Package: release.debian.org
Severity: normal
X-Debbugs-Cc: qtimageformats-opensource-...@packages.debian.org, t...@security.debian.org, Dmitry Shachnev <mity...@debian.org>, car...@debian.org
Control: affects -1 + src:qtimageformats-opensource-src
User: release.debian....@packages.debian.org
Usertags: unblock
Hi,

qtimageformats-opensource-src in trixie is vulnerable to CVE-2025-5683, cf. #1107318. The package cannot migrate automatically as it does not contain autopkgtests.

Dmitry, what is your take on it?

Attached is the debdiff for the package fixing the issue.

Regards,
Salvatore
diff -Nru qtimageformats-opensource-src-5.15.15/debian/changelog qtimageformats-opensource-src-5.15.15/debian/changelog --- qtimageformats-opensource-src-5.15.15/debian/changelog 2024-10-28 22:08:53.000000000 +0100 +++ qtimageformats-opensource-src-5.15.15/debian/changelog 2025-06-06 09:57:26.000000000 +0200 @@ -1,3 +1,10 @@ +qtimageformats-opensource-src (5.15.15-4) unstable; urgency=medium + + * Backport upstream patch to fix validation issue for ICNS image + (CVE-2025-5683, closes: #1107318). + + -- Dmitry Shachnev <mity...@debian.org> Fri, 06 Jun 2025 10:57:26 +0300 + qtimageformats-opensource-src (5.15.15-3) unstable; urgency=medium * Add a patch to reject broken MNG images, backported from qtbase 6.0 diff -Nru qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch --- qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch 1970-01-01 01:00:00.000000000 +0100 +++ qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch 2025-06-06 09:57:26.000000000 +0200 
@@ -0,0 +1,31 @@ +Description: fix validation issue for ICNS image + The header validation logic could trigger an assert when an invalid ICNS + image was loaded. This patch fixes the validation logic. +Origin: upstream, https://code.qt.io/cgit/qt/qtimageformats.git/commit/?id=efd332516f510144 +Last-Update: 2025-06-06 + +--- a/src/plugins/imageformats/icns/qicnshandler.cpp ++++ b/src/plugins/imageformats/icns/qicnshandler.cpp +@@ -359,8 +359,11 @@ static inline bool isPowOf2OrDividesBy16 + + static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0) + { +- return header.ostype != 0 && (bound == 0 +- || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length); ++ return header.ostype != 0 && ++ (bound == 0 || ++ // qBound can be used but requires checking the limits first ++ // this requires less operations ++ (ICNSBlockHeaderSize <= header.length && header.length <= bound)); + } + + static inline bool isIconCompressed(const ICNSEntry &icon) +@@ -899,7 +902,7 @@ bool QICNSHandler::scanDevice() + return false; + + const qint64 blockDataOffset = device()->pos(); +- if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) { ++ if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) { + qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u", + QByteArray::number(blockDataOffset).constData(), + nameFromOSType(blockHeader.ostype).constData(), blockHeader.length); diff -Nru qtimageformats-opensource-src-5.15.15/debian/patches/series qtimageformats-opensource-src-5.15.15/debian/patches/series --- qtimageformats-opensource-src-5.15.15/debian/patches/series 2024-10-28 22:08:53.000000000 +0100 +++ qtimageformats-opensource-src-5.15.15/debian/patches/series 2025-06-06 09:57:26.000000000 +0200 @@ -1 +1,2 @@ CVE-2020-23884.patch +CVE-2025-5683.patch
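Review bot: in the CVE-2025-5683.patch hunk, only the isBlockHeaderValid change is a functional fix: replacing `qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length` with `ICNSBlockHeaderSize <= header.length && header.length <= bound` avoids calling qBound with a lower limit above its upper limit, which is what fires the assertion the Description mentions when a truncated or malformed ICNS file yields a bound smaller than ICNSBlockHeaderSize; the explicit comparison also rejects such a header instead of asserting. The scanDevice change merely reorders `ICNSBlockHeaderSize + filelength - blockDataOffset` to `ICNSBlockHeaderSize - blockDataOffset + filelength`, which evaluates to the same value, so it is worth noting in the patch header that this part is cosmetic and carried over for parity with upstream. The DEP-3 header would also benefit from a `Bug-Debian: https://bugs.debian.org/1107318` line to tie the patch to the bug the changelog closes, and the Origin commit id is abbreviated, so consider recording the full upstream commit hash for traceability.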