authorMarek Vasut <marex@denx.de>2023-10-10 16:08:05 +0200
committerMartin Jansa <martin.jansa@gmail.com>2023-10-11 14:18:48 +0200
commit51cd2acfb67bbbd89985004c064835e7b2f5ac09 (patch)
tree2533042a6e273187371d00d07e4735be3b9546fb
parent002d27e9bf8727e2680c76624198516f5a774741 (diff)
qtbase: Pick CVE-2023-33285 fix
An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server. Advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-33285 Patch: https://download.qt.io/official_releases/qt/5.15/CVE-2023-33285-qtbase-5.15.diff Signed-off-by: Marek Vasut <marex@denx.de>
-rw-r--r--recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff68
-rw-r--r--recipes-qt/qt5/qtbase_git.bb1
2 files changed, 69 insertions, 0 deletions
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff
new file mode 100644
index 00000000..4bed901c
--- /dev/null
+++ b/recipes-qt/qt5/qtbase/CVE-2023-33285-qtbase-5.15.diff
@@ -0,0 +1,68 @@
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ // responseLength in case of error, we still can extract the
+ // exact error code from the response.
+ HEADER *header = (HEADER*)response;
+- const int answerCount = ntohs(header->ancount);
+ switch (header->rcode) {
+ case NOERROR:
+ break;
+@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ return;
+ }
+
+- // Skip the query host, type (2 bytes) and class (2 bytes).
+ char host[PACKETSZ], answer[PACKETSZ];
+ unsigned char *p = response + sizeof(HEADER);
+- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+- if (status < 0) {
++ int status;
++
++ if (ntohs(header->qdcount) == 1) {
++ // Skip the query host, type (2 bytes) and class (2 bytes).
++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
++ if (status < 0) {
++ reply->error = QDnsLookup::InvalidReplyError;
++ reply->errorString = tr("Could not expand domain name");
++ return;
++ }
++ if ((p - response) + status + 4 >= responseLength)
++ header->qdcount = 0xffff; // invalid reply below
++ else
++ p += status + 4;
++ }
++ if (ntohs(header->qdcount) > 1) {
+ reply->error = QDnsLookup::InvalidReplyError;
+- reply->errorString = tr("Could not expand domain name");
++ reply->errorString = tr("Invalid reply received");
+ return;
+ }
+- p += status + 4;
+
+ // Extract results.
++ const int answerCount = ntohs(header->ancount);
+ int answerIndex = 0;
+ while ((p < response + responseLength) && (answerIndex < answerCount)) {
+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ const QString name = QUrl::fromAce(host);
+
+ p += status;
++
++ if ((p - response) + 10 > responseLength) {
++ // probably just a truncated reply, return what we have
++ return;
++ }
+ const quint16 type = (p[0] << 8) | p[1];
+ p += 2; // RR type
+ p += 2; // RR class
+@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+ p += 4;
+ const quint16 size = (p[0] << 8) | p[1];
+ p += 2;
++ if ((p - response) + size > responseLength)
++ return; // truncated
+
+ if (type == QDnsLookup::A) {
+ if (size != 4) {
diff --git a/recipes-qt/qt5/qtbase_git.bb b/recipes-qt/qt5/qtbase_git.bb
index e80335de..66e45392 100644
--- a/recipes-qt/qt5/qtbase_git.bb
+++ b/recipes-qt/qt5/qtbase_git.bb
@@ -41,6 +41,7 @@ SRC_URI += "\
file://0026-qsql_odbc-Patch-for-CVE-2023-24607.patch \
file://CVE-2023-32762.patch \
file://CVE-2023-32763-qtbase-5.15.diff \
+ file://CVE-2023-33285-qtbase-5.15.diff \
"
# Disable LTO for now, QT5 patches are being worked upstream, perhaps revisit with