Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:qt6-base
User: [email protected]
Usertags: unblock
Dear Release Team,

please unblock package qt6-base.

[ Reason ]
This upload backports a patch fixing CVE-2025-5455.

[ Impact ]
If malformed data is sent and a specific function in the Qt API is used, it would result in a denial of service.

[ Tests ]
No manual tests were conducted, but the patch is directly from upstream Qt where it's been part of the 6.8.4 release and has therefore gone through the normal QA.

[ Risks ]
I deem the risks to be low. The patch is taken directly from upstream and has been part of the 6.8.4 release. The patch in itself is rather simple, just a couple of lines.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

unblock qt6-base/6.8.2+dfsg-8

Thank you.
diff -Nru qt6-base-6.8.2+dfsg/debian/changelog qt6-base-6.8.2+dfsg/debian/changelog --- qt6-base-6.8.2+dfsg/debian/changelog 2025-06-20 00:08:21.000000000 +0200 +++ qt6-base-6.8.2+dfsg/debian/changelog 2025-06-29 23:52:49.000000000 +0200 @@ -1,3 +1,10 @@ +qt6-base (6.8.2+dfsg-8) unstable; urgency=medium + + [ Patrick Franz ] + * Backport patch to fix CVE-2025-5455 (Closes: #1108474). + + -- Patrick Franz <[email protected]> Sun, 29 Jun 2025 23:52:49 +0200 + qt6-base (6.8.2+dfsg-7) unstable; urgency=medium [ Patrick Franz ] diff -Nru qt6-base-6.8.2+dfsg/debian/patches/series qt6-base-6.8.2+dfsg/debian/patches/series --- qt6-base-6.8.2+dfsg/debian/patches/series 2025-06-20 00:08:03.000000000 +0200 +++ qt6-base-6.8.2+dfsg/debian/patches/series 2025-06-29 23:47:49.000000000 +0200 @@ -7,6 +7,7 @@ # fixed in 6.8.4 upstream_cve-2025-3512_fix_heap_buffer_overflow.diff +upstream_cve-2025-5455_fix_data_assertion_error.diff # fixed in 6.8.3 upstream_unset_current_openglcontext.diff diff -Nru qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff --- qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff 1970-01-01 01:00:00.000000000 +0100 +++ qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff 2025-06-29 23:50:17.000000000 +0200 
@@ -0,0 +1,28 @@ +Description: qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at() + It is a precondition violation to call QByteArrayView::at() with + size() as argument. The code used that, though, as an implicit + end-of-string check, assuming == ' ' and == '=' would both fail for + null bytes. Besides, QByteArrays (but most certainly QByteArrayViews) + need not be null-terminated, so this could read even past size(). + . + To fix, use higher-level API (startsWith()), consuming parsed tokens + along the way. +Origin: upstream, https://download.qt.io/official_releases/qt/6.8/CVE-2025-5455-qtbase-6.8.patch +Last-Update: 2025-06-29 + +--- a/src/corelib/io/qdataurl.cpp ++++ b/src/corelib/io/qdataurl.cpp +@@ -47,10 +47,10 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray + QLatin1StringView textPlain; + constexpr auto charset = "charset"_L1; + if (QLatin1StringView{data}.startsWith(charset, Qt::CaseInsensitive)) { +- qsizetype i = charset.size(); +- while (data.at(i) == ' ') +- ++i; +- if (data.at(i) == '=') ++ QByteArrayView copy = data.sliced(charset.size()); ++ while (copy.startsWith(' ')) ++ copy.slice(1); ++ if (copy.startsWith('=')) + textPlain = "text/plain;"_L1; + }
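Review bot: The DEP-3 header of the new upstream_cve-2025-5455_fix_data_assertion_error.diff carries Description, Origin and Last-Update but no Bug-Debian field, although d/changelog closes #1108474; add `Bug-Debian: https://bugs.debian.org/1108474` so the patch file documents what it fixes on its own. The replacement in the qdataurl.cpp hunk is logically sound: QByteArrayView::startsWith() returns false on an empty view, so the end-of-input case that the old `data.at(i)` indexed at size() now simply falls through to the next statement, and `copy.slice(1)` inside the loop consumes exactly one byte per iteration and only while a leading space is actually present. Two caveats worth recording in the header or the changelog: QByteArrayView::slice() was introduced in Qt 6.8, so this form of the fix applies to the 6.8 branch in testing but would need adjusting for any older Qt branch, and since [ Tests ] reports no manual testing, a small regression test in tst_qdataurl exercising the end-of-string path the Description mentions would be cheap insurance.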

