Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtbase-opensource-...@packages.debian.org, mity...@debian.org,
lisan...@debian.org
Control: affects -1 + src:qtbase-opensource-src
Please unblock package qtbase-opensource-src
[ Reason ]
This upload:
- Fixes CVE-2023-32762 and CVE-2023-32763. One prevents a crash with SVG
(not related to the one in qtsvg-opensource-src) and the other one is
related to security header parsing in the network module.
- Adds a Break/Replaces in order to allow proper handling of systems
that still had libqtcore4 around (#1035790).
- Backports a patch in order to solve an issue with KWin:
  - https://bugreports.qt.io/browse/QTBUG-98048
  - https://lists.debian.org/debian-kde/2022/11/msg00019.html
[ Impact ]
- Lack of security fixes.
- Breaks the bullseye → bookworm update on some systems.
- Nasty visual effects while drag and dropping.
[ Tests ]
All the patches have been tested by upstream.
The security patches are quite straightforward.
The B/R issue is also straightforward, with a specific Qt4 version
allowing users to keep libqt4 around if necessary.
Drag and dropping just works as expected.
[ Risks ]
Sincerely, I don't think there are risks here.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock qtbase-opensource-src/5.15.8+dfsg-10
diff --git a/debian/changelog b/debian/changelog
index 8c172cff..1f5b73f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium
+
+ * Add patches to fix CVE-2023-32762 and CVE-2023-32763.
+
+ -- Lisandro Damián Nicanor Pérez Meyer Mon, 22 May
2023 11:31:55 -0300
+
+qtbase-opensource-src (5.15.8+dfsg-9) unstable; urgency=medium
+
+ * Backport upstream patch to fix laggy drag-and-drop with KWin. See:
+- https://bugreports.qt.io/browse/QTBUG-98048
+- https://lists.debian.org/debian-kde/2022/11/msg00019.html
+
+ -- Dmitry Shachnev Sun, 21 May 2023 12:19:31 +0300
+
qtbase-opensource-src (5.15.8+dfsg-8) unstable; urgency=medium
* Add back Breaks/Replaces for libqtcore4 (closes: #1035790).
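Review bot: the 5.15.8+dfsg-10 entry ("Add patches to fix CVE-2023-32762 and CVE-2023-32763") records neither where the two patches come from nor a bug or security-tracker reference, and the patch files added further down in this debdiff open directly with a diffstat (`+---`, `+ src/network/access/qhsts.cpp |4 ++--`) rather than a DEP-3 header, so nothing in the source package says which upstream change was backported. Suggest either extending the changelog line with the upstream reference or adding `Origin:`/`Bug:`/`Applied-Upstream:` headers to the patch files, since the [ Tests ] section relies on "tested by upstream" and a reviewer of the next stable update will want to verify that.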
diff --git a/debian/patches/CVE-2023-32762.patch
b/debian/patches/CVE-2023-32762.patch
new file mode 100644
index ..d0deff76
--- /dev/null
+++ b/debian/patches/CVE-2023-32762.patch
@@ -0,0 +1,17 @@
+---
+ src/network/access/qhsts.cpp |4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/network/access/qhsts.cpp
b/src/network/access/qhsts.cpp
+@@ -364,8 +364,8 @@ quoted-pair= "\" CHAR
+ bool QHstsHeaderParser::parse(const QList>
)
+ {
+ for (const auto : headers) {
+-// We use '==' since header name was already 'trimmed' for us:
+-if (h.first == "Strict-Transport-Security") {
++// We compare directly because header name was already 'trimmed' for
us:
++if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive)
== 0) {
+ header = h.second;
+ // RFC6797, 8.1:
+ //
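Review bot: the rewritten comment ("We compare directly because header name was already 'trimmed' for us") still only explains the trimming and says nothing about the actual change, which is the switch from `==` to `h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0`. Suggest making the comment state the reason: HTTP header field names are case-insensitive, so a `Strict-Transport-Security` header sent in any other letter case would previously fail the `==` test and the HSTS policy would silently not be recorded for that host. The patch file also carries no DEP-3 header (it begins with `+---` and the diffstat), so the upstream origin of this fix is not recorded anywhere in the package.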
diff --git a/debian/patches/cve-2023-32763.diff
b/debian/patches/cve-2023-32763.diff
new file mode 100644
index ..b74413dc
--- /dev/null
+++ b/debian/patches/cve-2023-32763.diff
@@ -0,0 +1,50 @@
+---
+ src/gui/painting/qfixed_p.h |9 +
+ src/gui/text/qtextlayout.cpp |9 ++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/src/gui/painting/qfixed_p.h
b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include
+ #include "QtCore/qsize.h"
+
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(i
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed , int i) { return
f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed ) { return i *
64 > f.value(); }
+
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++int val;
++bool result = add_overflow(v1.value(), v2.value(), );
++r->setValue(val);
++return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug <<(QDebug , const QFixed )
+ { return dbg << f.toReal(); }
+--- a/src/gui/text/qtextlayout.cpp
b/src/gui/text/qtextlayout.cpp
+@@ -2150,11 +2150,14 @@ found:
+ eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+ } else {
+ eng->minWidth = qMax(eng->minWidth, lbh.minw);
+-eng->maxWidth += line.textWidth;
++if (qAddOverflow(eng->maxWidth, line.textWidth, >maxWidth))
++eng->maxWidth = QFIXED_MAX;
+ }
+
+-if (line.textWidth > 0 && item < eng->layoutData->items.size())
+-eng->maxWidth += lbh.spaceData.textWidth;
++if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth,
>maxWidth))
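Review bot: the debdiff is cut off right after the second `qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, ...)` call, so the clamping branch for that addition is not visible here and cannot be reviewed; please confirm it mirrors the first site (`eng->maxWidth = QFIXED_MAX;`) so that both accumulations of `maxWidth` saturate instead of wrapping. Two smaller points on the helper in `qfixed_p.h`: `qAddOverflow` writes the wrapped `val` into `*r` via `r->setValue(val)` even when `add_overflow` reports an overflow, so every caller must check the return value and overwrite the result as both call sites in this hunk do; a one-line comment on the helper saying that the returned value is the only guard would save a future caller from using `*r` unchecked. Also, the two new patch files are named inconsistently (`CVE-2023-32762.patch` vs. `cve-2023-32763.diff`); picking one convention makes them easier to find in debian/patches.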