[arch-commits] Commit in qt5/trunk (5 files)
Felix Yan
fyan at archlinux.org
Thu May 14 07:32:12 UTC 2015
Date: Thursday, May 14, 2015 @ 09:32:11
Author: fyan
Revision: 239330
upgpkg: qt5 5.4.1-8
- add patches for CVE-2015-0295, CVE-2015-1858, CVE-2015-1859, CVE-2015-1860
- add patch to fix keypad shortcuts (FS#44676)
Added:
qt5/trunk/CVE-2015-0295.patch
qt5/trunk/CVE-2015-1858_1859.patch
qt5/trunk/CVE-2015-1860.patch
qt5/trunk/keypad-shortcuts.patch
Modified:
qt5/trunk/PKGBUILD
--------------------------+
CVE-2015-0295.patch | 44 +++++++++++++++++++++
CVE-2015-1858_1859.patch | 62 +++++++++++++++++++++++++++++
CVE-2015-1860.patch | 30 ++++++++++++++
PKGBUILD | 21 ++++++++--
keypad-shortcuts.patch | 94 +++++++++++++++++++++++++++++++++++++++++++++
5 files changed, 248 insertions(+), 3 deletions(-)
Added: CVE-2015-0295.patch
===================================================================
--- CVE-2015-0295.patch (rev 0)
+++ CVE-2015-0295.patch 2015-05-14 07:32:11 UTC (rev 239330)
@@ -0,0 +1,44 @@
+From 661f6bfd032dacc62841037732816a583640e187 Mon Sep 17 00:00:00 2001
+From: "Richard J. Moore" <rich at kde.org>
+Date: Sat, 21 Feb 2015 17:43:21 +0000
+Subject: Fix a division by zero when processing malformed BMP files.
+
+This fixes a division by 0 when processing a maliciously crafted BMP
+file. No impact beyond DoS.
+
+Task-number: QTBUG-44547
+Change-Id: Ifcded2c0aa712e90d23e6b3969af0ec3add53973
+Reviewed-by: Thiago Macieira <thiago.macieira at intel.com>
+Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen at theqtcompany.com>
+---
+ src/gui/image/qbmphandler.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index 21c1a2f..df66499 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -314,12 +314,20 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ }
+ } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
+ red_shift = calc_shift(red_mask);
++ if (((red_mask >> red_shift) + 1) == 0)
++ return false;
+ red_scale = 256 / ((red_mask >> red_shift) + 1);
+ green_shift = calc_shift(green_mask);
++ if (((green_mask >> green_shift) + 1) == 0)
++ return false;
+ green_scale = 256 / ((green_mask >> green_shift) + 1);
+ blue_shift = calc_shift(blue_mask);
++ if (((blue_mask >> blue_shift) + 1) == 0)
++ return false;
+ blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+ alpha_shift = calc_shift(alpha_mask);
++ if (((alpha_mask >> alpha_shift) + 1) == 0)
++ return false;
+ alpha_scale = 256 / ((alpha_mask >> alpha_shift) + 1);
+ } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+ blue_mask = 0x000000ff;
+--
+cgit v0.11.0
+
Added: CVE-2015-1858_1859.patch
===================================================================
--- CVE-2015-1858_1859.patch (rev 0)
+++ CVE-2015-1858_1859.patch 2015-05-14 07:32:11 UTC (rev 239330)
@@ -0,0 +1,62 @@
+From 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland at theqtcompany.com>
+Date: Wed, 11 Mar 2015 13:34:01 +0100
+Subject: Fixes crash in bmp and ico image decoding
+
+Fuzzing test revealed that for certain malformed bmp and ico files,
+the handler would segfault.
+
+Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+Reviewed-by: Lars Knoll <lars.knoll at digia.com>
+---
+ src/gui/image/qbmphandler.cpp | 13 +++++++------
+ src/plugins/imageformats/ico/qicohandler.cpp | 2 +-
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index df66499..8acc593 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ p = data + (h-y-1)*bpl;
+ break;
+ case 2: // delta (jump)
+- // Protection
+- if ((uint)x >= (uint)w)
+- x = w-1;
+- if ((uint)y >= (uint)h)
+- y = h-1;
+-
+ {
+ quint8 tmp;
+ d->getChar((char *)&tmp);
+@@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ d->getChar((char *)&tmp);
+ y += tmp;
+ }
++
++ // Protection
++ if ((uint)x >= (uint)w)
++ x = w-1;
++ if ((uint)y >= (uint)h)
++ y = h-1;
++
+ p = data + (h-y-1)*bpl + x;
+ break;
+ default: // absolute mode
+diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
+index 00de0c8..ec1654e 100644
+--- a/src/plugins/imageformats/ico/qicohandler.cpp
++++ b/src/plugins/imageformats/ico/qicohandler.cpp
+@@ -567,7 +567,7 @@ QImage ICOReader::iconAt(int index)
+ QImage::Format format = QImage::Format_ARGB32;
+ if (icoAttrib.nbits == 24)
+ format = QImage::Format_RGB32;
+- else if (icoAttrib.ncolors == 2)
++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+ format = QImage::Format_Mono;
+ else if (icoAttrib.ncolors > 0)
+ format = QImage::Format_Indexed8;
+--
+cgit v0.11.0
+
Added: CVE-2015-1860.patch
===================================================================
--- CVE-2015-1860.patch (rev 0)
+++ CVE-2015-1860.patch 2015-05-14 07:32:11 UTC (rev 239330)
@@ -0,0 +1,30 @@
+From d3048a29797ee2d80d84bbda26bb3c954584f332 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland at theqtcompany.com>
+Date: Wed, 11 Mar 2015 09:00:41 +0100
+Subject: Fixes crash in gif image decoder
+
+Fuzzing test revealed that for certain malformed gif files,
+qgifhandler would segfault.
+
+Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
+Reviewed-by: Richard J. Moore <rich at kde.org>
+---
+ src/gui/image/qgifhandler.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
+index 03e46ab..8d8c4ae 100644
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -936,6 +936,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co
+
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++ if (out_of_bounds)
++ return;
+ int my;
+ switch (interlace) {
+ case 0: // Non-interlaced
+--
+cgit v0.11.0
+
Modified: PKGBUILD
===================================================================
--- PKGBUILD 2015-05-14 07:09:47 UTC (rev 239329)
+++ PKGBUILD 2015-05-14 07:32:11 UTC (rev 239330)
@@ -28,7 +28,7 @@
'qt5-x11extras'
'qt5-xmlpatterns')
pkgver=5.4.1
-pkgrel=7
+pkgrel=8
arch=('i686' 'x86_64')
url='http://qt-project.org/'
license=('GPL3' 'LGPL' 'FDL' 'custom')
@@ -44,7 +44,9 @@
source=("http://download.qt-project.org/official_releases/qt/${pkgver%.*}/${pkgver}/single/${_pkgfqn}.tar.xz"
'0001-Revert-Rotate-images-according-to-Exif-orientation.patch'
'0001-Require-fPIC-instead-of-just-fPIE-for-reduce-relocat.patch'
- 'assistant.desktop' 'designer.desktop' 'linguist.desktop' 'qdbusviewer.desktop' 'glib-2.43.patch' 'qlockfile-deadlock.patch' 'qnam-corruption.patch')
+ 'assistant.desktop' 'designer.desktop' 'linguist.desktop' 'qdbusviewer.desktop' 'glib-2.43.patch'
+ 'qlockfile-deadlock.patch' 'qnam-corruption.patch' 'keypad-shortcuts.patch'
+ 'CVE-2015-0295.patch' 'CVE-2015-1858_1859.patch' 'CVE-2015-1860.patch')
md5sums=('7afb5f9235d8d42b5b6e832442a32a5d'
'fb1459f325a15b15b18afeac51173a1d'
'ac8fa252868161c676d876b614e24436'
@@ -54,7 +56,11 @@
'322b419b16c75d4de0ee7ad0a246caa1'
'bf756a3061e1b30b28df85dcf0c90df3'
'30d219401f77e536d215addc420b634c'
- 'd0b070d6f211948ef4842b46542b9e4f')
+ 'd0b070d6f211948ef4842b46542b9e4f'
+ '665439088fc7de52a97455c5eaf87889'
+ '871ab111d03a640b4d0250388a4307cc'
+ 'b799130014294cb3c73fc46e7e8889db'
+ '64bc4f7d5097438eb6c6f8042378b3a3')
prepare() {
cd ${_pkgfqn}
@@ -74,6 +80,15 @@
# https://codereview.qt-project.org/#/c/110150/
(cd qtbase; patch -p1 -i "$srcdir/qnam-corruption.patch")
+ # https://bugs.archlinux.org/task/44676
+ (cd qtbase; patch -p1 -i "$srcdir/keypad-shortcuts.patch")
+
+ # http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
+ (cd qtbase; patch -p1 -i "$srcdir/CVE-2015-0295.patch")
+
+ # http://lists.qt-project.org/pipermail/announce/2015-April/000067.html
+ (cd qtbase; patch -p1 -i "$srcdir/CVE-2015-1858_1859.patch"; patch -p1 -i "$srcdir/CVE-2015-1860.patch")
+
# Build qmake using Arch {C,LD}FLAGS
# This also sets default {C,CXX,LD}FLAGS for projects built using qmake
sed -i -e "s|^\(QMAKE_CFLAGS_RELEASE.*\)|\1 ${CFLAGS}|" \
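Review bot: The line `(cd qtbase; patch -p1 -i "$srcdir/CVE-2015-1858_1859.patch"; patch -p1 -i "$srcdir/CVE-2015-1860.patch")` has an ordering dependency the hunk does not record: the qbmphandler.cpp index line in CVE-2015-1858_1859.patch starts from df66499, the blob that CVE-2015-0295.patch produces, so that patch must stay after the CVE-2015-0295 line above it. Chaining two invocations with `;` in one subshell also departs from the one-patch-per-line style used for the other patches, and although makepkg's errexit presumably stops the subshell at the first failure, it makes the failing patch harder to pick out of the build log. I would split it and name the dependency: `# CVE-2015-1858_1859.patch was generated on top of CVE-2015-0295.patch (qbmphandler.cpp index df66499); keep that order`, then `(cd qtbase; patch -p1 -i "$srcdir/CVE-2015-1858_1859.patch")` and `(cd qtbase; patch -p1 -i "$srcdir/CVE-2015-1860.patch")` on their own lines. prepare() begins and ends outside this hunk.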
Added: keypad-shortcuts.patch
===================================================================
--- keypad-shortcuts.patch (rev 0)
+++ keypad-shortcuts.patch 2015-05-14 07:32:11 UTC (rev 239330)
@@ -0,0 +1,94 @@
+From c137502c7fd7550c780c9531ec414098d8101757 Mon Sep 17 00:00:00 2001
+From: Alexander Volkov <a.volkov at rusbitech.ru>
+Date: Thu, 18 Sep 2014 16:16:26 +0400
+Subject: Fix shortcuts with keypad keys
+
+The way of searching a shortcut match for a key without the keypad
+modifier introduced in 547a1bea492954d828aa0798be93384669812489 is
+not correct. QKeyEvent::setModifiers() doesn't change native scan code
+so we get the incorrect QKeyEvent object which is eventually passed to
+the implementation of QPlatformIntegration::possibleKeys().
+And then QPlatformIntegration::possibleKeys() returns the same result
+as for the original QKeyEvent object.
+
+So to fix it we have to remove Qt::KeypadModifier from keys after
+calling the implementation of QPlatformIntegration::possibleKeys(),
+as it was before 547a1bea492954d828aa0798be93384669812489.
+
+Task-number: QTBUG-33093
+Task-number: QTBUG-20191
+Change-Id: I5b33c9b6cf2c06b133166a31eba9aff9181c9483
+---
+ src/gui/kernel/qshortcutmap.cpp | 12 +++++-------
+ src/gui/kernel/qshortcutmap_p.h | 4 ++--
+ 2 files changed, 7 insertions(+), 9 deletions(-)
+
+diff --git a/src/gui/kernel/qshortcutmap.cpp b/src/gui/kernel/qshortcutmap.cpp
+index c915ed39..c13c82c 100644
+--- a/src/gui/kernel/qshortcutmap.cpp
++++ b/src/gui/kernel/qshortcutmap.cpp
+@@ -388,9 +388,7 @@ QKeySequence::SequenceMatch QShortcutMap::nextState(QKeyEvent *e)
+ result = find(e);
+ if (result == QKeySequence::NoMatch && (e->modifiers() & Qt::KeypadModifier)) {
+ // Try to find a match without keypad modifier
+- QKeyEvent event = *e;
+- event.setModifiers(e->modifiers() & ~Qt::KeypadModifier);
+- result = find(&event);
++ result = find(e, Qt::KeypadModifier);
+ }
+ if (result == QKeySequence::NoMatch && e->modifiers() & Qt::ShiftModifier) {
+ // If Shift + Key_Backtab, also try Shift + Qt::Key_Tab
+@@ -443,13 +441,13 @@ bool QShortcutMap::hasShortcutForKeySequence(const QKeySequence &seq) const
+ which can be access through matches().
+ \sa matches
+ */
+-QKeySequence::SequenceMatch QShortcutMap::find(QKeyEvent *e)
++QKeySequence::SequenceMatch QShortcutMap::find(QKeyEvent *e, int ignoredModifiers)
+ {
+ Q_D(QShortcutMap);
+ if (!d->sequences.count())
+ return QKeySequence::NoMatch;
+
+- createNewSequences(e, d->newEntries);
++ createNewSequences(e, d->newEntries, ignoredModifiers);
+ #if defined(DEBUG_QSHORTCUTMAP)
+ qDebug() << "Possible shortcut key sequences:" << d->newEntries;
+ #endif
+@@ -551,7 +549,7 @@ void QShortcutMap::clearSequence(QVector<QKeySequence> &ksl)
+ Alters \a seq to the new sequence state, based on the
+ current sequence state, and the new key event \a e.
+ */
+-void QShortcutMap::createNewSequences(QKeyEvent *e, QVector<QKeySequence> &ksl)
++void QShortcutMap::createNewSequences(QKeyEvent *e, QVector<QKeySequence> &ksl, int ignoredModifiers)
+ {
+ Q_D(QShortcutMap);
+ QList<int> possibleKeys = QKeyMapper::possibleKeys(e);
+@@ -581,7 +579,7 @@ void QShortcutMap::createNewSequences(QKeyEvent *e, QVector<QKeySequence> &ksl)
+ curKsl.setKey(0, 2);
+ curKsl.setKey(0, 3);
+ }
+- curKsl.setKey(possibleKeys.at(pkNum), index);
++ curKsl.setKey(possibleKeys.at(pkNum) & ~ignoredModifiers, index);
+ }
+ }
+ }
+diff --git a/src/gui/kernel/qshortcutmap_p.h b/src/gui/kernel/qshortcutmap_p.h
+index 3959c2c..39a8eac 100644
+--- a/src/gui/kernel/qshortcutmap_p.h
++++ b/src/gui/kernel/qshortcutmap_p.h
+@@ -96,10 +96,10 @@ private:
+ QKeySequence::SequenceMatch state();
+ void dispatchEvent(QKeyEvent *e);
+
+- QKeySequence::SequenceMatch find(QKeyEvent *e);
++ QKeySequence::SequenceMatch find(QKeyEvent *e, int ignoredModifiers = 0);
+ QKeySequence::SequenceMatch matches(const QKeySequence &seq1, const QKeySequence &seq2) const;
+ QVector<const QShortcutEntry *> matches() const;
+- void createNewSequences(QKeyEvent *e, QVector<QKeySequence> &ksl);
++ void createNewSequences(QKeyEvent *e, QVector<QKeySequence> &ksl, int ignoredModifiers);
+ void clearSequence(QVector<QKeySequence> &ksl);
+ int translateModifiers(Qt::KeyboardModifiers modifiers);
+
+--
+cgit v0.11.0
+