Package: release.debian.org
Severity: normal
X-Debbugs-Cc: qt6-imageform...@packages.debian.org, delta...@debian.org
Control: affects -1 + src:qt6-imageformats
User: release.debian....@packages.debian.org
Usertags: unblock
Dear Release-Team,

please unblock package qt6-imageformats.

[ Reason ]
Backporting a patch to fix CVE-2025-5683.

[ Impact ]
The patch fixes a bug that can trigger a crash with specifically crafted ICNS images.

[ Tests ]
The patch is taken directly from the upstream LTS branch and has gone through the usual testing in Qt upstream.

[ Risks ]
The code is effectively a 2-line patch and, since it is taken directly from upstream where it goes through QA, I deem the risk to be low.

[ Checklist ]
[x] all changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in testing

[ Other info ]
The link to the security tracker: https://security-tracker.debian.org/tracker/CVE-2025-5683
diff -Nru qt6-imageformats-6.8.2/debian/changelog qt6-imageformats-6.8.2/debian/changelog --- qt6-imageformats-6.8.2/debian/changelog 2025-03-01 12:41:03.000000000 +0100 +++ qt6-imageformats-6.8.2/debian/changelog 2025-06-06 19:37:30.000000000 +0200 @@ -1,3 +1,10 @@ +qt6-imageformats (6.8.2-4) unstable; urgency=medium + + [ Patrick Franz ] + * Backport patch to fix CVE-2025-5683 (Closes: #1107317). + + -- Patrick Franz <delta...@debian.org> Fri, 06 Jun 2025 19:37:30 +0200 + qt6-imageformats (6.8.2-3) unstable; urgency=medium * Upload to unstable. diff -Nru qt6-imageformats-6.8.2/debian/patches/CVE-2025-5683.diff qt6-imageformats-6.8.2/debian/patches/CVE-2025-5683.diff --- qt6-imageformats-6.8.2/debian/patches/CVE-2025-5683.diff 1970-01-01 01:00:00.000000000 +0100 +++ qt6-imageformats-6.8.2/debian/patches/CVE-2025-5683.diff 2025-06-06 19:35:34.000000000 +0200 
@@ -0,0 +1,43 @@ +From efd332516f510144927121fa749ce819b82ec633 Mon Sep 17 00:00:00 2001 +From: Samuel Gaist <samuel.ga...@idiap.ch> +Date: Fri, 09 May 2025 17:12:49 +0200 +Subject: [PATCH] Fix validation issue for ICNS image + +The header validation logic could trigger an assert when an invalid ICNS +image was loaded. This patch fixes the validation logic. + +Credit to OSS-Fuzz + +Fixes: QTBUG-136707 +Pick-to: 6.9 6.8 6.5 +Change-Id: I9571b9fd0b53d07ceee9792c9418472e949eff30 +Reviewed-by: Eirik Aavitsland <eirik.aavitsl...@qt.io> +--- + +diff --git a/src/plugins/imageformats/icns/qicnshandler.cpp b/src/plugins/imageformats/icns/qicnshandler.cpp +index 6cf74b2..501394d 100644 +--- a/src/plugins/imageformats/icns/qicnshandler.cpp ++++ b/src/plugins/imageformats/icns/qicnshandler.cpp +@@ -324,8 +324,11 @@ + + static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0) + { +- return header.ostype != 0 && (bound == 0 +- || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length); ++ return header.ostype != 0 && ++ (bound == 0 || ++ // qBound can be used but requires checking the limits first ++ // this requires less operations ++ (ICNSBlockHeaderSize <= header.length && header.length <= bound)); + } + + static inline bool isIconCompressed(const ICNSEntry &icon) +@@ -870,7 +873,7 @@ + return false; + + const qint64 blockDataOffset = device()->pos(); +- if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) { ++ if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) { + qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. 
OSType \"%s\", length %u", + QByteArray::number(blockDataOffset).constData(), + nameFromOSType(blockHeader.ostype).constData(), blockHeader.length); diff -Nru qt6-imageformats-6.8.2/debian/patches/series qt6-imageformats-6.8.2/debian/patches/series --- qt6-imageformats-6.8.2/debian/patches/series 1970-01-01 01:00:00.000000000 +0100 +++ qt6-imageformats-6.8.2/debian/patches/series 2025-06-06 19:36:17.000000000 +0200 @@ -0,0 +1,2 @@ +# Fixed in 6.8.5/6.9.1 +CVE-2025-5683.diff
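Review bot: in the isBlockHeaderValid() hunk the new comment ("qBound can be used but requires checking the limits first / this requires less operations") documents the micro-optimisation but not the actual defect being fixed. qBound(min, val, max) asserts when min > max, and the old call reached that state whenever the caller passed a `bound` smaller than ICNSBlockHeaderSize, which is the condition a malformed ICNS file can create; the explicit `ICNSBlockHeaderSize <= header.length && header.length <= bound` now returns false for that case instead of aborting. Suggest saying so in the comment ("fewer operations" rather than "less operations" while there), and adding a regression test with a truncated or oversized-block ICNS file, since neither the upstream commit nor the debdiff carries one.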
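Review bot: in the scanDevice() hunk, replacing `ICNSBlockHeaderSize + filelength - blockDataOffset` with `ICNSBlockHeaderSize - blockDataOffset + filelength` computes the same value: the operands are only reordered, and integer addition and subtraction commute (modulo 2^64 if the promotion is unsigned), so this hunk changes nothing on its own and the commit message gives no reason for it. The case that actually matters is blockDataOffset (declared `const qint64`) exceeding filelength + ICNSBlockHeaderSize, where the negative result converts to the quint64 `bound` parameter as a huge value and the upper-bound comparison in isBlockHeaderValid() no longer constrains header.length. Suggest either dropping this hunk to keep the backport minimal, or adding an explicit `if (blockDataOffset > filelength) return false;` before the call so the bound can never go negative.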