Your message dated Tue, 01 Jul 2025 18:55:06 +0000
with message-id <[email protected]>
and subject line unblock qt6-base
has caused the Debian Bug report #1108624,
regarding unblock: qt6-base/6.8.2+dfsg-8
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1108624: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108624
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], [email protected]
Control: affects -1 + src:qt6-base
User: [email protected]
Usertags: unblock
Dear Release Team,
please unblock package qt6-base.
[ Reason ]
This upload backports a patch fixing CVE-2025-5455.
[ Impact ]
If malformed data is sent and a specific function in the Qt API is used,
it would result in a denial of service.
[ Tests ]
No manual tests were conducted, but the patch is directly from upstream Qt
where it's been part of the 6.8.4 release and has therefore gone through
the normal QA.
[ Risks ]
I deem the risks to be low. The patch is taken directly from upstream and
has been part of the 6.8.4 release.
The patch in itself is rather simple, just a couple of lines.
[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing
unblock qt6-base/6.8.2+dfsg-8
Thank you.
diff -Nru qt6-base-6.8.2+dfsg/debian/changelog
qt6-base-6.8.2+dfsg/debian/changelog
--- qt6-base-6.8.2+dfsg/debian/changelog 2025-06-20 00:08:21.000000000
+0200
+++ qt6-base-6.8.2+dfsg/debian/changelog 2025-06-29 23:52:49.000000000
+0200
@@ -1,3 +1,10 @@
+qt6-base (6.8.2+dfsg-8) unstable; urgency=medium
+
+ [ Patrick Franz ]
+ * Backport patch to fix CVE-2025-5455 (Closes: #1108474).
+
+ -- Patrick Franz <[email protected]> Sun, 29 Jun 2025 23:52:49 +0200
+
qt6-base (6.8.2+dfsg-7) unstable; urgency=medium
[ Patrick Franz ]
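Review bot: the changelog entry names the CVE and closes #1108474 but does not say what the issue is, so the security tracker and anyone reading `apt changelog` get no hint that this is the qDecodeDataUrl() out-of-bounds read on crafted data: URLs; a few words after the CVE id (e.g. "out-of-bounds read in qDecodeDataUrl()") and a note that the patch is the upstream 6.8 fix would make the entry self-explanatory.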
diff -Nru qt6-base-6.8.2+dfsg/debian/patches/series
qt6-base-6.8.2+dfsg/debian/patches/series
--- qt6-base-6.8.2+dfsg/debian/patches/series 2025-06-20 00:08:03.000000000
+0200
+++ qt6-base-6.8.2+dfsg/debian/patches/series 2025-06-29 23:47:49.000000000
+0200
@@ -7,6 +7,7 @@
# fixed in 6.8.4
upstream_cve-2025-3512_fix_heap_buffer_overflow.diff
+upstream_cve-2025-5455_fix_data_assertion_error.diff
# fixed in 6.8.3
upstream_unset_current_openglcontext.diff
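Review bot: the new entry sits under the `# fixed in 6.8.4` comment, which matches the request's statement that the fix shipped in 6.8.4, so the placement is consistent. The filename `fix_data_assertion_error` describes the debug-build symptom rather than the actual defect (a precondition violation and possible read past size() in qDecodeDataUrl()); naming the patch after the upstream title would make its purpose clearer in the series file.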
diff -Nru
qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff
qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff
---
qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff
1970-01-01 01:00:00.000000000 +0100
+++
qt6-base-6.8.2+dfsg/debian/patches/upstream_cve-2025-5455_fix_data_assertion_error.diff
2025-06-29 23:50:17.000000000 +0200
@@ -0,0 +1,28 @@
+Description: qDecodeDataUrl(): fix precondition violation in call to
QByteArrayView::at()
+ It is a precondition violation to call QByteArrayView::at() with
+ size() as argument. The code used that, though, as an implicit
+ end-of-string check, assuming == ' ' and == '=' would both fail for
+ null bytes. Besides, QByteArrays (but most certainly QByteArrayViews)
+ need not be null-terminated, so this could read even past size().
+ .
+ To fix, use higher-level API (startsWith()), consuming parsed tokens
+ along the way.
+Origin: upstream,
https://download.qt.io/official_releases/qt/6.8/CVE-2025-5455-qtbase-6.8.patch
+Last-Update: 2025-06-29
+
+--- a/src/corelib/io/qdataurl.cpp
++++ b/src/corelib/io/qdataurl.cpp
+@@ -47,10 +47,10 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString
&mimeType, QByteArray
+ QLatin1StringView textPlain;
+ constexpr auto charset = "charset"_L1;
+ if (QLatin1StringView{data}.startsWith(charset, Qt::CaseInsensitive))
{
+- qsizetype i = charset.size();
+- while (data.at(i) == ' ')
+- ++i;
+- if (data.at(i) == '=')
++ QByteArrayView copy = data.sliced(charset.size());
++ while (copy.startsWith(' '))
++ copy.slice(1);
++ if (copy.startsWith('='))
+ textPlain = "text/plain;"_L1;
+ }
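Review bot: the DEP-3 header carries `Origin:` and `Last-Update:` but no `Bug-Debian:` line for #1108474 (the bug the changelog closes), so the patch file itself does not record which Debian bug it addresses; adding `Bug-Debian: https://bugs.debian.org/1108474` keeps the provenance self-contained. The code change reads correctly: `copy.startsWith(' ')` and `copy.startsWith('=')` both return false on an empty view, so the whitespace loop stops at the end of the data instead of calling `at(size())`, and the initial `data.sliced(charset.size())` is only reached after the `startsWith(charset)` check guarantees at least `charset.size()` bytes are present. Since this is the upstream 6.8-branch patch, the in-place `QByteArrayView::slice()` it relies on is expected to be available in 6.8.2, but a build log confirming it compiles against the testing version would be worth citing in the request.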
--- End Message ---
--- Begin Message ---
Unblocked qt6-base.
--- End Message ---