Your message dated Sun, 06 Jul 2025 17:54:18 +0000
with message-id <[email protected]>
and subject line unblock qtimageformats-opensource-src
has caused the Debian Bug report #1108868,
regarding unblock: qtimageformats-opensource-src/5.15.15-4
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)


-- 
1108868: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108868
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
X-Debbugs-Cc: [email protected], 
[email protected], Dmitry Shachnev <[email protected]>, 
[email protected]
Control: affects -1 + src:qtimageformats-opensource-src
User: [email protected]
Usertags: unblock

Hi

qtimageformats-opensource-src in trixie is vulnerable to
CVE-2025-5683, cf. #1107318.

The package cannot migrate automatically as it does not contain
autopkgtests.

Dmitry, what is your take on it?

Attached is the debdiff for the package fixing the issue.

Regards,
Salvatore
diff -Nru qtimageformats-opensource-src-5.15.15/debian/changelog 
qtimageformats-opensource-src-5.15.15/debian/changelog
--- qtimageformats-opensource-src-5.15.15/debian/changelog      2024-10-28 
22:08:53.000000000 +0100
+++ qtimageformats-opensource-src-5.15.15/debian/changelog      2025-06-06 
09:57:26.000000000 +0200
@@ -1,3 +1,10 @@
+qtimageformats-opensource-src (5.15.15-4) unstable; urgency=medium
+
+  * Backport upstream patch to fix validation issue for ICNS image
+    (CVE-2025-5683, closes: #1107318).
+
+ -- Dmitry Shachnev <[email protected]>  Fri, 06 Jun 2025 10:57:26 +0300
+
 qtimageformats-opensource-src (5.15.15-3) unstable; urgency=medium
 
   * Add a patch to reject broken MNG images, backported from qtbase 6.0
diff -Nru 
qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch 
qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch
--- qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch    
1970-01-01 01:00:00.000000000 +0100
+++ qtimageformats-opensource-src-5.15.15/debian/patches/CVE-2025-5683.patch    
2025-06-06 09:57:26.000000000 +0200
@@ -0,0 +1,31 @@
+Description: fix validation issue for ICNS image
+ The header validation logic could trigger an assert when an invalid ICNS
+ image was loaded. This patch fixes the validation logic.
+Origin: upstream, 
https://code.qt.io/cgit/qt/qtimageformats.git/commit/?id=efd332516f510144
+Last-Update: 2025-06-06
+
+--- a/src/plugins/imageformats/icns/qicnshandler.cpp
++++ b/src/plugins/imageformats/icns/qicnshandler.cpp
+@@ -359,8 +359,11 @@ static inline bool isPowOf2OrDividesBy16
+ 
+ static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 
bound = 0)
+ {
+-    return header.ostype != 0 && (bound == 0
+-                || qBound(quint64(ICNSBlockHeaderSize), 
quint64(header.length), bound) == header.length);
++    return header.ostype != 0 &&
++        (bound == 0 ||
++            // qBound can be used but requires checking the limits first
++            // this requires less operations
++            (ICNSBlockHeaderSize <= header.length && header.length <= bound));
+ }
+ 
+ static inline bool isIconCompressed(const ICNSEntry &icon)
+@@ -899,7 +902,7 @@ bool QICNSHandler::scanDevice()
+             return false;
+ 
+         const qint64 blockDataOffset = device()->pos();
+-        if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength 
- blockDataOffset)) {
++        if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - 
blockDataOffset + filelength)) {
+             qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos 
%s. OSType \"%s\", length %u",
+                      QByteArray::number(blockDataOffset).constData(),
+                      nameFromOSType(blockHeader.ostype).constData(), 
blockHeader.length);
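Review bot: In isBlockHeaderValid(), `bound == 0` still means "skip the length check", yet scanDevice() passes a computed value, `ICNSBlockHeaderSize - blockDataOffset + filelength`, into the `quint64 bound` parameter. If that expression evaluates to exactly 0, the range test is skipped. If blockDataOffset (a qint64) exceeds ICNSBlockHeaderSize + filelength, the result wraps to a very large quint64, so `header.length <= bound` accepts any length. Consider rejecting the block in scanDevice() when the remaining size is not positive before calling the validator, or not relying on the 0 sentinel for this caller. The operand reorder in the scanDevice() hunk changes only the intermediate type of the arithmetic; the type of `filelength` is not visible here, so a one-line comment stating why the order matters would help the next reader. Minor: the new code comment should read "fewer operations".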
diff -Nru qtimageformats-opensource-src-5.15.15/debian/patches/series 
qtimageformats-opensource-src-5.15.15/debian/patches/series
--- qtimageformats-opensource-src-5.15.15/debian/patches/series 2024-10-28 
22:08:53.000000000 +0100
+++ qtimageformats-opensource-src-5.15.15/debian/patches/series 2025-06-06 
09:57:26.000000000 +0200
@@ -1 +1,2 @@
 CVE-2020-23884.patch
+CVE-2025-5683.patch

--- End Message ---
--- Begin Message ---
Unblocked qtimageformats-opensource-src.

--- End Message ---
