Package: release.debian.org Severity: normal Tags: jessie User: release.debian....@packages.debian.org Usertags: pu
Hi RT! I'm attaching a patch against qt4's version in Jessie which solves 3 CVEs. The fixes are already in sid, and I do expect them to be in Stretch by the time of the first point release. Kind regards, Lisandro. -- System Information: Debian Release: 8.0 APT prefers unstable APT policy: (990, 'unstable'), (500, 'testing'), (101, 'experimental') Architecture: amd64 (x86_64) Foreign Architectures: i386 Kernel: Linux 3.16.0-4-amd64 (SMP w/2 CPU cores) Locale: LANG=es_AR.UTF-8, LC_CTYPE=es_AR.UTF-8 (charmap=UTF-8) Shell: /bin/sh linked to /bin/bash Init: systemd (via /run/systemd/system)
diff --git a/debian/changelog b/debian/changelog
index eeb3bb0..0c604b9 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+qt4-x11 (4:4.8.6+git64-g5dc8b2b+dfsg-3+deb8u1) UNRELEASED; urgency=medium
+
+ [ Lisandro Damián Nicanor Pérez Meyer ]
+ * Add fixes_crash_in_gif_image_decoder.patch and
+ fixes_crash_in_bmp_and_ico_image_decoder.patch to fix CVE-2015-1858,
+ CVE-2015-1859 and CVE-2015-1860 (Closes: #783133).
+
+ -- Debian Qt/KDE Maintainers <debian-qt-...@lists.debian.org> Fri, 01 May 2015 15:52:55 -0300
+
 qt4-x11 (4:4.8.6+git64-g5dc8b2b+dfsg-3) unstable; urgency=medium

 * Team upload.
diff --git a/debian/patches/fixes_crash_in_bmp_and_ico_image_decoder.patch b/debian/patches/fixes_crash_in_bmp_and_ico_image_decoder.patch
new file mode 100644
index 0000000..392bb59
--- /dev/null
+++ b/debian/patches/fixes_crash_in_bmp_and_ico_image_decoder.patch
@@ -0,0 +1,56 @@
+From 3e55cd6dc467303a3c35312e9fcb255c2c048b32 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsl...@theqtcompany.com>
+Date: Wed, 11 Mar 2015 13:34:01 +0100
+Subject: [PATCH] Fixes crash in bmp and ico image decoding
+
+Fuzzing test revealed that for certain malformed bmp and ico files,
+the handler would segfault.
+
+Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+(cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078)
+Reviewed-by: Richard J. Moore <r...@kde.org>
+---
+ src/gui/image/qbmphandler.cpp | 13 +++++++------
+ src/plugins/imageformats/ico/qicohandler.cpp | 2 +-
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -472,12 +472,6 @@ static bool read_dib_body(QDataStream &s
+ p = data + (h-y-1)*bpl;
+ break;
+ case 2: // delta (jump)
+- // Protection
+- if ((uint)x >= (uint)w)
+- x = w-1;
+- if ((uint)y >= (uint)h)
+- y = h-1;
+-
+ {
+ quint8 tmp;
+ d->getChar((char *)&tmp);
+@@ -485,6 +479,13 @@ static bool read_dib_body(QDataStream &s
+ d->getChar((char *)&tmp);
+ y += tmp;
+ }
++
++ // Protection
++ if ((uint)x >= (uint)w)
++ x = w-1;
++ if ((uint)y >= (uint)h)
++ y = h-1;
++
+ p = data + (h-y-1)*bpl + x;
+ break;
+ default: // absolute mode
+--- a/src/plugins/imageformats/ico/qicohandler.cpp
++++ b/src/plugins/imageformats/ico/qicohandler.cpp
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+ QImage::Format format = QImage::Format_ARGB32;
+ if (icoAttrib.nbits == 24)
+ format = QImage::Format_RGB32;
+- else if (icoAttrib.ncolors == 2)
++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+ format = QImage::Format_Mono;
+ else if (icoAttrib.ncolors > 0)
+ format = QImage::Format_Indexed8;
diff --git a/debian/patches/fixes_crash_in_gif_image_decoder.patch b/debian/patches/fixes_crash_in_gif_image_decoder.patch
new file mode 100644
index 0000000..fed0c78
--- /dev/null
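Review bot: The clamp that the qbmphandler.cpp hunk moves to after the two `d->getChar` reads still carries only the one-word comment `// Protection`, which does not say why it must now sit after the delta is applied rather than before it as in the removed lines; I would replace it with `// Clamp only after the delta has been applied: the two bytes just read from d are untrusted, so x/y may now lie outside w*h, and p below is computed from them`. It is also worth a sentence that the fix clamps a bad jump to the last column/row rather than rejecting the file, so a malformed delta is silently absorbed instead of failing the decode. In the qicohandler.cpp hunk the added `&& icoAttrib.depth == 1` is likewise uncommented; something like `// only treat a 2-colour palette as Format_Mono when the pixel depth is really 1 bit` would record the intent, though I am inferring the meaning of `depth` from its name and the subject line, so check it against the struct. Both enclosing functions, read_dib_body and ICOReader::iconAt, start and end outside these hunks.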
+++ b/debian/patches/fixes_crash_in_gif_image_decoder.patch
@@ -0,0 +1,26 @@
+From a1cf194c54be57d6ab55dfd26b9562a60532208e Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsl...@theqtcompany.com>
+Date: Wed, 11 Mar 2015 09:00:41 +0100
+Subject: [PATCH] Fixes crash in gif image decoder
+
+Fuzzing test revealed that for certain malformed gif files,
+qgifhandler would segfault.
+
+Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
+(cherry picked from qtbase/ea2c5417fcd374302f5019e67f72af5facbd29f6)
+Reviewed-by: Richard J. Moore <r...@kde.org>
+---
+ src/gui/image/qgifhandler.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -951,6 +951,8 @@ void QGIFFormat::fillRect(QImage *image,
+
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++ if (out_of_bounds)
++ return;
+ int my;
+ switch (interlace) {
+ case 0: // Non-interlaced
diff --git a/debian/patches/series b/debian/patches/series
index 88ccc32..1a54a0b 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -3,6 +3,8 @@ Add_support_for_QT_USE_DRAG_DISTANCE_env_var.patch
 QTBUG-21900_Buttons_in_Qt_applications_not_clickable_when_run_under_gnome-shell.patch
 dont_crash_on_broken_gif_images.patch
 xmlpatterns_stack_overflow_fix.diff
+fixes_crash_in_bmp_and_ico_image_decoder.patch
+fixes_crash_in_gif_image_decoder.patch
 # Patches submitted upstream but still not accepted
 aarch64_arm64_fix_arch_detection.patch
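Review bot: The early return added at the top of QGIFFormat::nextY is the entire fix for the gif crash, yet it has no comment and nothing in the hunk shows where `out_of_bounds` is set or what stepping the row would otherwise touch; I would put `// out_of_bounds is raised elsewhere once decoding has stepped past the frame; do not advance the row further, the interlace switch below would otherwise keep walking beyond the image` above the `if`. I am reading the flag's purpose from its name and the patch subject, so the wording should be confirmed against the site that sets it. The body of nextY continues past the hunk, so whether anything after the `switch` still relies on the row being in range when the flag is set cannot be checked here. The debian/patches/series hunk that follows is a pure list addition and its final context line appears to be cut off at the end of the message.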