Your message dated Wed, 31 May 2023 22:09:27 +0200 with message-id <64ef3095-e5eb-6a54-d48c-fbe1e5ec5...@debian.org> and subject line Re: Bug#1036867: unblock: qt6-base/6.4.2+dfsg-10 has caused the Debian Bug report #1036867, regarding unblock: qt6-base/6.4.2+dfsg-10 to be marked as done.
This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact ow...@bugs.debian.org immediately.)

--
1036867: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036867
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: delta...@debian.org,debian-qt-...@lists.debian.org

Please unblock package qt6-base

[ Reason ]
Fixes CVE-2023-33285 that prevents a buffer overflow.

[ Impact ]
Lack of security fixes.

[ Tests ]
Tested by upstream, do not break API/ABI, seems safe.

[ Risks ]
None that I can think of.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock qt6-base/6.4.2+dfsg-10

diffstat for qt6-base-6.4.2+dfsg qt6-base-6.4.2+dfsg changelog | 7 ++++ patches/cve-2023-33285.diff | 70 ++++++++++++++++++++++++++++++++++++++++++++ patches/series | 3 + 3 files changed, 79 insertions(+), 1 deletion(-) diff -Nru qt6-base-6.4.2+dfsg/debian/changelog qt6-base-6.4.2+dfsg/debian/changelog --- qt6-base-6.4.2+dfsg/debian/changelog 2023-05-22 16:40:45.000000000 +0200 +++ qt6-base-6.4.2+dfsg/debian/changelog 2023-05-28 10:41:24.000000000 +0200 @@ -1,3 +1,10 @@ +qt6-base (6.4.2+dfsg-10) unstable; urgency=medium + + [ Patrick Franz ] + * Add patch to fix CVE-2023-33285 (Closes: #1036848). + + -- Patrick Franz <delta...@debian.org> Sun, 28 May 2023 10:41:24 +0200 + qt6-base (6.4.2+dfsg-9) unstable; urgency=medium * Team upload. diff -Nru qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff --- qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff 1970-01-01 01:00:00.000000000 +0100 +++ qt6-base-6.4.2+dfsg/debian/patches/cve-2023-33285.diff 2023-05-28 10:40:55.000000000 +0200 
@@ -0,0 +1,70 @@ +diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp +index 75f7c6c440..de0113494f 100644 +--- a/src/network/kernel/qdnslookup_unix.cpp ++++ b/src/network/kernel/qdnslookup_unix.cpp +@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + // responseLength in case of error, we still can extract the + // exact error code from the response. + HEADER *header = (HEADER*)response; +- const int answerCount = ntohs(header->ancount); + switch (header->rcode) { + case NOERROR: + break; +@@ -226,18 +225,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + return; + } + +- // Skip the query host, type (2 bytes) and class (2 bytes). + char host[PACKETSZ], answer[PACKETSZ]; + unsigned char *p = response + sizeof(HEADER); +- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +- if (status < 0) { ++ int status; ++ ++ if (ntohs(header->qdcount) == 1) { ++ // Skip the query host, type (2 bytes) and class (2 bytes). ++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); ++ if (status < 0) { ++ reply->error = QDnsLookup::InvalidReplyError; ++ reply->errorString = tr("Could not expand domain name"); ++ return; ++ } ++ if ((p - response) + status + 4 >= responseLength) ++ header->qdcount = 0xffff; // invalid reply below ++ else ++ p += status + 4; ++ } ++ if (ntohs(header->qdcount) > 1) { + reply->error = QDnsLookup::InvalidReplyError; +- reply->errorString = tr("Could not expand domain name"); ++ reply->errorString = tr("Invalid reply received"); + return; + } +- p += status + 4; + + // Extract results. 
++ const int answerCount = ntohs(header->ancount); + int answerIndex = 0; + while ((p < response + responseLength) && (answerIndex < answerCount)) { + status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +@@ -249,6 +261,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + const QString name = QUrl::fromAce(host); + + p += status; ++ ++ if ((p - response) + 10 > responseLength) { ++ // probably just a truncated reply, return what we have ++ return; ++ } + const quint16 type = (p[0] << 8) | p[1]; + p += 2; // RR type + p += 2; // RR class +@@ -256,6 +273,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + p += 4; + const quint16 size = (p[0] << 8) | p[1]; + p += 2; ++ if ((p - response) + size > responseLength) ++ return; // truncated + + if (type == QDnsLookup::A) { + if (size != 4) { diff -Nru qt6-base-6.4.2+dfsg/debian/patches/series qt6-base-6.4.2+dfsg/debian/patches/series --- qt6-base-6.4.2+dfsg/debian/patches/series 2023-05-22 16:37:22.000000000 +0200 +++ qt6-base-6.4.2+dfsg/debian/patches/series 2023-05-28 10:22:01.000000000 +0200 @@ -1,6 +1,7 @@ -# fixed in 6.5 +# fixed in 6.5.1 cve-2023-32762.diff cve-2023-32763.diff +cve-2023-33285.diff upstream_Add-HPPA-detection.patch upstream_Add-M68k-detection.patch
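Review bot: debian/patches/cve-2023-33285.diff begins directly at its `diff --git a/src/network/kernel/qdnslookup_unix.cpp` line, with no description or origin header, so the file itself does not record which upstream change it was taken from. A short header naming the upstream commit and the bug it closes (the changelog entry cites #1036848) would let whoever next rebases the package onto a release that already carries the fix drop the patch with confidence.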
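Review bot: in the question-section hunk (`@@ -226,18 +225,31 @@`), the overrun case is signalled by writing `header->qdcount = 0xffff` into the received packet and relying on the following `ntohs(header->qdcount) > 1` test to reject it. That works only because 0xffff reads the same in either byte order, and it modifies the buffer being parsed; setting `reply->error = QDnsLookup::InvalidReplyError` and returning at that point would express the same outcome directly. The comparison is also `>=`, so as the visible lines read, a reply that ends exactly after its single question is reported as "Invalid reply received" instead of yielding an empty result; a comment is warranted if that is intended.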
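Review bot: in the hunk at `@@ -249,6 +261,11 @@`, the constant in `(p - response) + 10 > responseLength` is unexplained. It matches the fixed fields consumed just below (2 bytes of type, 2 of class, the 4-byte skip and the 2-byte size), so a named constant or a one-line comment saying so would keep the check in step with the parsing code if either is changed later.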
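Review bot: in the hunk at `@@ -256,6 +273,8 @@`, `return; // truncated` leaves `reply->error` untouched, while the question-section path earlier in the same patch sets `QDnsLookup::InvalidReplyError` for a reply that runs past its end. A record whose declared size exceeds the remaining bytes can be malformed input as well as a short read, and with a bare return the caller cannot tell a partial result from a complete one. Either set the error here or extend the comment to say why a silent partial result is acceptable.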
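Review bot: in debian/patches/series, the comment is changed from `# fixed in 6.5` to `# fixed in 6.5.1`, but it still heads cve-2023-32762.diff and cve-2023-32763.diff as well as the new cve-2023-33285.diff. If the two existing patches were fixed in a different upstream release than the new one, give the new entry its own comment line instead of editing the shared one.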
--- End Message ---
--- Begin Message ---
Hi,

On 28-05-2023 10:58, Patrick Franz wrote:
> unblock qt6-base/6.4.2+dfsg-10

Unblocked, thanks.

Paul
--- End Message ---