From: Jan Palus
Date: Thu, 1 Jun 2023 15:07:00 +0000 (+0200)
Subject: upstream fix for CVE-2023-33285; rel 4
X-Git-Tag: auto/th/qt5-qtbase-5.15.9-4
X-Git-Url: http://git.pld-linux.org/gitweb.cgi?a=commitdiff_plain;h=2b4adf7a4b1d8eaf8b3919af5e7f6bd9640dbeff;p=packages%2Fqt5-qtbase.git
upstream fix for CVE-2023-33285; rel 4 as advised in: https://lists.qt-project.org/pipermail/announce/2023-June/000417.html
---
diff --git a/CVE-2023-33285-qtbase-5.15.diff b/CVE-2023-33285-qtbase-5.15.diff
new file mode 100644
index 0000000..ec33777
--- /dev/null
+++ b/CVE-2023-33285-qtbase-5.15.diff
@@ -0,0 +1,68 @@
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ // responseLength in case of error, we still can extract the
+ // exact error code from the response.
+ HEADER *header = (HEADER*)response;
+- const int answerCount = ntohs(header->ancount);
+ switch (header->rcode) {
+ case NOERROR:
+ break;
+@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ return;
+ }
+ 
+- // Skip the query host, type (2 bytes) and class (2 bytes).
+ char host[PACKETSZ], answer[PACKETSZ];
+ unsigned char *p = response + sizeof(HEADER);
+- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+- if (status < 0) {
++ int status;
++
++ if (ntohs(header->qdcount) == 1) {
++ // Skip the query host, type (2 bytes) and class (2 bytes).
++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
++ if (status < 0) {
++ reply->error = QDnsLookup::InvalidReplyError;
++ reply->errorString = tr("Could not expand domain name");
++ return;
++ }
++ if ((p - response) + status + 4 >= responseLength)
++ header->qdcount = 0xffff; // invalid reply below
++ else
++ p += status + 4;
++ }
++ if (ntohs(header->qdcount) > 1) {
+ reply->error = QDnsLookup::InvalidReplyError;
+- reply->errorString = tr("Could not expand domain name");
++ reply->errorString = tr("Invalid reply received");
+ return;
+ }
+- p += status + 4;
+ 
+ // Extract results.
++ const int answerCount = ntohs(header->ancount);
+ int answerIndex = 0;
+ while ((p < response + responseLength) && (answerIndex < answerCount)) {
+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ const QString name = QUrl::fromAce(host);
+ 
+ p += status;
++
++ if ((p - response) + 10 > responseLength) {
++ // probably just a truncated reply, return what we have
++ return;
++ }
+ const quint16 type = (p[0] << 8) | p[1];
+ p += 2; // RR type
+ p += 2; // RR class
+@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ p += 4;
+ const quint16 size = (p[0] << 8) | p[1];
+ p += 2;
++ if ((p - response) + size > responseLength)
++ return; // truncated
+ 
+ if (type == QDnsLookup::A) {
+ if (size != 4) {
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index be7b7df..153ac22 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -71,7 +71,7 @@ Summary: Qt5 - base components
 Summary(pl.UTF-8): Biblioteka Qt5 - podstawowe komponenty
 Name: qt5-%{orgname}
 Version: 5.15.9
-Release: 3
+Release: 4
 License: LGPL v3 or GPL v2 or GPL v3 or commercial
 Group: X11/Libraries
 Source0: https://download.qt.io/official_releases/qt/5.15/%{version}/submodules/%{orgname}-everywhere-opensource-src-%{version}.tar.xz
@@ -83,6 +83,7 @@ Patch1: parallel-install.patch
 Patch2: egl-x11.patch
 Patch3: CVE-2023-32763-qtbase-5.15.diff
 Patch4: CVE-2023-32762-qtbase-5.15.diff
+Patch5: CVE-2023-33285-qtbase-5.15.diff
 URL: https://www.qt.io/
 %{?with_directfb:BuildRequires: DirectFB-devel}
 BuildRequires: EGL-devel
@@ -1180,6 +1181,7 @@ Generator plików makefile dla aplikacji Qt5.
 %patch2 -p1
 %patch3 -p1
 %patch4 -p1
+%patch5 -p1
 %{__sed} -i -e 's,usr/X11R6/,usr/,g' mkspecs/linux-g++-64/qmake.conf
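Review bot: The `header->qdcount = 0xffff; // invalid reply below` assignment in the `qdcount == 1` branch signals an error by rewriting the packet header so that the later `ntohs(header->qdcount) > 1` test reports it, which is hard to follow and turns a buffer the rest of the function only reads into control state; the same `QDnsLookup::InvalidReplyError` / `tr("Invalid reply received")` return can be issued directly at the overflow check, leaving `p += status + 4;` unconditional. Separately, that check uses `>=`, so a reply whose packet ends exactly after the question section (`qdcount` 1, no answer bytes) is reported as an invalid reply rather than reaching the extraction loop, which would exit at once because it already stops at `p < response + responseLength`; if that is deliberate it deserves a comment, otherwise `>` appears sufficient, though what the code after the loop does with an empty result is outside these hunks. The new patch file also has no provenance line above `--- a/src/network/kernel/qdnslookup_unix.cpp`; a header citing the upstream change and the announce URL from the commit message would make later rebases easier to audit. `QDnsLookupRunnable::query` starts and ends outside the hunks shown.
```cpp
    if (ntohs(header->qdcount) == 1) {
        // … unchanged: local_dn_expand of the query name and the status < 0 error return …
        // Reject a question section that runs past the end of the packet here
        // instead of signalling it by rewriting header->qdcount.
        if ((p - response) + status + 4 >= responseLength) {
            reply->error = QDnsLookup::InvalidReplyError;
            reply->errorString = tr("Invalid reply received");
            return;
        }
        p += status + 4; // skip the query host, type (2 bytes) and class (2 bytes)
    }
    // … unchanged: qdcount > 1 check and result extraction …
```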