Bug#1036562: unblock: qtbase-opensource-src/5.15.8+dfsg-10

2023-05-22 Thread Dmitry Shachnev
On Mon, May 22, 2023 at 01:58:03PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> Package: release.debian.org
> Severity: normal
> User: release.debian@packages.debian.org
> Usertags: unblock
> X-Debbugs-Cc: qtbase-opensource-...@packages.debian.org, mity...@debian.org, 
> lisan...@debian.org
> Control: affects -1 + src:qtbase-opensource-src
> 
> Please unblock package qtbase-opensource-src
> 
> [ Reason ]
> 
> This upload:
> - Fixes CVE-2023-32762 and CVE-2023-32763. One prevents a crash with SVG
> (not related to the one in qtsvg-opensource-src) and the other one is
> related to security header parsing in the network module.
> - Adds a Break/Replaces in order to allow proper handling of systems
>   that still had libqtcore4 around (#1035790).
> - Backports a patch in order to solve an issue with KWin:
>   - https://bugreports.qt.io/browse/QTBUG-98048
>   - https://lists.debian.org/debian-kde/2022/11/msg00019.html

Actually, the fix for #1035790 has already migrated to testing.
So just the first and third points are remaining.

--
Dmitry Shachnev




Bug#1036562: unblock: qtbase-opensource-src/5.15.8+dfsg-10

2023-05-22 Thread Lisandro Damián Nicanor Pérez Meyer
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtbase-opensource-...@packages.debian.org, mity...@debian.org, 
lisan...@debian.org
Control: affects -1 + src:qtbase-opensource-src

Please unblock package qtbase-opensource-src

[ Reason ]

This upload:
- Fixes CVE-2023-32762 and CVE-2023-32763. One prevents a crash with SVG
  (not related to the one in qtsvg-opensource-src) and the other one is
  related to security header parsing in the network module.
- Adds a Break/Replaces in order to allow proper handling of systems
  that still had libqtcore4 around (#1035790).
- Backports a patch in order to solve an issue with KWin:
  - https://bugreports.qt.io/browse/QTBUG-98048
  - https://lists.debian.org/debian-kde/2022/11/msg00019.html

[ Impact ]

- Lack of security fixes.
- Breaks the bullseye → bookworm update on some systems.
- Nasty visual effects while drag and dropping.

[ Tests ]

All the patches have been tested by upstream.

The security patches are quite straightforward.
The B/R issue is also straightforward, with a specific Qt4 version
allowing users to keep libqt4 around if necessary.
Drag and dropping just works as expected.

[ Risks ]

Sincerely I don't think there are risks here.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock qtbase-opensource-src/5.15.8+dfsg-10
diff --git a/debian/changelog b/debian/changelog
index 8c172cff..1f5b73f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium
+
+  * Add patches to fix CVE-2023-32762 and CVE-2023-32763.
+
+ -- Lisandro Damián Nicanor Pérez Meyer   Mon, 22 May 
2023 11:31:55 -0300
+
+qtbase-opensource-src (5.15.8+dfsg-9) unstable; urgency=medium
+
+  * Backport upstream patch to fix laggy drag-and-drop with KWin. See:
+- https://bugreports.qt.io/browse/QTBUG-98048
+- https://lists.debian.org/debian-kde/2022/11/msg00019.html
+
+ -- Dmitry Shachnev   Sun, 21 May 2023 12:19:31 +0300
+
 qtbase-opensource-src (5.15.8+dfsg-8) unstable; urgency=medium
 
   * Add back Breaks/Replaces for libqtcore4 (closes: #1035790).
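Review bot: the 5.15.8+dfsg-10 changelog entry only names the two CVEs; unlike the -9 entry, it gives no hint of what each one fixes or where the patches come from. Suggest expanding it to something like `* Add patches to fix CVE-2023-32762 (case-insensitive match of the Strict-Transport-Security header name in QHstsHeaderParser) and CVE-2023-32763 (overflow-checked QFixed addition in QTextLayout width accumulation).` and listing the upstream references, so the security tracker and future maintainers can map each CVE to its patch without reading the diff.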
diff --git a/debian/patches/CVE-2023-32762.patch 
b/debian/patches/CVE-2023-32762.patch
new file mode 100644
index ..d0deff76
--- /dev/null
+++ b/debian/patches/CVE-2023-32762.patch
@@ -0,0 +1,17 @@
+---
+ src/network/access/qhsts.cpp |4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/network/access/qhsts.cpp
 b/src/network/access/qhsts.cpp
+@@ -364,8 +364,8 @@ quoted-pair= "\" CHAR
+ bool QHstsHeaderParser::parse(const QList> 
)
+ {
+ for (const auto  : headers) {
+-// We use '==' since header name was already 'trimmed' for us:
+-if (h.first == "Strict-Transport-Security") {
++// We compare directly because header name was already 'trimmed' for 
us:
++if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) 
== 0) {
+ header = h.second;
+ // RFC6797, 8.1:
+ //
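Review bot: the patch file carries no DEP-3 header (no Description, Origin or Bug line), only a diffstat before the hunk; for a security fix that other distributions will cherry-pick, add at least an `Origin:` line with the upstream commit and a one-line description so the provenance can be checked. The change itself is the right one: HTTP field names are case-insensitive, so `h.first == "Strict-Transport-Security"` did not recognise an HSTS header sent with any other capitalization and the host's policy was never applied, while `h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0` matches every casing. Note that in this copy of the debdiff the `b/src/network/access/qhsts.cpp` file header has lost its `+++` prefix and the parameter list on the `bool QHstsHeaderParser::parse(` line is mangled; please confirm the attached file still applies cleanly with `quilt push` before uploading.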
diff --git a/debian/patches/cve-2023-32763.diff 
b/debian/patches/cve-2023-32763.diff
new file mode 100644
index ..b74413dc
--- /dev/null
+++ b/debian/patches/cve-2023-32763.diff
@@ -0,0 +1,50 @@
+---
+ src/gui/painting/qfixed_p.h  |9 +
+ src/gui/text/qtextlayout.cpp |9 ++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/src/gui/painting/qfixed_p.h
 b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include 
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include 
+ #include "QtCore/qsize.h"
+ 
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(i
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed , int i) { return 
f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed ) { return i * 
64 > f.value(); }
+ 
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++int val;
++bool result = add_overflow(v1.value(), v2.value(), );
++r->setValue(val);
++return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug <<(QDebug , const QFixed )
+ { return dbg << f.toReal(); }
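Review bot: `qAddOverflow` stores the wrapped sum into `*r` through `r->setValue(val)` even when `add_overflow` reports an overflow, so any caller that ignores the `bool` silently keeps a wrapped width; the two call sites in qtextlayout.cpp do test it, but a short comment on the helper stating that the caller must check the result (or having the helper saturate to `QFIXED_MAX` itself) would make that contract explicit. The same DEP-3 remark as for the other patch applies here (no Origin/Description header), and the file name `cve-2023-32763.diff` is inconsistent with `CVE-2023-32762.patch`; pick one naming scheme. Also, the `+#include` line added in the first hunk of qfixed_p.h shows no header name in this copy of the debdiff; please verify it names the header that provides `add_overflow`.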
+--- a/src/gui/text/qtextlayout.cpp
 b/src/gui/text/qtextlayout.cpp
+@@ -2150,11 +2150,14 @@ found:
+ eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+ } else {
+ eng->minWidth = qMax(eng->minWidth, lbh.minw);
+-eng->maxWidth += line.textWidth;
++if (qAddOverflow(eng->maxWidth, line.textWidth, >maxWidth))
++eng->maxWidth = QFIXED_MAX;
+ }
+ 
+-if (line.textWidth > 0 && item < eng->layoutData->items.size())
+-eng->maxWidth += lbh.spaceData.textWidth;
++if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, 
>maxWidth))
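Review bot: the hunk header `@@ -0,0 +1,50 @@` announces 50 added lines, but the debdiff as attached stops at the second `qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, ...)` line, before what is presumably the matching `eng->maxWidth = QFIXED_MAX;` fallback and the closing brace of the new block, so the second saturation path cannot be reviewed from this mail; please re-attach the complete debdiff. For the part that is visible, replacing the unchecked `eng->maxWidth += line.textWidth;` with an overflow-checked add that clamps to `QFIXED_MAX` is the right shape: `QFixed` wraps a plain `int` scaled by 64 (see the `i * 64` comparisons in qfixed_p.h), so an oversized text run could previously wrap `maxWidth` into a negative value that later layout code then trusted.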