commit 95fe1f82140bf2810ed89b109661e0d83b6bb52f
Author: Jan Palus <[email protected]>
Date:   Mon May 22 12:44:34 2023 +0200

    upstream fix for CVE-2023-32573; rel 2
    
    as advised in:
    https://lists.qt-project.org/pipermail/announce/2023-May/000411.html

 CVE-2023-32573-qtsvg-5.15.diff | 34 ++++++++++++++++++++++++++++++++++
 qt5-qtsvg.spec                 |  4 +++-
 2 files changed, 37 insertions(+), 1 deletion(-)
---
diff --git a/qt5-qtsvg.spec b/qt5-qtsvg.spec
index 5a16810..146abbe 100644
--- a/qt5-qtsvg.spec
+++ b/qt5-qtsvg.spec
@@ -9,11 +9,12 @@ Summary:      The Qt5 Svg library
 Summary(pl.UTF-8):     Biblioteka Qt5 Svg
 Name:          qt5-%{orgname}
 Version:       5.15.9
-Release:       1
+Release:       2
 License:       LGPL v3 or GPL v2 or GPL v3 or comercial
 Group:         X11/Libraries
 Source0:       
https://download.qt.io/official_releases/qt/5.15/%{version}/submodules/%{orgname}-everywhere-opensource-src-%{version}.tar.xz
 # Source0-md5: 5fc7f98d8ba2078446c538a461566d4b
+Patch0:                CVE-2023-32573-qtsvg-5.15.diff
 URL:           https://www.qt.io/
 BuildRequires: Qt5Core-devel >= %{qtbase_ver}
 BuildRequires: Qt5Gui-devel >= %{qtbase_ver}
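Review bot: `Patch0` is added with no record in the spec of where the diff came from, and the new CVE-2023-32573-qtsvg-5.15.diff starts directly at its first `---` line with no header of its own, so the only provenance is this commit message. A comment above the line, such as `# upstream fix for CVE-2023-32573, see https://lists.qt-project.org/pipermail/announce/2023-May/000411.html`, would let a later maintainer check the patch against upstream. It would also show when the patch can be dropped on the next version bump.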
@@ -124,6 +125,7 @@ Przykłady do biblioteki Qt5 Svg.
 
 %prep
 %setup -q -n %{orgname}-everywhere-src-%{version}
+%patch0 -p1
 
 %build
 %{qmake_qt5}
diff --git a/CVE-2023-32573-qtsvg-5.15.diff b/CVE-2023-32573-qtsvg-5.15.diff
new file mode 100644
index 0000000..0554756
--- /dev/null
+++ b/CVE-2023-32573-qtsvg-5.15.diff
@@ -0,0 +1,34 @@
+--- a/src/svg/qsvgfont_p.h
++++ b/src/svg/qsvgfont_p.h
+@@ -74,6 +74,7 @@ public:
+ class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted
+ {
+ public:
++    static constexpr qreal DEFAULT_UNITS_PER_EM = 1000;
+     QSvgFont(qreal horizAdvX);
+
+     void setFamilyName(const QString &name);
+@@ -86,9 +87,7 @@ public:
+     void draw(QPainter *p, const QPointF &point, const QString &str, qreal 
pixelSize, Qt::Alignment alignment) const;
+ public:
+     QString m_familyName;
+-    qreal m_unitsPerEm;
+-    qreal m_ascent;
+-    qreal m_descent;
++    qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM;
+     qreal m_horizAdvX;
+     QHash<QChar, QSvgGlyph> m_glyphs;
+ };
+
+
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -2668,7 +2668,7 @@ static bool parseFontFaceNode(QSvgStyleProperty *parent,
+
+     qreal unitsPerEm = toDouble(unitsPerEmStr);
+     if (!unitsPerEm)
+-        unitsPerEm = 1000;
++        unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
+
+     if (!name.isEmpty())
+         font->setFamilyName(name);
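Review bot: The guard in parseFontFaceNode, `if (!unitsPerEm)`, replaces only an exact zero, so a negative or non-finite units-per-em read from the SVG attribute would still be accepted, assuming `toDouble` can return such values. The in-class initializer on `m_unitsPerEm` covers the case where the member was never set, but the value presumably still acts as a scale divisor in draw(), which is outside this hunk. A stricter check such as `if (!qIsFinite(unitsPerEm) || unitsPerEm <= 0)` would fall back to `QSvgFont::DEFAULT_UNITS_PER_EM` for every unusable value. Since this file mirrors the upstream patch, that change is best raised upstream rather than carried locally. The body of parseFontFaceNode continues beyond the hunk on both sides.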
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/qt5-qtsvg.git/commitdiff/95fe1f82140bf2810ed89b109661e0d83b6bb52f
