qtbase-opensource-src_5.15.8+dfsg-11_source.changes ACCEPTED into unstable

2023-05-25 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

Format: 1.8
Date: Thu, 25 May 2023 13:45:05 +0300
Source: qtbase-opensource-src
Architecture: source
Version: 5.15.8+dfsg-11
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers 
Changed-By: Dmitry Shachnev 
Changes:
 qtbase-opensource-src (5.15.8+dfsg-11) unstable; urgency=medium
 .
   * Rename the patches for consistency and add DEP-3 headers.
   * Add a patch to fix buffer overflow in QDnsLookup (CVE-2023-33285).



Processing of qtbase-opensource-src_5.15.8+dfsg-11_source.changes

2023-05-25 Thread Debian FTP Masters
qtbase-opensource-src_5.15.8+dfsg-11_source.changes uploaded successfully to 
localhost
along with the files:
  qtbase-opensource-src_5.15.8+dfsg-11.dsc
  qtbase-opensource-src_5.15.8+dfsg-11.debian.tar.xz
  qtbase-opensource-src_5.15.8+dfsg-11_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Re: Question about Plasma 5.27.5 and Frameworks 5.106

2023-05-25 Thread Luc Castermans
I have two PCs on this level and have not seen strange behaviour as of today.

Luc

Diederik de Haas wrote on 25 May 2023 09:43:03 UTC:
>On Friday, 19 May 2023 13:11:01 CEST Luc Castermans wrote:
>> I just upgraded the machine which was messed up earlier, fixed later, using:
>> 
>> aptitude install -t experimental '~i ~V5\.27\.2'
>> aptitude install -t experimental '~i ~V5\.103\.0'
>
>I hadn't upgraded to those packages, but earlier today I did reboot my laptop 
>and when I logged in, my desktop was completely blank and no longer had the 
>icons and plasma widgets I had on them.
>
>After doing `aptitude safe-upgrade '~i~V5\.27\.2' -t experimental` and another 
>reboot (maybe a logout/login would be sufficient; we'll never know), I had my 
>normal desktop back. 
>
>I haven't yet tried upgrading Frameworks, but the Plasma package update 
>definitely fixed an issue on my laptop.
>
>Cheers,
>  Diederik

Re: Question about Plasma 5.27.5 and Frameworks 5.106

2023-05-25 Thread Diederik de Haas
On Friday, 19 May 2023 13:11:01 CEST Luc Castermans wrote:
> I just upgraded the machine which was messed up earlier, fixed later, using:
> 
> aptitude install -t experimental '~i ~V5\.27\.2'
> aptitude install -t experimental '~i ~V5\.103\.0'

I hadn't upgraded to those packages, but earlier today I did reboot my laptop 
and when I logged in, my desktop was completely blank and no longer had the 
icons and plasma widgets I had on them.

After doing `aptitude safe-upgrade '~i~V5\.27\.2' -t experimental` and another 
reboot (maybe a logout/login would be sufficient; we'll never know), I had my 
normal desktop back. 

I haven't yet tried upgrading Frameworks, but the Plasma package update 
definitely fixed an issue on my laptop.

Cheers,
  Diederik



Bug#1036745: unblock: qtbase-opensource-src-gles/5.15.8+dfsg-3

2023-05-25 Thread Dmitry Shachnev
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtbase-opensource-src-g...@packages.debian.org
Control: affects -1 + src:qtbase-opensource-src-gles

Please unblock package qtbase-opensource-src-gles.

[ Reason ]
* Fixes for two CVEs (CVE-2023-24607 and CVE-2023-32763).
* Updated image_deletion_order.diff to fix dangling or incorrect
  device pointers during handler destruction.
* Fix for cross-building (#1029082).
* Minor update for debian/libqt5gui5-gles.symbols.

[ Impact ]
Of these fixes, CVE-2023-32763 is the most important. It is possible to
trigger a buffer overflow when rendering SVG files.

[ Tests ]
No automated tests are run for this package. But patches that come from
upstream are covered by upstream tests.

[ Risks ]
I think the risk is low. Most of these fixes are already present in the
non-gles variant of the package in testing (5.15.8+dfsg-10) and have been
tested by many users. Except for the cross-build fix which is specific to
the -gles variant, but that fix is only applied when cross-building and
does not affect regular builds.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

[ Other info ]
(Anything else the release team should know.)

unblock qtbase-opensource-src-gles/5.15.8+dfsg-3

--
Dmitry Shachnev
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,28 @@
+qtbase-opensource-src-gles (5.15.8+dfsg-3) unstable; urgency=medium
+
+  * Add a patch to fix CVE-2023-32763: buffer overflow in Qt SVG
+(closes: #1036702).
+
+ -- Dmitry Shachnev   Wed, 24 May 2023 20:52:26 +0300
+
+qtbase-opensource-src-gles (5.15.8+dfsg-2) unstable; urgency=medium
+
+  * Merge qtbase-opensource-src 5.15.8+dfsg-3 upload.
+  * Compare only upstream version of qt5-qmake-bin when cross-building
+(closes: #1029082).
+
+ -- Dmitry Shachnev   Sat, 04 Mar 2023 14:39:27 +0300
+
+qtbase-opensource-src (5.15.8+dfsg-3) unstable; urgency=medium
+
+  * Use ${DEB_HOST_GNU_TYPE} substitution in debian/qt5-qmake.install.
+  * Add upstream patch to fix denial-of-service in Qt SQL ODBC plugin
+(CVE-2023-24607, closes: #1031872).
+  * Update debian/libqt5gui5.symbols from s390x build log.
+  * Amend image_deletion_order.diff from one more upstream commit.
+
+ -- Dmitry Shachnev   Mon, 27 Feb 2023 11:28:53 +0300
+
 qtbase-opensource-src-gles (5.15.8+dfsg-1) unstable; urgency=medium
 
   * Merge qtbase-opensource-src 5.15.8+dfsg-2 upload.
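
Review bot: the qtbase-opensource-src-gles (5.15.8+dfsg-2) entry records the CVE-2023-24607 fix only indirectly, through "Merge qtbase-opensource-src 5.15.8+dfsg-3 upload" and the embedded qtbase-opensource-src entry below it. Anyone scanning the -gles entries for that CVE has to read the merged entry to find it. Naming CVE-2023-24607 in the 5.15.8+dfsg-2 entry itself, the way the 5.15.8+dfsg-3 entry names CVE-2023-32763, would make the fixed -gles version explicit.
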
--- a/debian/libqt5gui5-gles.symbols
+++ b/debian/libqt5gui5-gles.symbols
@@ -1,4 +1,4 @@
-# SymbolsHelper-Confirmed: 5.15.4 amd64 hppa powerpc ppc64 s390x sparc64
+# SymbolsHelper-Confirmed: 5.15.8 s390x
 libQt5Gui.so.5 libqt5gui5 #MINVER# | libqt5gui5-gles #MINVER#
 | libqt5gui5 #MINVER# | libqt5gui5-gles #MINVER#, qtbase-abi-5-15-8
 | libqt5gui5 #MINVER#
@@ -1563,7 +1563,7 @@ libQt5Gui.so.5 libqt5gui5 #MINVER# | libqt5gui5-gles #MINVER#
  _ZN16QDoubleValidatorD0Ev@Qt_5 5.0.2
  _ZN16QDoubleValidatorD1Ev@Qt_5 5.0.2
  _ZN16QDoubleValidatorD2Ev@Qt_5 5.0.2
- (optional=inline|arch=!hppa !ia64 !s390x)_ZN16QOpenGLFunctions17glBindFramebufferEjj@Qt_5 5.15.2
+ (optional=inline|arch=!hppa !ia64)_ZN16QOpenGLFunctions17glBindFramebufferEjj@Qt_5 5.15.2
  _ZN16QOpenGLFunctions25initializeOpenGLFunctionsEv@Qt_5 5.0.2
  _ZN16QOpenGLFunctionsC1EP14QOpenGLContext@Qt_5 5.0.2
  _ZN16QOpenGLFunctionsC1Ev@Qt_5 5.0.2
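
Review bot: the removal of `!s390x` on the glBindFramebuffer line, together with the new "SymbolsHelper-Confirmed: 5.15.8 s390x" header in the hunk above, is not recorded in any of the changelog entries this debdiff adds. The only symbols item there names debian/libqt5gui5.symbols, in the merged qtbase-opensource-src entry, not debian/libqt5gui5-gles.symbols. Since the checklist states that all changes are documented in d/changelog, add a line for the -gles symbols file to the 5.15.8+dfsg-2 entry.
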
--- /dev/null
+++ b/debian/patches/CVE-2023-24607.diff
@@ -0,0 +1,330 @@
+Description: Fix denial-of-service in Qt SQL ODBC driver plugin
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
+Last-Update: 2023-02-26
+
+--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
 b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
+@@ -92,23 +92,39 @@ inline static QString fromSQLTCHAR(const
+ return result;
+ }
+ 
++template 
++void toSQLTCHARImpl(QVarLengthArray , const QString ); // primary template undefined
++
++template 
++void do_append(QVarLengthArray , const Container )
++{
++result.append(reinterpret_cast(c.data()), c.size());
++}
++
++template <>
++void toSQLTCHARImpl<1>(QVarLengthArray , const QString )
++{
++const auto u8 = input.toUtf8();
++do_append(result, u8);
++}
++
++template <>
++void toSQLTCHARImpl<2>(QVarLengthArray , const QString )
++{
++do_append(result, input);
++}
++
++template <>
++void toSQLTCHARImpl<4>(QVarLengthArray , const QString )
++{
++const auto u32 = input.toUcs4();
++do_append(result, u32);
++}
++
+ inline static QVarLengthArray toSQLTCHAR(const QString )
+ {
+ QVarLengthArray result;
+-result.resize(input.size());
+-switch(sizeof(SQLTCHAR)) {
+-case 1:
+-memcpy(result.data(), input.toUtf8().data(), input.size());
+-break;
+-case 2:
+-memcpy(result.data(), input.unicode(), input.size() * 2);
+-break;
+-case 4:
+-
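
Review bot: the three toSQLTCHARImpl specializations append exactly c.size() elements through do_append and none of them adds a terminator, so toSQLTCHAR itself has to do that after the call. The rest of that function is cut off on this page after "case 4:", so confirm it against the full patch. The primary template is declared but left undefined, which means an unexpected sizeof(SQLTCHAR) shows up only as a link error. The removed switch covered the same three sizes, and a static_assert would give a clearer diagnostic, though as an upstream patch it is better carried unmodified. In the DEP-3 header, Description, Origin and Last-Update are present but there is no Bug-Debian field, although the changelog closes #1031872 for this fix. Adding it would tie the patch to the bug.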