Bug#1035986: Built without GLESv2 support causing errors on machines only supporting GLES

2023-05-22 Thread Lisandro Damián Nicanor Pérez Meyer
Hi Erik!

On Fri, 12 May 2023 at 05:51, Erik Inkinen wrote:
>
> Package: qt6-base
> Severity: normal
>
> Qt5 packages had separate GLES versions packaged in Debian, but on Qt6
> the rendering backend was revamped by Qt so that the same binaries can
> support desktop GL and GLES.
>
> For some reason, the current Debian packaging does not include libGLES
> development headers in Build-Depends. When configuring the build, Qt
> will not be able to enable GLESv2 support. These packages then cannot be
> used to render anything on devices that do not support desktop GL, but
> have GLES support.
>
> I have confirmed that building with GLES packages indeed fixes the errors.

This is an interesting bug, thanks! Sadly it is too late in the
release process to tackle it, but I'll fix it after bookworm's release
and hopefully do a stable update.



Bug#1034815: marked as done (kontact: Can't fetch, send or save emails/ tasks or contacts: Failed to append item)

2023-05-22 Thread Debian Bug Tracking System
Your message dated Mon, 22 May 2023 23:23:52 -0300
with message-id 

and subject line Closing with version
has caused the Debian Bug report #1034815,
regarding kontact: Can't fetch, send or save emails/ tasks or contacts: Failed 
to append item
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)


-- 
1034815: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034815
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---

Package: kontact
Version: 4:20.08.3-1
Severity: important
X-Debbugs-Cc: gentler...@poesteo.eu

Dear Maintainer,

*** Reporter, please consider answering these questions, where 
appropriate ***



* What led up to the situation?
   - apt dist-Upgrade
* What exactly did you do (or not do) that was effective (or
 ineffective)?
* What was the outcome of this action?
   - turning it off and on again ;)
   - downgraded mariaDB:
```
apt install mariadb-common=1:10.5.18-0+deb11u1 
mariadb-server-core-10.5=1:10.5.18-0+deb11u1 
mariadb-client-10.5=1:10.5.18-0+deb11u1 libmariadb3=1:10.5.18-0+deb11u1 
mariadb-client-core-10.5>

```
   -> no change
restored actual version with ```apt dist-upgrade```
   -> no change

* What outcome did you expect instead?
   - being able to fetch, send or save emails/ tasks or contacts



Messages from the Konsole
Regularly occurring:
org.kde.kitinerary: Cannot find external extractor: 
"kitinerary-extractor"

When trying to save a draft:
```
org.kde.kitinerary: Cannot find external extractor: 
"kitinerary-extractor"
org.kde.kitinerary: Cannot find external extractor: 
"kitinerary-extractor"
org.kde.kitinerary: Cannot find external extractor: 
"kitinerary-extractor"
org.kde.pim.messagecomposer: Failed to save a message: "Failed to append 
item"

 loadExternal false  mHtmlLoadExtOverride  false
org.kde.kitinerary: Cannot find external extractor: 
"kitinerary-extractor"
org.kde.kitinerary: Cannot find external extractor: 
"kitinerary-extractor"

 loadExternal false  mHtmlLoadExtOverride  false
```
When trying to send an email:
- no Konsole Output
- error box opens "Es gab Probleme beim Einreihen der Nachricht in die 
Sende-Warteschlange: Failed to append item" (translation: There are 
problems with appending the message to the send queue)

When trying to create a task:
- error box: "Es ist nicht möglich, das Ereignis in den Kalender 
aufzunehmen. Nochmal versuchen? Grund: Failed to append item" 
(translation: It is not possible to add this event to the calendar. Try 
again? Reason: Failed to append item)

```
QObject::disconnect: Unexpected nullptr parameter
kf.xmlgui: KActionCollection::setComponentName does not work on a 
KActionCollection containing actions! "korganizer"
org.kde.pim.incidenceeditor: free slot calculation: invalid range. 
range(  0 ) / mSlotResolutionSeconds( 900 ) =  0

"Failed to append item"
org.kde.pim.incidenceeditor: Creation failed  "Failed to append item"
qt.qpa.xcb: QXcbConnection: XCB error: 3 (BadWindow), sequence: 35788, 
resource id: 15993454, major code: 40 (TranslateCoords), minor code: 0

```
When trying to create new contact:
- no error box
- no Konsole Output
- create contact window closes, but no contact is created


*** End of the template - remove these template lines ***


-- System Information:
Debian Release: 11.6
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 
'stable-debug'), (500, 'proposed-updates'), (500, 'stable')

Architecture: amd64 (x86_64)

Kernel: Linux 5.10.0-21-amd64 (SMP w/4 CPU threads)
Kernel taint flags: TAINT_WARN, TAINT_OOT_MODULE, TAINT_UNSIGNED_MODULE
Locale: LANG=de_DE.UTF-8, LC_CTYPE=de_DE.UTF-8 (charmap=UTF-8), 
LANGUAGE=de

Shell: /bin/sh linked to /bin/dash
Init: systemd (via /run/systemd/system)
LSM: AppArmor: enabled



Versions of packages kontact depends on:
ii  kdepim-runtime                                    4:20.08.3-1
ii  libc6                                             2.31-13+deb11u5
ii  libkf5configcore5                                 5.78.0-4
ii  libkf5configgui5                                  5.78.0-4
ii  libkf5configwidgets5                              5.78.0-2
ii  libkf5coreaddons5                                 5.78.0-4
ii  libkf5crash5                                      5.78.0-3
ii  libkf5grantleetheme5 [libkf5grantleetheme5-20.08] 20.08.3-1
ii  libkf5i18n5                                       5.78.0-2
ii  libkf5iconthemes5                                 5.78.0-2
ii  libkf5jobwidgets5                                 5.78.0-2
ii  

Re: Checksum error in some packages

2023-05-22 Thread Lisandro Damián Nicanor Pérez Meyer
Hi Antonio!

On Tue, 2 May 2023 at 09:30, Antonio wrote:
>
> Hello,
> can you check these packages?
>
> Periodic debsums return "checksum errors" for these files:
>
> $ debsums -c

This sounds like an issue on your system, except I am missing
something in debsums. But if something went wrong on Debian side it
should have been reported many times already.



Processed: Re: libqt5quick5: Qt segfault on amd64

2023-05-22 Thread Debian Bug Tracking System
Processing commands for cont...@bugs.debian.org:

> tag 1034457 unreproducible moreinfo
Bug #1034457 [libqt5quick5] libqt5quick5: Qt segfault on amd64
Added tag(s) unreproducible and moreinfo.
> thanks
Stopping processing here.

Please contact me if you need assistance.
-- 
1034457: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1034457
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems



Bug#1034457: libqt5quick5: Qt segfault on amd64

2023-05-22 Thread Lisandro Damian Nicanor Perez Meyer
tag 1034457 unreproducible moreinfo
thanks

Hi!

On Saturday, 15 April 2023 18:51:18 -03 Julian Groß wrote:
> Package: libqt5quick5
> Version: 5.15.8+dfsg-3
> Severity: normal
> 
> Dear Maintainer,
> 
> we ran into what appears to be a segmentation fault in Qt.
> One of the last places it runs into is QQuickOpenGLShaderEffectCommon which
> is why I am reporting it towards this package.

Well, when you have a crash you are supposed to file a bug against the 
application that triggers the segfault. If this is the case, then please close 
this bug (or just reply asking us to do it) and then file a new bug to the 
application itself, so all the relevant metadata is there.

If the application that triggers the bug is not in Debian then you must add a 
complete small example code to trigger the bug.

Thanks, Lisandro.



qt6-svg_6.4.2-2~bpo11+1_source.changes ACCEPTED into bullseye-backports

2023-05-22 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 22 May 2023 13:39:56 -0300
Source: qt6-svg
Architecture: source
Version: 6.4.2-2~bpo11+1
Distribution: bullseye-backports
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers 
Changed-By: Lisandro Damián Nicanor Pérez Meyer 
Changes:
 qt6-svg (6.4.2-2~bpo11+1) bullseye-backports; urgency=medium
 .
   * Rebuild for bullseye-backports.
 .
 qt6-svg (6.4.2-2) unstable; urgency=medium
 .
   * Team upload.
   * Add patch to solve CVE-2023-32573.

-BEGIN PGP SIGNATURE-

-END PGP SIGNATURE-



qt6-base_6.4.2+dfsg-9~bpo11+1_source.changes ACCEPTED into bullseye-backports

2023-05-22 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 22 May 2023 13:41:56 -0300
Source: qt6-base
Architecture: source
Version: 6.4.2+dfsg-9~bpo11+1
Distribution: bullseye-backports
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers 
Changed-By: Lisandro Damián Nicanor Pérez Meyer 
Changes:
 qt6-base (6.4.2+dfsg-9~bpo11+1) bullseye-backports; urgency=medium
 .
   * Rebuild for bullseye-backports.
 .
 qt6-base (6.4.2+dfsg-9) unstable; urgency=medium
 .
   * Team upload.
   * Add a patch to fix CVE-2023-32762.
 .
 qt6-base (6.4.2+dfsg-8) unstable; urgency=medium
 .
   * Team upload.
   * Add patch for solving CVE-2023-32763.
   * Refresh patches.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Bug#1036564: unblock: qt6-base/6.4.2+dfsg-9

2023-05-22 Thread Lisandro Damián Nicanor Pérez Meyer
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qt6-b...@packages.debian.org, delta...@debian.org, 
lisan...@debian.org
Control: affects -1 + src:qt6-base

Please unblock package qt6-base

[ Reason ]
Fixes CVE-2023-32762 and CVE-2023-32763. One prevents a crash with SVG
(not related to the one in qtsvg-opensource-src) and the other one
related to a security header parsing in the network module.

[ Impact ]
Lack of security fixes.

[ Tests ]
Tested by upstream, do not break API/ABI, seems safe.

[ Risks ]
None that I can think of.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock qt6-base/6.4.2+dfsg-9
diff --git a/debian/changelog b/debian/changelog
index b117abd..85ce31b 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,18 @@
+qt6-base (6.4.2+dfsg-9) unstable; urgency=medium
+
+  * Team upload.
+  * Add a patch to fix CVE-2023-32762.
+
+ -- Lisandro Damián Nicanor Pérez Meyer   Mon, 22 May 
2023 11:40:45 -0300
+
+qt6-base (6.4.2+dfsg-8) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch for solving CVE-2023-32763.
+  * Refresh patches.
+
+ -- Lisandro Damián Nicanor Pérez Meyer   Mon, 22 May 
2023 10:42:21 -0300
+
 qt6-base (6.4.2+dfsg-7) unstable; urgency=medium
 
   [ Patrick Franz ]
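Review bot: the two new changelog entries name the CVEs but not the patch files they add or the code those touch, and "Refresh patches." hides that armel-noyield.patch, build_path_embedded_qtbuildinternalsextra_cmake.patch and cross.patch all change in this debdiff. Name the added file in each entry (the 6.4.2+dfsg-9 entry corresponds to debian/patches/cve-2023-32762.diff, which changes src/network/access/qhsts.cpp) so the entries can be matched to the debdiff without opening each patch.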
diff --git a/debian/patches/armel-noyield.patch 
b/debian/patches/armel-noyield.patch
index 37061fb..74b1ae2 100644
--- a/debian/patches/armel-noyield.patch
+++ b/debian/patches/armel-noyield.patch
@@ -1,8 +1,12 @@
 Description: Don't use yield on CPUs that might not support it
 
+---
+ src/corelib/global/qsimd_p.h |2 ++
+ 1 file changed, 2 insertions(+)
+
 --- a/src/corelib/global/qsimd_p.h
 +++ b/src/corelib/global/qsimd_p.h
-@@ -428,7 +428,9 @@ static inline void qYieldCpu()
+@@ -401,7 +401,9 @@ static inline void qYieldCpu()
   https://stackoverflow.com/a/70076751/134841
   https://gcc.gnu.org/bugzilla/show_bug.cgi?id=105416
  */
diff --git 
a/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch 
b/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch
index 2ab0f5e..bf93bca 100644
--- a/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch
+++ b/debian/patches/build_path_embedded_qtbuildinternalsextra_cmake.patch
@@ -9,22 +9,18 @@ and causes reproducibility issues when built in different 
paths.
 
 https://reproducible-builds.org/docs/build-path/
 ---
- cmake/QtBuildInternalsExtra.cmake.in | 3 ---
+ cmake/QtBuildInternalsExtra.cmake.in |3 ---
  1 file changed, 3 deletions(-)
 
-diff --git a/cmake/QtBuildInternalsExtra.cmake.in 
b/cmake/QtBuildInternalsExtra.cmake.in
-index cbd70b1..23b2391 100644
 --- a/cmake/QtBuildInternalsExtra.cmake.in
 +++ b/cmake/QtBuildInternalsExtra.cmake.in
-@@ -53,9 +53,6 @@ endif()
+@@ -75,9 +75,6 @@ endif()
  set(QT_WILL_INSTALL @QT_WILL_INSTALL@ CACHE BOOL
  "Boolean indicating if doing a Qt prefix build (vs non-prefix build)." 
FORCE)
-
+ 
 -set(QT_SOURCE_TREE "@QT_SOURCE_TREE@" CACHE PATH
 -"A path to the source tree of the previously configured QtBase project." 
FORCE)
 -
  # Propagate decision of building tests and examples to other repositories.
  set(QT_BUILD_TESTS @QT_BUILD_TESTS@ CACHE BOOL "Build the testing tree.")
  set(QT_BUILD_EXAMPLES @QT_BUILD_EXAMPLES@ CACHE BOOL "Build Qt examples")
---
-2.35.1
diff --git a/debian/patches/cross.patch b/debian/patches/cross.patch
index 1a7ebd3..239c803 100644
--- a/debian/patches/cross.patch
+++ b/debian/patches/cross.patch
@@ -1,6 +1,11 @@
+---
+ cmake/QtBuildInternals/QtBuildInternalsConfig.cmake |2 --
+ src/tools/configure.cmake   |2 +-
+ 2 files changed, 1 insertion(+), 3 deletions(-)
+
 --- a/cmake/QtBuildInternals/QtBuildInternalsConfig.cmake
 +++ b/cmake/QtBuildInternals/QtBuildInternalsConfig.cmake
-@@ -146,8 +146,6 @@
+@@ -151,8 +151,6 @@ function(qt_build_internals_disable_pkg_
  set(FEATURE_pkg_config "${pkg_config_enabled}" CACHE STRING "Using 
pkg-config")
  if(NOT pkg_config_enabled)
  qt_build_internals_disable_pkg_config()
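Review bot: at the top of cross.patch the refresh only prepends a diffstat, and the first context line after it is already `--- a/cmake/QtBuildInternals/QtBuildInternalsConfig.cmake`, so the patch still has no Description, Author or Forwarded header. Since the file is being touched anyway, add a short DEP-3 header that says why two lines are removed from QtBuildInternalsConfig.cmake and why one line changes in src/tools/configure.cmake.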
@@ -11,7 +16,7 @@
  
 --- a/src/tools/configure.cmake
 +++ b/src/tools/configure.cmake
-@@ -2,7 +2,7 @@
+@@ -2,7 +2,7 @@ qt_feature("androiddeployqt" PRIVATE
  SECTION "Deployment"
  LABEL "Android deployment tool"
  PURPOSE "The Android deployment tool automates the process of creating 
Android packages."
diff --git a/debian/patches/cve-2023-32762.diff 
b/debian/patches/cve-2023-32762.diff
new file mode 100644
index 000..92b76fa
--- /dev/null
+++ b/debian/patches/cve-2023-32762.diff
@@ -0,0 +1,15 @@
+---
+ src/network/access/qhsts.cpp |2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/network/access/qhsts.cpp
 b/src/network/access/qhsts.cpp
+@@ -328,7 +328,7 @@ bool QHstsHeaderParser::parse(const QLis
+ {
+ for (const 
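Review bot: the new debian/patches/cve-2023-32762.diff opens directly with `---` and a diffstat, so it carries no Description, Origin or Last-Update field. Add DEP-3 fields that name the CVE and the upstream source of the one-line change to src/network/access/qhsts.cpp, so the patch can be identified and dropped once a fixed upstream version is packaged.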

Processing of qt6-svg_6.4.2-2~bpo11+1_source.changes

2023-05-22 Thread Debian FTP Masters
qt6-svg_6.4.2-2~bpo11+1_source.changes uploaded successfully to localhost
along with the files:
  qt6-svg_6.4.2-2~bpo11+1.dsc
  qt6-svg_6.4.2-2~bpo11+1.debian.tar.xz
  qt6-svg_6.4.2-2~bpo11+1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Processing of qt6-base_6.4.2+dfsg-9~bpo11+1_source.changes

2023-05-22 Thread Debian FTP Masters
qt6-base_6.4.2+dfsg-9~bpo11+1_source.changes uploaded successfully to localhost
along with the files:
  qt6-base_6.4.2+dfsg-9~bpo11+1.dsc
  qt6-base_6.4.2+dfsg-9~bpo11+1.debian.tar.xz
  qt6-base_6.4.2+dfsg-9~bpo11+1_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Bug#1036563: unblock: qt6-svg/6.4.2-2

2023-05-22 Thread Lisandro Damián Nicanor Pérez Meyer
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qt6-...@packages.debian.org, delta...@debian.org, 
lisan...@debian.org
Control: affects -1 + src:qt6-svg

Please unblock package qt6-svg

[ Reason ]
Fixes CVE-2023-32573.

[ Impact ]
This patch avoids a crash when parsing malformed/crafted SVG files.

[ Tests ]
Done by upstream, it basically makes sure a variable has a default
value.

[ Risks ]
None that I can think of.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock qt6-svg/6.4.2-2
diff --git a/debian/changelog b/debian/changelog
index 41242b5..78f7594 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qt6-svg (6.4.2-2) unstable; urgency=medium
+
+  * Team upload.
+  * Add patch to solve CVE-2023-32573.
+
+ -- Lisandro Damián Nicanor Pérez Meyer   Mon, 22 May 
2023 10:48:50 -0300
+
 qt6-svg (6.4.2-1) unstable; urgency=medium
 
   [ Patrick Franz ]
diff --git a/debian/patches/cve-2023-32573.diff 
b/debian/patches/cve-2023-32573.diff
new file mode 100644
index 000..750f29e
--- /dev/null
+++ b/debian/patches/cve-2023-32573.diff
@@ -0,0 +1,37 @@
+---
+ src/svg/qsvgfont_p.h|5 ++---
+ src/svg/qsvghandler.cpp |2 +-
+ 2 files changed, 3 insertions(+), 4 deletions(-)
+
+--- a/src/svg/qsvgfont_p.h
 b/src/svg/qsvgfont_p.h
+@@ -38,6 +38,7 @@ public:
+ class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted
+ {
+ public:
++static constexpr qreal DEFAULT_UNITS_PER_EM = 1000;
+ QSvgFont(qreal horizAdvX);
+ 
+ void setFamilyName(const QString );
+@@ -50,9 +51,7 @@ public:
+ void draw(QPainter *p, const QPointF , const QString , qreal 
pixelSize, Qt::Alignment alignment) const;
+ public:
+ QString m_familyName;
+-qreal m_unitsPerEm;
+-qreal m_ascent;
+-qreal m_descent;
++qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM;
+ qreal m_horizAdvX;
+ QHash m_glyphs;
+ };
+--- a/src/svg/qsvghandler.cpp
 b/src/svg/qsvghandler.cpp
+@@ -2622,7 +2622,7 @@ static bool parseFontFaceNode(QSvgStyleP
+ 
+ qreal unitsPerEm = toDouble(unitsPerEmStr);
+ if (!unitsPerEm)
+-unitsPerEm = 1000;
++unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
+ 
+ if (!name.isEmpty())
+ font->setFamilyName(name);
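Review bot: in the qsvgfont_p.h hunk (`@@ -50,9 +51,7 @@`) the patch deletes `qreal m_ascent;` and `qreal m_descent;` in addition to giving m_unitsPerEm a default, which changes the layout of a class marked Q_SVG_PRIVATE_EXPORT and is more than the default-value change described in the request. Confirm that nothing left in src/svg and no user of the private headers reads those two members, and mention the removal in the patch header or changelog. The patch file also starts with `---` and a diffstat and has no Description or Origin field.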
diff --git a/debian/patches/series b/debian/patches/series
new file mode 100644
index 000..71efccf
--- /dev/null
+++ b/debian/patches/series
@@ -0,0 +1,2 @@
+# Fixed in 6.5.
+cve-2023-32573.diff


Bug#1036562: unblock: qtbase-opensource-src/5.15.8+dfsg-10

2023-05-22 Thread Lisandro Damián Nicanor Pérez Meyer
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtbase-opensource-...@packages.debian.org, mity...@debian.org, 
lisan...@debian.org
Control: affects -1 + src:qtbase-opensource-src

Please unblock package qtbase-opensource-src

[ Reason ]

This upload:
- Fixes CVE-2023-32762 and CVE-2023-32763. One prevents a crash with SVG
  (not related to the one in qtsvg-opensource-src) and the other one
  related to a security header parsing in the network module.
- Adds a Break/Replaces in order to allow proper handling of systems
  that still had libqtcore4 around (#1035790).
- Backports a patch in order to solve an issue with KWin:
  - https://bugreports.qt.io/browse/QTBUG-98048
  - https://lists.debian.org/debian-kde/2022/11/msg00019.html

[ Impact ]

- Lack of security fixes.
- Breaks the bullseye → bookworm update on some systems.
- Nasty visual effects while drag and dropping.

[ Tests ]

All the patches have been tested by upstream.

The security patches are quite straightforward.
The B/R issue is also straightforward, with a specific Qt4 version
allowing users to keep libqt4 around if necessary.
Drag and dropping just works as expected.

[ Risks ]

Sincerely I don't think there are risks here.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock qtbase-opensource-src/5.15.8+dfsg-10
diff --git a/debian/changelog b/debian/changelog
index 8c172cff..1f5b73f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium
+
+  * Add patches to fix CVE-2023-32762 and CVE-2023-32763.
+
+ -- Lisandro Damián Nicanor Pérez Meyer   Mon, 22 May 
2023 11:31:55 -0300
+
+qtbase-opensource-src (5.15.8+dfsg-9) unstable; urgency=medium
+
+  * Backport upstream patch to fix laggy drag-and-drop with KWin. See:
+- https://bugreports.qt.io/browse/QTBUG-98048
+- https://lists.debian.org/debian-kde/2022/11/msg00019.html
+
+ -- Dmitry Shachnev   Sun, 21 May 2023 12:19:31 +0300
+
 qtbase-opensource-src (5.15.8+dfsg-8) unstable; urgency=medium
 
   * Add back Breaks/Replaces for libqtcore4 (closes: #1035790).
diff --git a/debian/patches/CVE-2023-32762.patch 
b/debian/patches/CVE-2023-32762.patch
new file mode 100644
index ..d0deff76
--- /dev/null
+++ b/debian/patches/CVE-2023-32762.patch
@@ -0,0 +1,17 @@
+---
+ src/network/access/qhsts.cpp |4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/network/access/qhsts.cpp
 b/src/network/access/qhsts.cpp
+@@ -364,8 +364,8 @@ quoted-pair= "\" CHAR
+ bool QHstsHeaderParser::parse(const QList> 
)
+ {
+ for (const auto  : headers) {
+-// We use '==' since header name was already 'trimmed' for us:
+-if (h.first == "Strict-Transport-Security") {
++// We compare directly because header name was already 'trimmed' for 
us:
++if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) 
== 0) {
+ header = h.second;
+ // RFC6797, 8.1:
+ //
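Review bot: the rewritten comment above the comparison ("We compare directly because header name was already 'trimmed' for us") does not say why `==` was replaced; the behavioural change is the `Qt::CaseInsensitive` argument, so a header sent as `strict-transport-security` is now recognised. Reword the comment to state that the header name is matched case-insensitively. The file also has no Description or Origin header, and its name (CVE-2023-32762.patch) does not match the cve-2023-32763.diff naming used for the other patch added in this upload.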
diff --git a/debian/patches/cve-2023-32763.diff 
b/debian/patches/cve-2023-32763.diff
new file mode 100644
index ..b74413dc
--- /dev/null
+++ b/debian/patches/cve-2023-32763.diff
@@ -0,0 +1,50 @@
+---
+ src/gui/painting/qfixed_p.h  |9 +
+ src/gui/text/qtextlayout.cpp |9 ++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/src/gui/painting/qfixed_p.h
 b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include 
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include 
+ #include "QtCore/qsize.h"
+ 
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(i
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed , int i) { return 
f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed ) { return i * 
64 > f.value(); }
+ 
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++int val;
++bool result = add_overflow(v1.value(), v2.value(), );
++r->setValue(val);
++return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug <<(QDebug , const QFixed )
+ { return dbg << f.toReal(); }
+--- a/src/gui/text/qtextlayout.cpp
 b/src/gui/text/qtextlayout.cpp
+@@ -2150,11 +2150,14 @@ found:
+ eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+ } else {
+ eng->minWidth = qMax(eng->minWidth, lbh.minw);
+-eng->maxWidth += line.textWidth;
++if (qAddOverflow(eng->maxWidth, line.textWidth, >maxWidth))
++eng->maxWidth = QFIXED_MAX;
+ }
+ 
+-if (line.textWidth > 0 && item < eng->layoutData->items.size())
+-eng->maxWidth += lbh.spaceData.textWidth;
++if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, 
>maxWidth))
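Review bot: in the new qAddOverflow() helper in qfixed_p.h, `r->setValue(val)` runs even when add_overflow() reports an overflow, so *r receives the wrapped sum before the function returns true. The first call site in qtextlayout.cpp then assigns `eng->maxWidth = QFIXED_MAX`, so the result is correct there, but the helper should either write *r only on success or carry a comment stating that *r is not meaningful when it returns true, so that later callers do not rely on it.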

qtbase-opensource-src_5.15.8+dfsg-10_source.changes ACCEPTED into unstable

2023-05-22 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 22 May 2023 11:31:55 -0300
Source: qtbase-opensource-src
Architecture: source
Version: 5.15.8+dfsg-10
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers 
Changed-By: Lisandro Damián Nicanor Pérez Meyer 
Changes:
 qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium
 .
   * Add patches to fix CVE-2023-32762 and CVE-2023-32763.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



qt6-base_6.4.2+dfsg-9_source.changes ACCEPTED into unstable

2023-05-22 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 22 May 2023 11:40:45 -0300
Source: qt6-base
Architecture: source
Version: 6.4.2+dfsg-9
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers 
Changed-By: Lisandro Damián Nicanor Pérez Meyer 
Changes:
 qt6-base (6.4.2+dfsg-9) unstable; urgency=medium
 .
   * Team upload.
   * Add a patch to fix CVE-2023-32762.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Processing of qt6-base_6.4.2+dfsg-9_source.changes

2023-05-22 Thread Debian FTP Masters
qt6-base_6.4.2+dfsg-9_source.changes uploaded successfully to localhost
along with the files:
  qt6-base_6.4.2+dfsg-9.dsc
  qt6-base_6.4.2+dfsg-9.debian.tar.xz
  qt6-base_6.4.2+dfsg-9_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Processing of qtbase-opensource-src_5.15.8+dfsg-10_source.changes

2023-05-22 Thread Debian FTP Masters
qtbase-opensource-src_5.15.8+dfsg-10_source.changes uploaded successfully to 
localhost
along with the files:
  qtbase-opensource-src_5.15.8+dfsg-10.dsc
  qtbase-opensource-src_5.15.8+dfsg-10.debian.tar.xz
  qtbase-opensource-src_5.15.8+dfsg-10_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



qt6-svg_6.4.2-2_source.changes ACCEPTED into unstable

2023-05-22 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 22 May 2023 10:48:50 -0300
Source: qt6-svg
Architecture: source
Version: 6.4.2-2
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers 
Changed-By: Lisandro Damián Nicanor Pérez Meyer 
Changes:
 qt6-svg (6.4.2-2) unstable; urgency=medium
 .
   * Team upload.
   * Add patch to solve CVE-2023-32573.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



qt6-base_6.4.2+dfsg-8_source.changes ACCEPTED into unstable

2023-05-22 Thread Debian FTP Masters
Thank you for your contribution to Debian.



Accepted:

-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512

Format: 1.8
Date: Mon, 22 May 2023 10:42:21 -0300
Source: qt6-base
Architecture: source
Version: 6.4.2+dfsg-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers 
Changed-By: Lisandro Damián Nicanor Pérez Meyer 
Changes:
 qt6-base (6.4.2+dfsg-8) unstable; urgency=medium
 .
   * Team upload.
   * Add patch for solving CVE-2023-32763.
   * Refresh patches.

-BEGIN PGP SIGNATURE-
-END PGP SIGNATURE-



Processing of qt6-svg_6.4.2-2_source.changes

2023-05-22 Thread Debian FTP Masters
qt6-svg_6.4.2-2_source.changes uploaded successfully to localhost
along with the files:
  qt6-svg_6.4.2-2.dsc
  qt6-svg_6.4.2-2.debian.tar.xz
  qt6-svg_6.4.2-2_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Processing of qt6-base_6.4.2+dfsg-8_source.changes

2023-05-22 Thread Debian FTP Masters
qt6-base_6.4.2+dfsg-8_source.changes uploaded successfully to localhost
along with the files:
  qt6-base_6.4.2+dfsg-8.dsc
  qt6-base_6.4.2+dfsg-8.debian.tar.xz
  qt6-base_6.4.2+dfsg-8_source.buildinfo

Greetings,

Your Debian queue daemon (running on host usper.debian.org)



Bug#1036553: unblock: qtsvg-opensource-src/5.15.8-3

2023-05-22 Thread Dmitry Shachnev
Package: release.debian.org
Severity: normal
User: release.debian@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtsvg-opensource-...@packages.debian.org
Control: affects -1 + src:qtsvg-opensource-src

Please unblock package qtsvg-opensource-src.

[ Reason ]
This fixes a security bug. See:

- https://security-tracker.debian.org/tracker/CVE-2023-32573
- https://www.qt.io/blog/security-advisory-qt-svg

[ Impact ]
Use of uninitialized variable which is undefined behavior, e.g. may lead to
division by zero.

[ Tests ]
The upstream test suite is run during build.

[ Risks ]
The change is quite trivial, it just initializes the variable and uses a 
constant
to keep the value in one place.

[ Checklist ]
  [x] all changes are documented in the d/changelog
  [x] I reviewed all changes and I approve them
  [x] attach debdiff against the package in testing

unblock qtsvg-opensource-src/5.15.8-3

--
Dmitry Shachnev
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,10 @@
+qtsvg-opensource-src (5.15.8-3) unstable; urgency=medium
+
+  * Backport upstream commit to initialize QSvgFont::m_unitsPerEm
+(CVE-2023-32573).
+
+ -- Dmitry Shachnev   Sun, 21 May 2023 19:06:01 +0300
+
 qtsvg-opensource-src (5.15.8-2) unstable; urgency=medium
 
   * Upload to unstable.
--- /dev/null
+++ b/debian/patches/CVE-2023-32573.diff
@@ -0,0 +1,34 @@
+Description: QSvgFont: initialize m_unitsPerEm to fix undefined behavior
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff
+Last-Update: 2023-05-21
+
+--- a/src/svg/qsvgfont_p.h
 b/src/svg/qsvgfont_p.h
+@@ -74,6 +74,7 @@ public:
+ class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted
+ {
+ public:
++static constexpr qreal DEFAULT_UNITS_PER_EM = 1000;
+ QSvgFont(qreal horizAdvX);
+ 
+ void setFamilyName(const QString );
+@@ -86,7 +87,7 @@ public:
+ void draw(QPainter *p, const QPointF , const QString , qreal pixelSize, Qt::Alignment alignment) const;
+ public:
+ QString m_familyName;
+-qreal m_unitsPerEm;
++qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM;
+ qreal m_ascent;
+ qreal m_descent;
+ qreal m_horizAdvX;
+--- a/src/svg/qsvghandler.cpp
 b/src/svg/qsvghandler.cpp
+@@ -2666,7 +2666,7 @@ static bool parseFontFaceNode(QSvgStyleP
+ 
+ qreal unitsPerEm = toDouble(unitsPerEmStr);
+ if (!unitsPerEm)
+-unitsPerEm = 1000;
++unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM;
+ 
+ if (!name.isEmpty())
+ font->setFamilyName(name);
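Review bot: in the qsvgfont_p.h hunk only m_unitsPerEm gets a default; the context lines directly below it still declare `qreal m_ascent;` and `qreal m_descent;` without initializers. Check whether either member is read before it is assigned, and if so give it an in-class default in the same patch, since that would be the same kind of undefined behaviour this patch addresses.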
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1 +1,2 @@
 reject_oversize_svgs.diff
+CVE-2023-32573.diff

