-2020-17507.diff # Debian specific. gnukfreebsd.diff diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/patches/XCB_Fix_clipboard_breaking_when_timer_wraps_after_50_days.patch qtbase-opensource-src-5.11.3+dfsg1/debian/patches/XCB_Fix_clipboard_breaking_when_timer_wraps_after_50_days.patch --- qtbase-opensource-src-5.11.3+dfsg1/debian/patches/XCB_Fix_clipboard_breaking_when_timer_wraps_after_50_days.patch 1969-12-31 21:00:00.000000000 -0300 +++ qtbase-opensource-src-5.11.3+dfsg1/debian/patches/XCB_Fix_clipboard_breaking_when_timer_wraps_after_50_days.patch 2020-09-04 18:08:50.000000000 -0300 @@ -0,0 +1,47 @@ +From 036fe49580d7470eeaa4c168845bdf2483946f22 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?Luk=C3=A1=C5=A1=20Turek?= <[email protected]> +Date: Fri, 22 Feb 2019 19:26:37 +0100 +Subject: [PATCH] XCB: Fix clipboard breaking when timer wraps after 50 days +Reviewed-By: Lisandro Damián Nicanor Pérez Meyer <[email protected]> +Bug-Debian: #961293 + +xcb_timestamp_t is a 32-bit unsigned value in milliseconds, so it +wraps after 49.7 days. When it happens, QXcbConnection::m_time stops +updating and copy & paste in an application would not work until the +application is restarted. This patch detects the timer wrap and +allows m_time to wrap too. The fix was verified in KDE desktop with +applications running for 51 days. + +Fixes: QTBUG-65145 +Change-Id: I328c4179c1b1f71914adda6f9a0ca3991a7e808e +Reviewed-by: Uli Schlachter <[email protected]> +Reviewed-by: Milian Wolff <[email protected]> +Reviewed-by: Gatis Paeglis <[email protected]> +--- + src/plugins/platforms/xcb/qxcbconnection.h | 6 ++++-- + 1 file changed, 4 insertions(+), 2 deletions(-) + +--- a/src/plugins/platforms/xcb/qxcbconnection.h ++++ b/src/plugins/platforms/xcb/qxcbconnection.h +@@ -470,10 +470,10 @@ public: + PeekOptions option = PeekDefault, qint32 peekerId = -1); + + inline xcb_timestamp_t time() const { return m_time; } +- inline void setTime(xcb_timestamp_t t) { if (t > m_time) m_time = t; } ++ inline void setTime(xcb_timestamp_t t) { if (timeGreaterThan(t, m_time)) m_time = t; } + + inline xcb_timestamp_t netWmUserTime() const { return m_netWmUserTime; } +- inline void setNetWmUserTime(xcb_timestamp_t t) { if (t > m_netWmUserTime) m_netWmUserTime = t; } ++ inline void setNetWmUserTime(xcb_timestamp_t t) { if (timeGreaterThan(t, m_netWmUserTime)) m_netWmUserTime = t; } + + bool hasXFixes() const { return has_xfixes; } + bool hasXShape() const { return has_shape_extension; } +@@ -581,6 +581,8 @@ private: + void destroyScreen(QXcbScreen *screen); + void initializeScreens(); + bool compressEvent(xcb_generic_event_t *event, int currentIndex, QXcbEventArray *eventqueue) const; ++ inline bool timeGreaterThan(xcb_timestamp_t a, xcb_timestamp_t b) const ++ { return static_cast<int32_t>(a - b) > 0 || b == XCB_CURRENT_TIME; } + + bool m_xi2Enabled = false; + #if QT_CONFIG(xinput2)
