Bug#1070154: bullseye-pu: qtbase-opensource-src/5.15.2+dfsg-9+deb11u1

2024-05-12 Thread Thorsten Alteholz

Hi Jonathan,

On 12.05.24 13:13, Jonathan Wiltshire wrote:

> Please go ahead.


great, thanks ...

... and done.

  Thorsten


Bug#1070154: bullseye-pu: qtbase-opensource-src/5.15.2+dfsg-9+deb11u1

2024-05-12 Thread Jonathan Wiltshire
Control: tag -1 confirmed

On Tue, Apr 30, 2024 at 11:26:17PM +, Thorsten Alteholz wrote:
> The attached debdiff for qtbase-opensource-src fixes several CVEs in
> Bullseye. All CVEs are marked as no-dsa by the security team.

Please go ahead.

Thanks,


-- 
Jonathan Wiltshire  j...@debian.org
Debian Developer http://people.debian.org/~jmw

4096R: 0xD3524C51 / 0A55 B7C5 1223 3942 86EC  74C3 5394 479D D352 4C51
ed25519/0x196418AAEB74C8A1: CA619D65A72A7BADFC96D280196418AAEB74C8A1



Bug#1070154: bullseye-pu: qtbase-opensource-src/5.15.2+dfsg-9+deb11u1

2024-04-30 Thread Thorsten Alteholz

Package: release.debian.org
Severity: normal
Tags: bullseye
User: release.debian@packages.debian.org
Usertags: pu


The attached debdiff for qtbase-opensource-src fixes several CVEs in 
Bullseye. All CVEs are marked as no-dsa by the security team.


  Thorsten

diff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/changelog qtbase-opensource-src-5.15.2+dfsg/debian/changelog
--- qtbase-opensource-src-5.15.2+dfsg/debian/changelog  2021-07-02 17:58:04.0 +0200
+++ qtbase-opensource-src-5.15.2+dfsg/debian/changelog  2024-04-28 22:48:02.0 +0200
@@ -1,3 +1,33 @@
+qtbase-opensource-src (5.15.2+dfsg-9+deb11u1) bullseye; urgency=medium
+
+  * Non-maintainer upload by the LTS Team.
+  * CVE-2024-25580 (Closes: #1064053)
+fix buffer overflow due to crafted KTX image file
+  * CVE-2023-32763 (Closes: #1036702)
+fix QTextLayout buffer overflow due to crafted SVG file
+  * CVE-2022-25255
+prevent QProcess from execution of a binary from the current working
+directory when not found in the PATH
+  * CVE-2023-24607 (Closes: #1031872)
+fix denial of service via a crafted string when the SQL ODBC driver
+plugin is used
+  * fix regression caused by patch for CVE-2023-24607
+  * CVE-2023-32762
+prevent incorrect parsing of the strict-transport-security (HSTS) header
+  * CVE-2023-51714 (Closes: #1060694)
+fix incorrect HPack integer overflow check.
+  * CVE-2023-38197 (Closes: #1041105)
+fix infinite loop in recursive entity expansion
+  * CVE-2023-37369 (Closes: #1059302)
+fix crash of application in QXmlStreamReader due to crafted XML string
+  * CVE-2023-34410 (Closes: #1037210)
+fix checking during TLS whether root of the chain really is a
+configured CA certificate
+  * CVE-2023-33285 (Closes: #1036848)
+fix buffer overflow in QDnsLookup
+
+ -- Thorsten Alteholz   Sun, 28 Apr 2024 22:48:02 +0200
+
 qtbase-opensource-src (5.15.2+dfsg-9) unstable; urgency=medium
 
   * Revert adding fix-misplacement-of-placeholder-text-in-QLineEdit.diff.
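Review bot: the entries in this changelog hunk are inconsistent in two small ways: the CVE-2023-51714 line ends with a full stop while none of the other descriptions do, and CVE-2022-25255 and CVE-2023-32762 carry no "(Closes: #...)" reference while every other CVE does; if Debian bugs exist for those two, add them, otherwise say so in the description so the omission reads as deliberate. The "fix regression caused by patch for CVE-2023-24607" entry would also benefit from naming the regression (or the upstream follow-up commit) so that the two ODBC-related patches can be matched to their sources without opening the patch files.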
diff -Nru qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff
--- qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff  1970-01-01 01:00:00.0 +0100
+++ qtbase-opensource-src-5.15.2+dfsg/debian/patches/CVE-2022-25255.diff  2024-03-05 13:22:01.0 +0100
@@ -0,0 +1,96 @@
+Description: QProcess: ensure we don't accidentally execute something from CWD
+ Unless "." (or the empty string) is in $PATH, we're not supposed to find
+ executables in the current directory. This is how the Unix shells behave
+ and we match their behavior. It's also the behavior Qt had prior to 5.9
+ (commit 28666d167aa8e602c0bea25ebc4d51b55005db13). On Windows, searching
+ the current directory is the norm, so we keep that behavior.
+ .
+ This commit does not add an explicit check for an empty return from
+ QStandardPaths::findExecutable(). Instead, we allow that empty string to
+ go all the way to execve(2), which will fail with ENOENT. We could catch
+ it early, before fork(2), but why add code for the error case?
+ .
+ See https://kde.org/info/security/advisory-20220131-1.txt
+Origin: upstream, 
https://download.qt.io/official_releases/qt/5.15/CVE-2022-25255-qprocess5-15.diff
+Last-Update: 2022-02-21
+
+Index: qtbase-opensource-src-5.15.2+dfsg/src/corelib/io/qprocess_unix.cpp
+===
+--- qtbase-opensource-src-5.15.2+dfsg.orig/src/corelib/io/qprocess_unix.cpp
2024-03-05 13:21:06.432881985 +0100
 qtbase-opensource-src-5.15.2+dfsg/src/corelib/io/qprocess_unix.cpp 
2024-03-05 13:21:06.428881981 +0100
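Review bot: the DEP-3 header says "Last-Update: 2022-02-21", but the Index/---/+++ timestamps show the patch was refreshed against 5.15.2+dfsg on 2024-03-05; bump Last-Update to the refresh date so the header reflects the version of the patch actually shipped. The only commit id in the Description (28666d167aa8e602c0bea25ebc4d51b55005db13) is cited for the pre-5.9 behaviour, not for this fix, so if the upstream change has a git commit it is worth recording it next to the Origin URL, and a "Bug-Debian:" field if a bug exists, for later re-checks against upstream.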
+@@ -1,7 +1,7 @@
+ /
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2016 Intel Corporation.
++** Copyright (C) 2022 Intel Corporation.
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -422,14 +422,15 @@
+ // Add the program name to the argument list.
+ argv[0] = nullptr;
+ if (!program.contains(QLatin1Char('/'))) {
++// findExecutable() returns its argument if it's an absolute path,
++// otherwise it searches $PATH; returns empty if not found (we handle
++// that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+-if (!exeFilePath.isEmpty()) {
+-const QByteArray &tmp = QFile::encodeName(exeFilePath);
+-argv[0] = ::strdup(tmp.constData());
+-}
+-}
+-if (!argv[0])
++const QByteArray &tmp = QFile::encodeName(exeFilePath);
++argv[0] = ::strdup(tmp.constData());
++} else {
+ argv[0] = ::strdup(encodedProgramName.constData());
++}
+ 
+ // Add every argument to the list
+ for (int i = 0; i < arguments.count(); ++i)
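Review bot: in the `!program.contains(QLatin1Char('/'))` branch the first clause of the new comment ("findExecutable() returns its argument if it's an absolute path") can never apply, because an absolute path always contains '/'; trim it to the $PATH-search and empty-return cases so the comment describes what this branch actually does. It is also worth saying in the comment where the empty result is dealt with: with the old `if (!argv[0])` fallback removed, a bare name that is not found in $PATH now yields `argv[0] = ::strdup("")` and the failure only surfaces from execve(2) as ENOENT, as the Description states; a pointer to that spot saves the next reader from wondering why strdup of an empty string is acceptable here.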
+@@ -983,15 +984,16 @@