Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu
The attached debdiff for qtbase-opensource-src fixes several CVEs in
Bullseye. All CVEs are marked as no-dsa by the security team.
Thorsten

diff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/changelog qtbase-opensource-src-5.15.2+dfsg/debian/changelog
--- qtbase-opensource-src-5.15.2+dfsg/debian/changelog	2021-07-02 17:58:04.0 +0200
+++ qtbase-opensource-src-5.15.2+dfsg/debian/changelog	2024-04-28 22:48:02.0 +0200
@@ -1,3 +1,33 @@
+qtbase-opensource-src (5.15.2+dfsg-9+deb11u1) bullseye; urgency=medium
+
+ * Non-maintainer upload by the LTS Team.
+ * CVE-2024-25580 (Closes: #1064053)
+fix buffer overflow due to crafted KTX image file
+ * CVE-2023-32763 (Closes: #1036702)
+fix QTextLayout buffer overflow due to crafted SVG file
+ * CVE-2022-25255
+prevent QProcess from execution of a binary from the current working
+directory when not found in the PATH
+ * CVE-2023-24607 (Closes: #1031872)
+fix denial of service via a crafted string when the SQL ODBC driver
+plugin is used
+ * fix regression caused by patch for CVE-2023-24607
+ * CVE-2023-32762
+prevent incorrect parsing of the strict-transport-security (HSTS) header
+ * CVE-2023-51714 (Closes: #1060694)
+fix incorrect HPack integer overflow check.
+ * CVE-2023-38197 (Closes: #1041105)
+fix infinite loop in recursive entity expansion
+ * CVE-2023-37369 (Closes: #1059302)
+fix crash of application in QXmlStreamReader due to crafted XML string
+ * CVE-2023-34410 (Closes: #1037210)
+fix checking during TLS whether root of the chain really is a
+configured CA certificate
+ * CVE-2023-33285 (Closes: #1036848)
+fix buffer overflow in QDnsLookup
+
+ -- Thorsten Alteholz Sun, 28 Apr 2024 22:48:02 +0200
+
qtbase-opensource-src (5.15.2+dfsg-9) unstable; urgency=medium
* Revert adding fix-misplacement-of-placeholder-text-in-QLineEdit.diff.
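Review bot: the CVE-2022-25255 and CVE-2023-32762 entries are the only ones without a "Closes:" reference, and the "fix regression caused by patch for CVE-2023-24607" entry does not say what regressed; name the regression (or the upstream change that repairs it) so the LTS announcement and anyone bisecting later can tell which fix it belongs to. Minor: the CVE-2023-51714 line ends with a full stop while the other entries do not.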
diff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff
--- qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff	1970-01-01 01:00:00.0 +0100
+++ qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff	2024-03-05 13:22:01.0 +0100
@@ -0,0 +1,96 @@
+Description: QProcess: ensure we don't accidentally execute something from CWD
+ Unless "." (or the empty string) is in $PATH, we're not supposed to find
+ executables in the current directory. This is how the Unix shells behave
+ and we match their behavior. It's also the behavior Qt had prior to 5.9
+ (commit 28666d167aa8e602c0bea25ebc4d51b55005db13). On Windows, searching
+ the current directory is the norm, so we keep that behavior.
+ .
+ This commit does not add an explicit check for an empty return from
+ QStandardPaths::findExecutable(). Instead, we allow that empty string to
+ go all the way to execve(2), which will fail with ENOENT. We could catch
+ it early, before fork(2), but why add code for the error case?
+ .
+ See https://kde.org/info/security/advisory-20220131-1.txt
+Origin: upstream,
https://download.qt.io/official_releases/qt/5.15/CVE-2022-25255-qprocess5-15.diff
+Last-Update: 2022-02-21
+
+Index: qtbase-opensource-src-5.15.2+dfsg/src/corelib/io/qprocess_unix.cpp
+===
+--- qtbase-opensource-src-5.15.2+dfsg.orig/src/corelib/io/qprocess_unix.cpp
2024-03-05 13:21:06.432881985 +0100
qtbase-opensource-src-5.15.2+dfsg/src/corelib/io/qprocess_unix.cpp
2024-03-05 13:21:06.428881981 +0100
+@@ -1,7 +1,7 @@
+ /
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2016 Intel Corporation.
++** Copyright (C) 2022 Intel Corporation.
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -422,14 +422,15 @@
+ // Add the program name to the argument list.
+ argv[0] = nullptr;
+ if (!program.contains(QLatin1Char('/'))) {
++// findExecutable() returns its argument if it's an absolute path,
++// otherwise it searches $PATH; returns empty if not found (we handle
++// that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+-if (!exeFilePath.isEmpty()) {
+-const QByteArray &tmp = QFile::encodeName(exeFilePath);
+-argv[0] = ::strdup(tmp.constData());
+-}
+-}
+-if (!argv[0])
++const QByteArray &tmp = QFile::encodeName(exeFilePath);
++argv[0] = ::strdup(tmp.constData());
++} else {
+ argv[0] = ::strdup(encodedProgramName.constData());
++}
+
+ // Add every argument to the list
+ for (int i = 0; i < arguments.count(); ++i)
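Review bot: with both branches of the if/else now assigning argv[0], the `argv[0] = nullptr;` on the first context line of this hunk is dead; drop it or say in the comment why it stays. The bigger point is that removing `if (!exeFilePath.isEmpty())` means a bare program name that is not on $PATH now yields `argv[0] = ::strdup("")`, and the new comment defers the not-found case to code "much later"; that later hunk (@@ -983) is cut off in this debdiff, so please confirm it is carried in full and that QProcess still surfaces the ENOENT from execve(2) as a failed start with a sensible error string rather than a silent no-op. It would also help to state in the Description that a program containing '/' (for example "./tool") still takes the `else` branch and resolves against the working directory, so the change deliberately only affects bare names, matching shell behaviour.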
+@@ -983,15 +984,16 @@