Bug#1064056: marked as done (qtbase-opensource-src: CVE-2024-25580)

2024-02-17 Thread Debian Bug Tracking System
Your message dated Sun, 18 Feb 2024 00:37:49 +
with message-id 
and subject line Bug#1064053: fixed in qtbase-opensource-src 5.15.10+dfsg-7
has caused the Debian Bug report #1064053,
regarding qtbase-opensource-src: CVE-2024-25580
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1064053: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064053
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: qtbase-opensource-src
Version: 5.15.10+dfsg-6
Severity: normal
Tags: patch security

Dear Maintainer,

Security advisory CVE-2024-25580, a buffer overflow affecting KTX image
handling in Qt, has been announced[1], and the announcement includes patches
for various versions of Qt including the v5.15 branch.

I've confirmed that the patch applies cleanly to qtbase-opensource-src versions
5.15.8+dfsg-11 (bookworm / stable) and 5.15.10+dfsg-6 (trixie / testing), and
have successfully compiled the trixie package.

Please find attached the v5.15 patch from upstream.
( sha256sum 7cc9bf74f696de8ec5386bb80ce7a2fed5aa3870ac0e2c7db4628621c5c1a731 )

Regards,
James

[1] - https://lists.qt-project.org/pipermail/announce/2024-February/000472.html
diff --git a/src/gui/util/qktxhandler.cpp b/src/gui/util/qktxhandler.cpp
index 0d98e97453..6a79e55109 100644
--- a/src/gui/util/qktxhandler.cpp
+++ b/src/gui/util/qktxhandler.cpp
@@ -73,7 +73,7 @@ struct KTXHeader {
 quint32 bytesOfKeyValueData;
 };
 
-static const quint32 headerSize = sizeof(KTXHeader);
+static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader);
 
 // Currently unused, declared for future reference
 struct KTXKeyValuePairItem {
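Review bot: the rename to qktxh_headerSize at the top of this hunk comes with no comment explaining the prefix, so a reader cannot tell whether it avoids a name clash or is only style; a one-line comment would settle it. Because the constant is sizeof(KTXHeader) and is later used as the number of bytes copied out of the file buffer, a static_assert on the expected header size next to it would also guard against padding silently changing the value.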
@@ -103,11 +103,36 @@ struct KTXMipmapLevel {
 */
 };
 
-bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block)
+static bool qAddOverflow(quint32 v1, quint32 v2, quint32 *r) {
+// unsigned additions are well-defined
+*r = v1 + v2;
+return v1 > quint32(v1 + v2);
+}
+
+// Returns the nearest multiple of 4 greater than or equal to 'value'
+static bool nearestMultipleOf4(quint32 value, quint32 *result)
+{
+constexpr quint32 rounding = 4;
+*result = 0;
+if (qAddOverflow(value, rounding - 1, result))
+return true;
+*result &= ~(rounding - 1);
+return false;
+}
+
+// Returns a slice with prechecked bounds
+static QByteArray safeSlice(const QByteArray& array, quint32 start, quint32 
length)
 {
-Q_UNUSED(suffix)
+quint32 end = 0;
+if (qAddOverflow(start, length, &end) || end > quint32(array.length()))
+return {};
+return QByteArray(array.data() + start, length);
+}
 
-return (qstrncmp(block.constData(), ktxIdentifier, KTX_IDENTIFIER_LENGTH) 
== 0);
+bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block)
+{
+Q_UNUSED(suffix);
+return block.startsWith(QByteArray::fromRawData(ktxIdentifier, 
KTX_IDENTIFIER_LENGTH));
 }
 
 QTextureFileData QKtxHandler::read()
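Review bot: in qAddOverflow and nearestMultipleOf4 a return value of true means the addition overflowed, but the comment above nearestMultipleOf4 describes only the out-parameter ("Returns the nearest multiple of 4 ..."), so a caller reading the comment will take true for success. State in the comment that the function returns true on overflow and that *result must not be used in that case. safeSlice has a related ambiguity: an out-of-range request and a valid zero-length slice both come back as an empty QByteArray, so callers need another way to tell them apart, and its end > quint32(array.length()) comparison relies on the caller having already bounded the buffer size. qAddOverflow could also return *r < v1 rather than recomputing v1 + v2.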
@@ -115,42 +140,97 @@ QTextureFileData QKtxHandler::read()
 if (!device())
 return QTextureFileData();
 
-QByteArray buf = device()->readAll();
-const quint32 dataSize = quint32(buf.size());
-if (dataSize < headerSize || !canRead(QByteArray(), buf)) {
-qCDebug(lcQtGuiTextureIO, "Invalid KTX file %s", 
logName().constData());
+const QByteArray buf = device()->readAll();
+if (size_t(buf.size()) > std::numeric_limits::max()) {
+qWarning(lcQtGuiTextureIO, "Too big KTX file %s", 
logName().constData());
+return QTextureFileData();
+}
+
+if (!canRead(QByteArray(), buf)) {
+qWarning(lcQtGuiTextureIO, "Invalid KTX file %s", 
logName().constData());
+return QTextureFileData();
+}
+
+if (buf.size() < qsizetype(qktxh_headerSize)) {
+qWarning(lcQtGuiTextureIO, "Invalid KTX header size in %s", 
logName().constData());
 return QTextureFileData();
 }
 
-const KTXHeader *header = reinterpret_cast(buf.constData());
-if (!checkHeader(*header)) {
-qCDebug(lcQtGuiTextureIO, "Unsupported KTX file format in %s", 
logName().constData());
+KTXHeader header;
+memcpy(&header, buf.data(), qktxh_headerSize);
+if (!checkHeader(header)) {
+qWarning(lcQtGuiTextureIO, "Unsupported KTX file format in %s", 
logName().constData());
 return QTextureFileData();
 }
 
 QTextureFileData texData;
 texData.setData(buf);
 
-texData.setSize(QSize(decode(header->pixelWidth), 
decode(header->pixelHeight)));
-texData.setGLFormat(decode(header->glFormat));
-texData.setGLInternalFormat(decode(header->glInternalFormat));
- 
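Review bot: the new size cap at the top of read() is what makes the quint32(array.length()) cast in safeSlice sound, but nothing in the code says so; a comment on that check tying it to the 32-bit offsets used later would stop someone from removing it as redundant. The hunk also starts using memcpy and std::numeric_limits while the first hunk for this file begins at line 73, so no #include is added; confirm that <cstring> and <limits> are included explicitly rather than reached transitively. Copying the header into a local KTXHeader instead of casting buf.constData() is the right direction. The three failure paths move from qCDebug to qWarning, which raises the log level for malformed files; check that this is intended for untrusted input.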

Bug#1064053: marked as done (qtbase-opensource-src: CVE-2024-25580)

2024-02-17 Thread Debian Bug Tracking System
Your message dated Sun, 18 Feb 2024 00:37:49 +
with message-id 
and subject line Bug#1064053: fixed in qtbase-opensource-src 5.15.10+dfsg-7
has caused the Debian Bug report #1064053,
regarding qtbase-opensource-src: CVE-2024-25580
to be marked as done.

-- 
1064053: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064053
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Source: qtbase-opensource-src
X-Debbugs-CC: t...@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src.

CVE-2024-25580[0]:
https://bugzilla.redhat.com/show_bug.cgi?id=2264423
https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-25580
https://www.cve.org/CVERecord?id=CVE-2024-25580

Please adjust the affected versions in the BTS as needed.
--- End Message ---
--- Begin Message ---
Source: qtbase-opensource-src
Source-Version: 5.15.10+dfsg-7
Done: Dmitry Shachnev 

We believe that the bug you reported is fixed in the latest version of
qtbase-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1064...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev  (supplier of updated qtbase-opensource-src 
package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 17 Feb 2024 15:11:37 +0300
Source: qtbase-opensource-src
Architecture: source
Version: 5.15.10+dfsg-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers
Changed-By: Dmitry Shachnev
Closes: 1064053
Changes:
 qtbase-opensource-src (5.15.10+dfsg-7) unstable; urgency=medium
 .
   * Backport upstream patch to fix potential buffer overflow when reading
     KTX images (CVE-2024-25580, closes: #1064053).
--- End Message ---


Bug#1059631: marked as done (qhelpgenerator-qt5: nearly-reproducible LastRegisterTime value in .qch files is not timezone-normalized)

2024-02-17 Thread Debian Bug Tracking System
Your message dated Sun, 18 Feb 2024 00:38:28 +
with message-id 
and subject line Bug#1059631: fixed in qttools-opensource-src 5.15.10-6
has caused the Debian Bug report #1059631,
regarding qhelpgenerator-qt5: nearly-reproducible LastRegisterTime value in 
.qch files is not timezone-normalized
to be marked as done.

-- 
1059631: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059631
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qhelpgenerator-qt5
Version: 5.15.2-3
Severity: wishlist
User: reproducible-bui...@lists.alioth.debian.org
Usertags: timezone
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

Dear Maintainer,

Looking at some recent Reproducible Build[1] test results[2] for the Debian
openorienteering-mapper package, the LastRegisterTime value placed into the
SettingsTable table in the .qch (sqlite3 db) file format can vary based on
the build host's configuration.

Inspecting the patch from #875847 and the values that appear in the diffoscope
output from the build logs: the SOURCE_DATE_EPOCH value of the build is used,
as expected, to improve the reproducibility of the build.  It takes the value
of the most recent Debian changelog entry.

However: the patch mutates an existing Qt QDateTime instance (last_modified) to
store the seconds-since-epoch value -- without specifying a timezone for the
value.

I'm not 100% certain, but I think it's likely (given that the duration
between the two timestamps that appear in the diffoscope output is 26 hours,
equal to the local-time-difference between GMT-14 and GMT+12, the two build
timezones) that the last_modified object remains timezone-relative in each
build, and therefore emits differing LastRegisterTime values in ISO format.

  -INSERT INTO SettingsTable 
VALUES('LastRegisterTime','2021-12-27T21:45:41.000');
  +INSERT INTO SettingsTable 
VALUES('LastRegisterTime','2021-12-28T23:45:41.000');

My sense is that the LastRegisterTime column value is probably intended to be
stored in UTC; it may be sufficient to set the timezone of the last_modified
instance to UTC -- taking care to ensure that it is indeed a _set_ timezone
operation and not a _translate_ timezone operation.

Regards,
James

[1] - https://reproducible-builds.org/

[2] - 
https://tests.reproducible-builds.org/debian/rb-pkg/bookworm/arm64/diffoscope-results/openorienteering-mapper.html

[3] - https://doc.qt.io/qt-5/qdatetime.html
--- End Message ---
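
The effect described in the report above, as an added example that is not part of the original message and is not code from qhelpgenerator or the upstream patch: one SOURCE_DATE_EPOCH value rendered through local time under the two build timezones, and through UTC. It uses the C library rather than Qt; the epoch value is constructed from the two LastRegisterTime strings quoted in the report, and the function names and the POSIX TZ strings are assumptions made for the example.

```cpp
// Added example: why a SOURCE_DATE_EPOCH rendered through local time is not
// reproducible. Not code from qhelpgenerator or from the Debian/Qt patch.
#include <cstdio>
#include <cstdlib>
#include <ctime>
#include <string>

// Constructed value: the one instant that renders as both LastRegisterTime
// strings quoted in the report (2021-12-27T21:45:41 at UTC-12 and
// 2021-12-28T23:45:41 at UTC+14).
static const std::time_t kSourceDateEpoch = 1640684741;

// POSIX TZ strings with made-up zone names AAA/BBB. The sign is inverted
// relative to ISO offsets: "AAA12" is UTC-12 and "BBB-14" is UTC+14.
static const char *const kTzUtcMinus12 = "AAA12";
static const char *const kTzUtcPlus14 = "BBB-14";

static std::string format_iso(const std::tm &tm) {
    char buf[32];
    std::strftime(buf, sizeof buf, "%Y-%m-%dT%H:%M:%S", &tm);
    return std::string(buf) + ".000";
}

// Zone-relative rendering: the wall-clock time of whichever TZ the build
// host happens to be configured with.
std::string render_local(std::time_t epoch, const char *posix_tz) {
    setenv("TZ", posix_tz, 1);
    tzset();
    std::tm tm{};
    localtime_r(&epoch, &tm);
    return format_iso(tm);
}

// Zone-independent rendering: identical on every build host.
std::string render_utc(std::time_t epoch) {
    std::tm tm{};
    gmtime_r(&epoch, &tm);
    return format_iso(tm);
}

// Gap in seconds between two zone-less ISO strings when a consumer reads
// both as if they were in the same zone (what diffoscope shows as a diff).
long long apparent_gap_seconds(const std::string &a, const std::string &b) {
    auto parse = [](const std::string &iso) -> long long {
        int y, mo, d, h, mi, s;
        if (std::sscanf(iso.c_str(), "%d-%d-%dT%d:%d:%d",
                        &y, &mo, &d, &h, &mi, &s) != 6)
            return -1;
        std::tm tm{};
        tm.tm_year = y - 1900;
        tm.tm_mon = mo - 1;
        tm.tm_mday = d;
        tm.tm_hour = h;
        tm.tm_min = mi;
        tm.tm_sec = s;
        return static_cast<long long>(timegm(&tm));  // ignores TZ
    };
    return parse(b) - parse(a);
}

int main() {
    const std::string west = render_local(kSourceDateEpoch, kTzUtcMinus12);
    const std::string east = render_local(kSourceDateEpoch, kTzUtcPlus14);
    std::printf("local, UTC-12 host: %s\n", west.c_str());
    std::printf("local, UTC+14 host: %s\n", east.c_str());
    std::printf("apparent gap:       %lld h\n",
                apparent_gap_seconds(west, east) / 3600);
    // The UTC rendering does not change when TZ does.
    std::printf("UTC, either host:   %s\n", render_utc(kSourceDateEpoch).c_str());
    return 0;
}
```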
--- Begin Message ---
Source: qttools-opensource-src
Source-Version: 5.15.10-6
Done: Dmitry Shachnev 

We believe that the bug you reported is fixed in the latest version of
qttools-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev  (supplier of updated 
qttools-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 17 Feb 2024 15:27:24 +0300
Source: qttools-opensource-src
Architecture: source
Version: 5.15.10-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers
Changed-By: Dmitry Shachnev
Closes: 1059592 1059631
Changes:
 qttools-opensource-src (5.15.10-6) unstable; urgency=medium
 .
   * Backport upstream patch to ensure FileAttributeSetTable is filled
     ordered (closes: #1059592).
   * Backport upstream patch to localize SOURCE_DATE_EPOCH to UTC in
     qhelpgenerator (closes: #1059631).

Bug#1059592: marked as done (qhelpgenerator-qt5: emits .qch file attribute entries with unpredictable ordering)

2024-02-17 Thread Debian Bug Tracking System
Your message dated Sun, 18 Feb 2024 00:38:28 +
with message-id 
and subject line Bug#1059592: fixed in qttools-opensource-src 5.15.10-6
has caused the Debian Bug report #1059592,
regarding qhelpgenerator-qt5: emits .qch file attribute entries with 
unpredictable ordering
to be marked as done.

-- 
1059592: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059592
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: qhelpgenerator-qt5
Severity: wishlist
Tags: patch
User: reproducible-bui...@lists.alioth.debian.org
Usertags: randomness
X-Debbugs-Cc: reproducible-b...@lists.alioth.debian.org

Dear Maintainer,

I'm an occasional contributor to Debian's reproducible builds, and noticed
a recent reproducibility test failure[1] for the qtwebview-opensource-src
source package that has a build-dependency on qhelpgenerator-qt5.

The problem relates to a documentation file -- qtwebview.qch -- that is built
by the qhelpgenerator binary.

In particular, when qhelpgenerator collects items for a FileAttributeSetTable
table in the .qch file -- which is a SQLite3 database -- it uses a Qt QSet
data structure.  Crucially, that data structure does _not_ guarantee sort
ordering (neither insertion-order nor key-order) when retrieving items,
as documented[2].

I'll offer a patch shortly that adds a sort step, consistent with another
similar sort that occurs within the same helpgenerator.cpp code file.

In terms of testing:  I've confirmed that the package compiles with my patch,
and that the resulting qhelpgenerator-qt5 binary package can be used to build
the src:qtwebview-opensource-src package and produces a qtwebview.qch file with
the expected table records in the expected order.

Thanks,
James


[1] - 
https://tests.reproducible-builds.org/debian/rb-pkg/trixie/arm64/qtwebview-opensource-src.html

[2] - https://doc.qt.io/qt-5/qset.html
--- End Message ---
--- Begin Message ---
Source: qttools-opensource-src
Source-Version: 5.15.10-6
Done: Dmitry Shachnev 

We believe that the bug you reported is fixed in the latest version of
qttools-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev  (supplier of updated 
qttools-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)


Format: 1.8
Date: Sat, 17 Feb 2024 15:27:24 +0300
Source: qttools-opensource-src
Architecture: source
Version: 5.15.10-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers
Changed-By: Dmitry Shachnev
Closes: 1059592 1059631
Changes:
 qttools-opensource-src (5.15.10-6) unstable; urgency=medium
 .
   * Backport upstream patch to ensure FileAttributeSetTable is filled
     ordered (closes: #1059592).
   * Backport upstream patch to localize SOURCE_DATE_EPOCH to UTC in
     qhelpgenerator (closes: #1059631).

qttools-opensource-src_5.15.10-6_source.changes ACCEPTED into unstable

2024-02-17 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

Format: 1.8
Date: Sat, 17 Feb 2024 15:27:24 +0300
Source: qttools-opensource-src
Architecture: source
Version: 5.15.10-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers
Changed-By: Dmitry Shachnev
Closes: 1059592 1059631
Changes:
 qttools-opensource-src (5.15.10-6) unstable; urgency=medium
 .
   * Backport upstream patch to ensure FileAttributeSetTable is filled
     ordered (closes: #1059592).
   * Backport upstream patch to localize SOURCE_DATE_EPOCH to UTC in
     qhelpgenerator (closes: #1059631).


qtbase-opensource-src_5.15.10+dfsg-7_source.changes ACCEPTED into unstable

2024-02-17 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

Format: 1.8
Date: Sat, 17 Feb 2024 15:11:37 +0300
Source: qtbase-opensource-src
Architecture: source
Version: 5.15.10+dfsg-7
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers
Changed-By: Dmitry Shachnev
Closes: 1064053
Changes:
 qtbase-opensource-src (5.15.10+dfsg-7) unstable; urgency=medium
 .
   * Backport upstream patch to fix potential buffer overflow when reading
     KTX images (CVE-2024-25580, closes: #1064053).


Bug#1040586: marked as done (krita: Krita Comics Manager crashes creating new template or page)

2024-02-17 Thread Debian Bug Tracking System
Your message dated Sat, 17 Feb 2024 21:55:13 +0100
with message-id 

and subject line Re: krita: Krita Comics Manager crashes creating new template 
or page
has caused the Debian Bug report #1040586,
regarding krita: Krita Comics Manager crashes creating new template or page
to be marked as done.

-- 
1040586: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1040586
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: krita
Version: 1:5.1.5+dfsg-2
Severity: normal
X-Debbugs-Cc: fenix...@gmail.com

Dear Maintainer,


   * What led up to the situation?

Creating a new page with the Krita Comic Manager Docker plugin throws exceptions:

   * How to reproduce the error:

 1) Open Comics Manager Docker from Settings/Dockers.
 2) Create new project.
 3) Create new page and Create Template. We get an error.

  If you paste a previous template, you get another error creating a new page.


  These are the errors:

   1) Creating a new template throws:


TypeError
Python 3.11.4: /usr/bin/python3
Fri Jul  7 20:12:19 2023

A problem occurred in a Python script.  Here is the sequence of
function calls leading up to the error, in the order they occurred.

/usr/share/krita/pykrita/comics_project_management_tools/comics_template_dialog.py
in
slot_create_template(self=)
  112
  113 if create.exec_() == QDialog.Accepted:
  114 if (create.prepare_krita_file()):
  115 self.fill_templates()
  116
create =

create.prepare_krita_file = >

/usr/share/krita/pykrita/comics_project_management_tools/comics_template_dialog.py
in
prepare_krita_file(self=)
  298 mB =
self.marginBottomUnit.pixelsForUnit(self.marginBottom.value(),
self.DPI.value())
  299
  300 template = Application.createDocument((wBase + bL + bR), (hBase +
bT + bB), self.templateName.text(), "RGBA", "U8", "sRGB built-in",
self.DPI.value())
  301
  302 backgroundName = i18n("Background")
template undefined
builtinApplication = 
Application.createDocument = 
wBase = 2480.314960629921
bL = 59.055118110236215
bR = 59.055118110236215
hBase = 3507.874015748031
bT = 118.11023622047243
bB = 118.11023622047243
self =

self.templateName = 
self.templateName.text = 
self.DPI = 
self.DPI.value = 
TypeError: createDocument(self, int, int, str, str, str, str, float): argument
1 has unexpected type 'float'

The above is a description of an error in a Python program.  Here is
the original traceback:

Traceback (most recent call last):
  File
"/usr/share/krita/pykrita/comics_project_management_tools/comics_template_dialog.py",
line 114, in slot_create_template
if (create.prepare_krita_file()):
^^^
  File
"/usr/share/krita/pykrita/comics_project_management_tools/comics_template_dialog.py",
line 300, in prepare_krita_file
template = Application.createDocument((wBase + bL + bR), (hBase + bT + bB),
self.templateName.text(), "RGBA", "U8", "sRGB built-in", self.DPI.value())
^^^
TypeError: createDocument(self, int, int, str, str, str, str, float): argument
1 has unexpected type 'float'



  2) Creating a page using a previous template throws:



TypeError
Python 3.11.4: /usr/bin/python3
Fri Jul  7 20:15:31 2023

A problem occurred in a Python script.  Here is the sequence of
function calls leading up to the error, in the order they occurred.

/usr/share/krita/pykrita/comics_project_management_tools/comics_project_manager_docker.py
in
paint(self=, painter=,
option=,
index=)
   94 thumbImage = icon.pixmap(imageSizeHighDPI).toImage()
   95 thumbImage.setDevicePixelRatio(self.devicePixelRatioF)
   96 painter.drawImage(QRect(leftSideThumbnail, topSizeThumbnail,
i

Processing of qtbase-opensource-src_5.15.10+dfsg-7_source.changes

2024-02-17 Thread Debian FTP Masters
qtbase-opensource-src_5.15.10+dfsg-7_source.changes uploaded successfully to 
localhost
along with the files:
  qtbase-opensource-src_5.15.10+dfsg-7.dsc
  qtbase-opensource-src_5.15.10+dfsg-7.debian.tar.xz
  qtbase-opensource-src_5.15.10+dfsg-7_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Processing of qttools-opensource-src_5.15.10-6_source.changes

2024-02-17 Thread Debian FTP Masters
qttools-opensource-src_5.15.10-6_source.changes uploaded successfully to 
localhost
along with the files:
  qttools-opensource-src_5.15.10-6.dsc
  qttools-opensource-src_5.15.10-6.debian.tar.xz
  qttools-opensource-src_5.15.10-6_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Processed: Bug#1064053 marked as pending in qtbase-opensource-src

2024-02-17 Thread Debian Bug Tracking System
Processing control commands:

> tag -1 pending
Bug #1064053 [src:qtbase-opensource-src] qtbase-opensource-src: CVE-2024-25580
Bug #1064056 [src:qtbase-opensource-src] qtbase-opensource-src: CVE-2024-25580
Added tag(s) pending.
Added tag(s) pending.

-- 
1064053: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064053
1064056: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1064056
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1064103: qt5-gtk-platformtheme: Qt and KDE applications look pretty bad on a Gnome desktop (even with qt5-gtk-platformtheme installed)

2024-02-17 Thread Ralf Jung
Package: qt5-gtk-platformtheme
Version: 5.15.10+dfsg-6
Severity: normal

Dear Maintainer,

the default experience of starting a Qt or KDE application in a Gnome desktop on
Debian is not great: the default widget style is very different from what one
sees in a KDE desktop (and it's not very pretty either), and the cursor is way
too big. I will attach a screenshot demonstrating the problem (if reportbug lets
me). This is despite installing qt5-gtk-platformtheme.

So far, I have managed to partially work around this:
- I have installed qt5ct
- I have edited my ~/.profile to set QT_QPA_PLATFORMTHEME=qt5ct
- I have selected the "Breeze" theme in qt5ct

This helps a lot, but few non-experts are going to be able to find these steps.

And even after all these steps, the cursor is still way too big when moving 
into Qt or KDE windows.
(I originally reported this as a KDE bug: 
https://bugs.kde.org/show_bug.cgi?id=480272,
but I was told that I should report this against the distro.)

Kind regards,
Ralf

-- System Information:
Debian Release: trixie/sid
  APT prefers testing
  APT policy: (500, 'testing')
Architecture: amd64 (x86_64)
Foreign Architectures: i386

Kernel: Linux 6.6.15-amd64 (SMP w/20 CPU threads; PREEMPT)
Locale: LANG=en_US.UTF-8, LC_CTYPE=en_US.UTF-8 (charmap=UTF-8), 
LANGUAGE=en_US:en
Shell: /bin/sh linked to /usr/bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled

Versions of packages qt5-gtk-platformtheme depends on:
ii  libc6  2.37-15
ii  libglib2.0-0   2.78.3-2
ii  libgtk-3-0 3.24.41-1
ii  libpango-1.0-0 1.51.0+ds-4
ii  libqt5core5a [qtbase-abi-5-15-10]  5.15.10+dfsg-6
ii  libqt5dbus55.15.10+dfsg-6
ii  libqt5gui5 5.15.10+dfsg-6
ii  libstdc++6 14-20240201-3
ii  libx11-6   2:1.8.7-1

qt5-gtk-platformtheme recommends no packages.

qt5-gtk-platformtheme suggests no packages.

-- no debconf information