diff options
author | Marek Vasut <marex@denx.de> | 2023-10-10 16:37:39 +0200 |
---|---|---|
committer | Martin Jansa <martin.jansa@gmail.com> | 2023-10-11 14:18:48 +0200 |
commit | 41a2d0e65575721ef8e44dd0975e5b477688c8aa (patch) | |
tree | fe07ae7db051fccdebfbb234dcf08fffb0a4e712 | |
parent | 2a64bf65f12c01b1b3d79bf63bea30ff2bacf421 (diff) |
qtbase: Refresh direct import patches with devtool
Run 'devtool modify qtbase ; devtool finish --force-patch-refresh qtbase ...'
on the qtbase patches directly imported from Qt website [1] to refresh them
and remove all application fuzz. Add the CVE: tags while at it.
[1] https://download.qt.io/official_releases/qt/5.15/
Signed-off-by: Marek Vasut <marex@denx.de>
-rw-r--r-- | recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff | 108 | ||||
-rw-r--r-- | recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff | 149 | ||||
-rw-r--r-- | recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff | 122 | ||||
-rw-r--r-- | recipes-qt/qt5/qtbase/CVE-2023-37369-qtbase-5.15.diff | 27 | ||||
-rw-r--r-- | recipes-qt/qt5/qtbase/CVE-2023-38197-qtbase-5.15.diff | 32 | ||||
-rw-r--r-- | recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch | 16 |
6 files changed, 264 insertions, 190 deletions
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff index ebb53e55..52056325 100644 --- a/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff +++ b/recipes-qt/qt5/qtbase/CVE-2023-32763-qtbase-5.15.diff @@ -1,47 +1,61 @@ ---- a/src/gui/painting/qfixed_p.h
-+++ b/src/gui/painting/qfixed_p.h
-@@ -54,6 +54,7 @@
- #include <QtGui/private/qtguiglobal_p.h>
- #include "QtCore/qdebug.h"
- #include "QtCore/qpoint.h"
-+#include <QtCore/private/qnumeric_p.h>
- #include "QtCore/qsize.h"
-
- QT_BEGIN_NAMESPACE
-@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 <
- Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
- Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
-
-+inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
-+{
-+ int val;
-+ bool result = add_overflow(v1.value(), v2.value(), &val);
-+ r->setValue(val);
-+ return result;
-+}
-+
- #ifndef QT_NO_DEBUG_STREAM
- inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
- { return dbg << f.toReal(); }
-
-
---- a/src/gui/text/qtextlayout.cpp
-+++ b/src/gui/text/qtextlayout.cpp
-@@ -2163,11 +2163,14 @@ found:
- eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
- } else {
- eng->minWidth = qMax(eng->minWidth, lbh.minw);
-- eng->maxWidth += line.textWidth;
-+ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
-+ eng->maxWidth = QFIXED_MAX;
- }
-
-- if (line.textWidth > 0 && item < eng->layoutData->items.size())
-- eng->maxWidth += lbh.spaceData.textWidth;
-+ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
-+ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
-+ eng->maxWidth = QFIXED_MAX;
-+ }
-
- line.textWidth += trailingSpace;
- if (lbh.spaceData.length) {
\ No newline at end of file +From 4964af998a1788eba15e0b4ab3382e1ebb709daf Mon Sep 17 00:00:00 2001 +From: Marek Vasut <marex@denx.de> +Date: Tue, 10 Oct 2023 16:06:27 +0200 +Subject: [PATCH] qtbase: Pick CVE-2023-32763 fix + +CVE: CVE-2023-32763 +Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff] +--- + src/gui/painting/qfixed_p.h | 9 +++++++++ + src/gui/text/qtextlayout.cpp | 9 ++++++--- + 2 files changed, 15 insertions(+), 3 deletions(-) + +diff --git a/src/gui/painting/qfixed_p.h b/src/gui/painting/qfixed_p.h +index 846592881c..57d750a4b3 100644 +--- a/src/gui/painting/qfixed_p.h ++++ b/src/gui/painting/qfixed_p.h +@@ -54,6 +54,7 @@ + #include <QtGui/private/qtguiglobal_p.h> + #include "QtCore/qdebug.h" + #include "QtCore/qpoint.h" ++#include <QtCore/private/qnumeric_p.h> + #include "QtCore/qsize.h" + + QT_BEGIN_NAMESPACE +@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(int i, const QFixed &f) { return i * 64 < + Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; } + Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); } + ++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r) ++{ ++ int val; ++ bool result = add_overflow(v1.value(), v2.value(), &val); ++ r->setValue(val); ++ return result; ++} ++ + #ifndef QT_NO_DEBUG_STREAM + inline QDebug &operator<<(QDebug &dbg, const QFixed &f) + { return dbg << f.toReal(); } +diff --git a/src/gui/text/qtextlayout.cpp b/src/gui/text/qtextlayout.cpp +index 26ac37b016..f6c69ff4a2 100644 +--- a/src/gui/text/qtextlayout.cpp ++++ b/src/gui/text/qtextlayout.cpp +@@ -2150,11 +2150,14 @@ found: + eng->maxWidth = qMax(eng->maxWidth, line.textWidth); + } else { + eng->minWidth = qMax(eng->minWidth, lbh.minw); +- eng->maxWidth += line.textWidth; ++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth)) ++ eng->maxWidth = QFIXED_MAX; + } + +- if (line.textWidth > 0 && item < eng->layoutData->items.size()) +- eng->maxWidth += lbh.spaceData.textWidth; ++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) { ++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth)) ++ eng->maxWidth = QFIXED_MAX; ++ } + + line.textWidth += trailingSpace; + if (lbh.spaceData.length) { diff --git a/recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff index 4bed901c..0e545296 100644 --- a/recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff +++ b/recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff @@ -1,68 +1,81 @@ ---- a/src/network/kernel/qdnslookup_unix.cpp
-+++ b/src/network/kernel/qdnslookup_unix.cpp
-@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
- // responseLength in case of error, we still can extract the
- // exact error code from the response.
- HEADER *header = (HEADER*)response;
-- const int answerCount = ntohs(header->ancount);
- switch (header->rcode) {
- case NOERROR:
- break;
-@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
- return;
- }
-
-- // Skip the query host, type (2 bytes) and class (2 bytes).
- char host[PACKETSZ], answer[PACKETSZ];
- unsigned char *p = response + sizeof(HEADER);
-- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
-- if (status < 0) {
-+ int status;
-+
-+ if (ntohs(header->qdcount) == 1) {
-+ // Skip the query host, type (2 bytes) and class (2 bytes).
-+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
-+ if (status < 0) {
-+ reply->error = QDnsLookup::InvalidReplyError;
-+ reply->errorString = tr("Could not expand domain name");
-+ return;
-+ }
-+ if ((p - response) + status + 4 >= responseLength)
-+ header->qdcount = 0xffff; // invalid reply below
-+ else
-+ p += status + 4;
-+ }
-+ if (ntohs(header->qdcount) > 1) {
- reply->error = QDnsLookup::InvalidReplyError;
-- reply->errorString = tr("Could not expand domain name");
-+ reply->errorString = tr("Invalid reply received");
- return;
- }
-- p += status + 4;
-
- // Extract results.
-+ const int answerCount = ntohs(header->ancount);
- int answerIndex = 0;
- while ((p < response + responseLength) && (answerIndex < answerCount)) {
- status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
-@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
- const QString name = QUrl::fromAce(host);
-
- p += status;
-+
-+ if ((p - response) + 10 > responseLength) {
-+ // probably just a truncated reply, return what we have
-+ return;
-+ }
- const quint16 type = (p[0] << 8) | p[1];
- p += 2; // RR type
- p += 2; // RR class
-@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
- p += 4;
- const quint16 size = (p[0] << 8) | p[1];
- p += 2;
-+ if ((p - response) + size > responseLength)
-+ return; // truncated
-
- if (type == QDnsLookup::A) {
- if (size != 4) {
+From 70be54588f7227e0100d511530170b5cdb46ee5a Mon Sep 17 00:00:00 2001 +From: Marek Vasut <marex@denx.de> +Date: Tue, 10 Oct 2023 16:08:05 +0200 +Subject: [PATCH] qtbase: Pick CVE-2023-33285 fix + +CVE: CVE-2023-33285 +Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-33285-qtbase-5.15.diff] +--- + src/network/kernel/qdnslookup_unix.cpp | 31 +++++++++++++++++++++----- + 1 file changed, 25 insertions(+), 6 deletions(-) + +diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp +index 12b40fc35d..99e999d436 100644 +--- a/src/network/kernel/qdnslookup_unix.cpp ++++ b/src/network/kernel/qdnslookup_unix.cpp +@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + // responseLength in case of error, we still can extract the + // exact error code from the response. + HEADER *header = (HEADER*)response; +- const int answerCount = ntohs(header->ancount); + switch (header->rcode) { + case NOERROR: + break; +@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + return; + } + +- // Skip the query host, type (2 bytes) and class (2 bytes). + char host[PACKETSZ], answer[PACKETSZ]; + unsigned char *p = response + sizeof(HEADER); +- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +- if (status < 0) { ++ int status; ++ ++ if (ntohs(header->qdcount) == 1) { ++ // Skip the query host, type (2 bytes) and class (2 bytes). ++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); ++ if (status < 0) { ++ reply->error = QDnsLookup::InvalidReplyError; ++ reply->errorString = tr("Could not expand domain name"); ++ return; ++ } ++ if ((p - response) + status + 4 >= responseLength) ++ header->qdcount = 0xffff; // invalid reply below ++ else ++ p += status + 4; ++ } ++ if (ntohs(header->qdcount) > 1) { + reply->error = QDnsLookup::InvalidReplyError; +- reply->errorString = tr("Could not expand domain name"); ++ reply->errorString = tr("Invalid reply received"); + return; + } +- p += status + 4; + + // Extract results. ++ const int answerCount = ntohs(header->ancount); + int answerIndex = 0; + while ((p < response + responseLength) && (answerIndex < answerCount)) { + status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + const QString name = QUrl::fromAce(host); + + p += status; ++ ++ if ((p - response) + 10 > responseLength) { ++ // probably just a truncated reply, return what we have ++ return; ++ } + const quint16 type = (p[0] << 8) | p[1]; + p += 2; // RR type + p += 2; // RR class +@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + p += 4; + const quint16 size = (p[0] << 8) | p[1]; + p += 2; ++ if ((p - response) + size > responseLength) ++ return; // truncated + + if (type == QDnsLookup::A) { + if (size != 4) { diff --git a/recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff index 726846c5..0f3e288b 100644 --- a/recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff +++ b/recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff @@ -1,54 +1,68 @@ ---- a/src/network/ssl/qsslsocket_schannel.cpp
-+++ b/src/network/ssl/qsslsocket_schannel.cpp
-@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
- if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
- verifyDepth = DWORD(configuration.peerVerifyDepth);
-
-+ const auto &caCertificates = q->sslConfiguration().caCertificates();
-+
-+ if (!rootCertOnDemandLoadingAllowed()
-+ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
-+ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
-+ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
-+ // When verifying a peer Windows "helpfully" builds a chain that
-+ // may include roots from the system store. But we don't want that if
-+ // the user has set their own CA certificates.
-+ // Since Windows claims this is not a partial chain the root is included
-+ // and we have to check that it is one of our configured CAs.
-+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
-+ QSslCertificate certificate = getCertificateFromChainElement(element);
-+ if (!caCertificates.contains(certificate)) {
-+ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
-+ sslErrors += error;
-+ emit q->peerVerifyError(error);
-+ if (q->state() != QAbstractSocket::ConnectedState)
-+ return false;
-+ }
-+ }
-+
- for (DWORD i = 0; i < verifyDepth; i++) {
- CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
- QSslCertificate certificate = getCertificateFromChainElement(element);
-
-
---- a/src/network/ssl/qsslsocket.cpp
-+++ b/src/network/ssl/qsslsocket.cpp
-@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
- , flushTriggered(false)
- {
- QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
-+ // If the global configuration doesn't allow root certificates to be loaded
-+ // on demand then we have to disable it for this socket as well.
-+ if (!configuration.allowRootCertOnDemandLoading)
-+ allowRootCertOnDemandLoading = false;
- }
-
- /*!
-@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
- ptr->sessionProtocol = global->sessionProtocol;
- ptr->ciphers = global->ciphers;
- ptr->caCertificates = global->caCertificates;
-+ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
- ptr->protocol = global->protocol;
- ptr->peerVerifyMode = global->peerVerifyMode;
- ptr->peerVerifyDepth = global->peerVerifyDepth;
\ No newline at end of file +From ec348cf21e3cecfda0e1d7db6f2ecf423509f55a Mon Sep 17 00:00:00 2001 +From: Marek Vasut <marex@denx.de> +Date: Tue, 10 Oct 2023 16:09:29 +0200 +Subject: [PATCH] qtbase: Pick CVE-2023-34410 fix + +CVE: CVE-2023-34410 +Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-34410-qtbase-5.15.diff] +--- + src/network/ssl/qsslsocket.cpp | 5 +++++ + src/network/ssl/qsslsocket_schannel.cpp | 22 ++++++++++++++++++++++ + 2 files changed, 27 insertions(+) + +diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp +index 5bb6e7ee4a..2a0b3a4f1d 100644 +--- a/src/network/ssl/qsslsocket.cpp ++++ b/src/network/ssl/qsslsocket.cpp +@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate() + , flushTriggered(false) + { + QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration); ++ // If the global configuration doesn't allow root certificates to be loaded ++ // on demand then we have to disable it for this socket as well. ++ if (!configuration.allowRootCertOnDemandLoading) ++ allowRootCertOnDemandLoading = false; + } + + /*! +@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri + ptr->sessionProtocol = global->sessionProtocol; + ptr->ciphers = global->ciphers; + ptr->caCertificates = global->caCertificates; ++ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading; + ptr->protocol = global->protocol; + ptr->peerVerifyMode = global->peerVerifyMode; + ptr->peerVerifyDepth = global->peerVerifyDepth; +diff --git a/src/network/ssl/qsslsocket_schannel.cpp b/src/network/ssl/qsslsocket_schannel.cpp +index c956ce3c2b..d1b23af29b 100644 +--- a/src/network/ssl/qsslsocket_schannel.cpp ++++ b/src/network/ssl/qsslsocket_schannel.cpp +@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext) + if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth) + verifyDepth = DWORD(configuration.peerVerifyDepth); + ++ const auto &caCertificates = q->sslConfiguration().caCertificates(); ++ ++ if (!rootCertOnDemandLoadingAllowed() ++ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN) ++ && (q->peerVerifyMode() == QSslSocket::VerifyPeer ++ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) { ++ // When verifying a peer Windows "helpfully" builds a chain that ++ // may include roots from the system store. But we don't want that if ++ // the user has set their own CA certificates. ++ // Since Windows claims this is not a partial chain the root is included ++ // and we have to check that it is one of our configured CAs. ++ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1]; ++ QSslCertificate certificate = getCertificateFromChainElement(element); ++ if (!caCertificates.contains(certificate)) { ++ auto error = QSslError(QSslError::CertificateUntrusted, certificate); ++ sslErrors += error; ++ emit q->peerVerifyError(error); ++ if (q->state() != QAbstractSocket::ConnectedState) ++ return false; ++ } ++ } ++ + for (DWORD i = 0; i < verifyDepth; i++) { + CERT_CHAIN_ELEMENT *element = chain->rgpElement[i]; + QSslCertificate certificate = getCertificateFromChainElement(element); diff --git a/recipes-qt/qt5/qtbase/CVE-2023-37369-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-37369-qtbase-5.15.diff index ad2984fb..4fde5493 100644 --- a/recipes-qt/qt5/qtbase/CVE-2023-37369-qtbase-5.15.diff +++ b/recipes-qt/qt5/qtbase/CVE-2023-37369-qtbase-5.15.diff @@ -1,5 +1,18 @@ +From 8b7ecba1bab3a02af1c5d5b2278b88e931e612e6 Mon Sep 17 00:00:00 2001 +From: Marek Vasut <marex@denx.de> +Date: Tue, 10 Oct 2023 16:10:40 +0200 +Subject: [PATCH] qtbase: Pick CVE-2023-37369 fix + +CVE: CVE-2023-37369 +Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-37369-qtbase-5.15.diff] +--- + src/corelib/serialization/qxmlstream.cpp | 39 +++++++++++++++--------- + src/corelib/serialization/qxmlstream.g | 25 +++++++++++++-- + src/corelib/serialization/qxmlstream_p.h | 25 +++++++++++++-- + 3 files changed, 69 insertions(+), 20 deletions(-) + diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp -index 7cd457ba3a..11d162cb79 100644 +index b2f846544d..6c98e7c013 100644 --- a/src/corelib/serialization/qxmlstream.cpp +++ b/src/corelib/serialization/qxmlstream.cpp @@ -1302,15 +1302,18 @@ inline int QXmlStreamReaderPrivate::fastScanContentCharList() @@ -88,7 +101,7 @@ index 7cd457ba3a..11d162cb79 100644 { diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g -index 4321fed68a..8c6a1a5887 100644 +index b623de9505..e431028506 100644 --- a/src/corelib/serialization/qxmlstream.g +++ b/src/corelib/serialization/qxmlstream.g @@ -516,7 +516,16 @@ public: @@ -117,7 +130,7 @@ index 4321fed68a..8c6a1a5887 100644 QXmlStreamEntityResolver *entityResolver; -@@ -1811,7 +1821,12 @@ space_opt ::= space; +@@ -1809,7 +1819,12 @@ space_opt ::= space; qname ::= LETTER; /. case $rule_number: { @@ -131,7 +144,7 @@ index 4321fed68a..8c6a1a5887 100644 if (atEnd) { resume($rule_number); return false; -@@ -1822,7 +1837,11 @@ qname ::= LETTER; +@@ -1820,7 +1835,11 @@ qname ::= LETTER; name ::= LETTER; /. case $rule_number: @@ -145,7 +158,7 @@ index 4321fed68a..8c6a1a5887 100644 resume($rule_number); return false; diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h -index e5bde7b98e..b01484cac3 100644 +index 103b123b10..80e7f74080 100644 --- a/src/corelib/serialization/qxmlstream_p.h +++ b/src/corelib/serialization/qxmlstream_p.h @@ -1005,7 +1005,16 @@ public: @@ -174,7 +187,7 @@ index e5bde7b98e..b01484cac3 100644 QXmlStreamEntityResolver *entityResolver; -@@ -1939,7 +1949,12 @@ bool QXmlStreamReaderPrivate::parse() +@@ -1937,7 +1947,12 @@ bool QXmlStreamReaderPrivate::parse() break; case 262: { @@ -188,7 +201,7 @@ index e5bde7b98e..b01484cac3 100644 if (atEnd) { resume(262); return false; -@@ -1947,7 +1962,11 @@ bool QXmlStreamReaderPrivate::parse() +@@ -1945,7 +1960,11 @@ bool QXmlStreamReaderPrivate::parse() } break; case 263: diff --git a/recipes-qt/qt5/qtbase/CVE-2023-38197-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-38197-qtbase-5.15.diff index e9e622bc..cb631519 100644 --- a/recipes-qt/qt5/qtbase/CVE-2023-38197-qtbase-5.15.diff +++ b/recipes-qt/qt5/qtbase/CVE-2023-38197-qtbase-5.15.diff @@ -1,8 +1,20 @@ +From ae3946f38904b626a73a64f2829f60c911e2943b Mon Sep 17 00:00:00 2001 +From: Marek Vasut <marex@denx.de> +Date: Tue, 10 Oct 2023 16:11:57 +0200 +Subject: [PATCH] qtbase: Pick CVE-2023-38197 fix + +CVE: CVE-2023-38197 +Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-38197-qtbase-5.15.diff] +--- + src/corelib/serialization/qxmlstream.cpp | 144 +++++++++++++++++++++-- + src/corelib/serialization/qxmlstream_p.h | 11 ++ + 2 files changed, 147 insertions(+), 8 deletions(-) + diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp -index bf8a2a9..6ab5d49 100644 +index 6c98e7c013..2553d3e09a 100644 --- a/src/corelib/serialization/qxmlstream.cpp +++ b/src/corelib/serialization/qxmlstream.cpp -@@ -160,7 +160,7 @@ +@@ -160,7 +160,7 @@ enum { StreamEOF = ~0U }; addData() or by waiting for it to arrive on the device(). \value UnexpectedElementError The parser encountered an element @@ -11,7 +23,7 @@ index bf8a2a9..6ab5d49 100644 */ -@@ -295,13 +295,34 @@ +@@ -295,13 +295,34 @@ QXmlStreamEntityResolver *QXmlStreamReader::entityResolver() const QXmlStreamReader is a well-formed XML 1.0 parser that does \e not include external parsed entities. As long as no error occurs, the @@ -53,7 +65,7 @@ index bf8a2a9..6ab5d49 100644 If an error occurs while parsing, atEnd() and hasError() return true, and error() returns the error that occurred. The functions -@@ -620,6 +641,7 @@ +@@ -620,6 +641,7 @@ QXmlStreamReader::TokenType QXmlStreamReader::readNext() d->token = -1; return readNext(); } @@ -61,7 +73,7 @@ index bf8a2a9..6ab5d49 100644 return d->type; } -@@ -740,6 +762,14 @@ +@@ -740,6 +762,14 @@ static const short QXmlStreamReader_tokenTypeString_indices[] = { }; @@ -76,7 +88,7 @@ index bf8a2a9..6ab5d49 100644 /*! \property QXmlStreamReader::namespaceProcessing The namespace-processing flag of the stream reader -@@ -775,6 +805,16 @@ +@@ -775,6 +805,16 @@ QString QXmlStreamReader::tokenString() const QXmlStreamReader_tokenTypeString_indices[d->type]); } @@ -93,7 +105,7 @@ index bf8a2a9..6ab5d49 100644 #endif // QT_NO_XMLSTREAMREADER QXmlStreamPrivateTagStack::QXmlStreamPrivateTagStack() -@@ -866,6 +906,8 @@ +@@ -866,6 +906,8 @@ void QXmlStreamReaderPrivate::init() type = QXmlStreamReader::NoToken; error = QXmlStreamReader::NoError; @@ -102,7 +114,7 @@ index bf8a2a9..6ab5d49 100644 } /* -@@ -4061,6 +4103,92 @@ +@@ -4061,6 +4103,92 @@ void QXmlStreamWriter::writeCurrentToken(const QXmlStreamReader &reader) } } @@ -196,10 +208,10 @@ index bf8a2a9..6ab5d49 100644 \fn bool QXmlStreamAttributes::hasAttribute(const QString &qualifiedName) const \since 4.5 diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h -index 8f7c9e0..708059b 100644 +index 80e7f74080..6db58386db 100644 --- a/src/corelib/serialization/qxmlstream_p.h +++ b/src/corelib/serialization/qxmlstream_p.h -@@ -804,6 +804,17 @@ +@@ -804,6 +804,17 @@ public: #endif bool atEnd; diff --git a/recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch b/recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch index da59ce54..4b75db3a 100644 --- a/recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch +++ b/recipes-qt/qt5/qtbase/CVE-2023-43114-5.15.patch @@ -1,5 +1,16 @@ +From 7ec5e6dff1d6f6b2f3abcb1a2802f174ac189d9e Mon Sep 17 00:00:00 2001 +From: Marek Vasut <marex@denx.de> +Date: Tue, 10 Oct 2023 16:13:57 +0200 +Subject: [PATCH] qtbase: Pick CVE-2023-43114 fix + +CVE: CVE-2023-43114 +Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-43114-5.15.patch] +--- + .../windows/qwindowsfontdatabase.cpp | 67 ++++++++++++++----- + 1 file changed, 51 insertions(+), 16 deletions(-) + diff --git a/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp b/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp -index ba683cf686..217a968c64 100644 +index 09d2d916fe..0e6fe5eb84 100644 --- a/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp +++ b/src/platformsupport/fontdatabases/windows/qwindowsfontdatabase.cpp @@ -1471,36 +1471,70 @@ QT_WARNING_POP @@ -115,6 +126,3 @@ index ba683cf686..217a968c64 100644 if (values) { QFontValues fontValues; --- -2.27.0.windows.1 - |