[gentoo-commits] repo/gentoo:master commit in: dev-qt/qtbase/files/, dev-qt/qtbase/

Wed, 23 Apr 2025 05:20:18 -0700 

commit:     a47d7f2a22efec0a7cc17b7a25d904e89164c056
Author:     Ionen Wolkens <ionen <AT> gentoo <DOT> org>
AuthorDate: Wed Apr 23 10:59:40 2025 +0000
Commit:     Ionen Wolkens <ionen <AT> gentoo <DOT> org>
CommitDate: Wed Apr 23 12:19:13 2025 +0000
URL:        https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a47d7f2a

dev-qt/qtbase: backport fix for CVE-2025-3512

Signed-off-by: Ionen Wolkens <ionen <AT> gentoo.org>

 .../qtbase/files/qtbase-6.8.3-CVE-2025-3512.patch  | 163 +++++++++++++++++++++
 ...{qtbase-6.8.3.ebuild => qtbase-6.8.3-r1.ebuild} |   1 +
 2 files changed, 164 insertions(+)

diff --git a/dev-qt/qtbase/files/qtbase-6.8.3-CVE-2025-3512.patch 
b/dev-qt/qtbase/files/qtbase-6.8.3-CVE-2025-3512.patch
new file mode 100644
index 000000000000..b6bf7e4e5e05
--- /dev/null
+++ b/dev-qt/qtbase/files/qtbase-6.8.3-CVE-2025-3512.patch
@@ -0,0 +1,163 @@
+https://www.qt.io/blog/security-advisory-qtextmarkdownimporter-hbo
+https://codereview.qt-project.org/c/qt/qtbase/+/635699
+--- a/src/gui/text/qtextmarkdownimporter.cpp
++++ b/src/gui/text/qtextmarkdownimporter.cpp
+@@ -28,5 +28,6 @@
+ static const QChar qtmi_Space = u' ';
+ 
+-static constexpr auto markerString() noexcept { return "---"_L1; }
++static constexpr auto lfMarkerString() noexcept { return "---\n"_L1; }
++static constexpr auto crlfMarkerString() noexcept { return "---r\n"_L1; }
+ 
+ // TODO maybe eliminate the margins after all views recognize 
BlockQuoteLevel, CSS can format it, etc.
+@@ -120,4 +121,45 @@
+ }
+ 
++/*! \internal
++    Split any Front Matter from the Markdown document \a md.
++    Returns a pair of QStringViews: if \a md begins with qualifying Front 
Matter
++    (according to the specification at 
https://jekyllrb.com/docs/front-matter/ ),
++    put it into the \c frontMatter view, omitting both markers; and put the 
remaining
++    Markdown into \c rest. If no Front Matter is found, return all of \a md 
in \c rest.
++*/
++static auto splitFrontMatter(QStringView md)
++{
++    struct R {
++        QStringView frontMatter, rest;
++        explicit operator bool() const noexcept { return 
!frontMatter.isEmpty(); }
++    };
++
++    const auto NotFound = R{{}, md};
++
++    /*  Front Matter must start with '---\n' or '---\r\n' on the very first 
line,
++        and Front Matter must end with another such line.
++        If that is not the case, we return NotFound: then the whole document 
is
++        to be passed on to the Markdown parser, in which '---\n' is 
interpreted
++        as a "thematic break" (like <hr/> in HTML). */
++    QLatin1StringView marker;
++    if (md.startsWith(lfMarkerString()))
++        marker = lfMarkerString();
++    else if (md.startsWith(crlfMarkerString()))
++        marker = crlfMarkerString();
++    else
++        return NotFound;
++
++    const auto frontMatterStart = marker.size();
++    const auto endMarkerPos = md.indexOf(marker, frontMatterStart);
++
++    if (endMarkerPos < 0 || md[endMarkerPos - 1] != QChar::LineFeed)
++        return NotFound;
++
++    Q_ASSERT(frontMatterStart < md.size());
++    Q_ASSERT(endMarkerPos < md.size());
++    const auto frontMatter = md.sliced(frontMatterStart, endMarkerPos - 
frontMatterStart);
++    return R{frontMatter, md.sliced(endMarkerPos + marker.size())};
++}
++
+ void QTextMarkdownImporter::import(const QString &markdown)
+ {
+@@ -144,19 +186,12 @@
+     QStringView md = markdown;
+ 
+-    if (m_features.testFlag(QTextMarkdownImporter::FeatureFrontMatter) && 
md.startsWith(markerString())) {
+-        qsizetype endMarkerPos = md.indexOf(markerString(), 
markerString().size() + 1);
+-        if (endMarkerPos > 4) {
+-            qsizetype firstLinePos = 4; // first line of yaml
+-            while (md.at(firstLinePos) == '\n'_L1 || md.at(firstLinePos) == 
'\r'_L1)
+-                ++firstLinePos;
+-            auto frontMatter = md.sliced(firstLinePos, endMarkerPos - 
firstLinePos);
+-            firstLinePos = endMarkerPos + 4; // first line of markdown after 
yaml
+-            while (md.size() > firstLinePos && (md.at(firstLinePos) == 
'\n'_L1 || md.at(firstLinePos) == '\r'_L1))
+-                ++firstLinePos;
+-            md = md.sliced(firstLinePos);
+-            doc->setMetaInformation(QTextDocument::FrontMatter, 
frontMatter.toString());
+-            qCDebug(lcMD) << "extracted FrontMatter: size" << 
frontMatter.size();
++    if (m_features.testFlag(QTextMarkdownImporter::FeatureFrontMatter)) {
++        if (const auto split = splitFrontMatter(md)) {
++            doc->setMetaInformation(QTextDocument::FrontMatter, 
split.frontMatter.toString());
++            qCDebug(lcMD) << "extracted FrontMatter: size" << 
split.frontMatter.size();
++            md = split.rest;
+         }
+     }
++
+     const auto mdUtf8 = md.toUtf8();
+     m_cursor.beginEditBlock();
+--- a/tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed1.md
++++ b/tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed1.md
+@@ -0,0 +1,3 @@
++---
++name: "Pluto"---
++Pluto may not be a planet. And this document does not contain Front Matter.
+--- a/tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed2.md
++++ b/tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed2.md
+@@ -0,0 +1,5 @@
++---
++name: "Sloppy"
++--- 
++This document has trailing whitespace after its second Front Matter marker.
++Therefore the marker does not qualify, and the document does not have Front 
Matter.
+--- a/tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed3.md
++++ b/tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed3.md
+@@ -0,0 +1,4 @@
++---
++name: "Aborted YAML"
++description: "The ending marker does not end with a newline, so it's invalid."
++---
+\ No newline at end of file
+--- a/tests/auto/gui/text/qtextmarkdownimporter/data/oss-fuzz-42533775.md
++++ b/tests/auto/gui/text/qtextmarkdownimporter/data/oss-fuzz-42533775.md
+@@ -0,0 +1 @@
++---  ---
+\ No newline at end of file
+--- a/tests/auto/gui/text/qtextmarkdownimporter/data/yaml-crlf.md
++++ b/tests/auto/gui/text/qtextmarkdownimporter/data/yaml-crlf.md
+@@ -0,0 +1,10 @@
++---
++name: "Venus"
++discoverer: "Galileo Galilei"
++title: "A description of the planet Venus"
++keywords:
++  - planets
++  - solar system
++  - astronomy
++---
++*Venus* is the second planet from the Sun, orbiting it every 224.7 Earth days.
+--- a/tests/auto/gui/text/qtextmarkdownimporter/tst_qtextmarkdownimporter.cpp
++++ b/tests/auto/gui/text/qtextmarkdownimporter/tst_qtextmarkdownimporter.cpp
+@@ -549,4 +549,5 @@
+     QTest::newRow("fuzz20450") << "attempted to insert into a list that no 
longer exists";
+     QTest::newRow("fuzz20580") << "";
++    QTest::newRow("oss-fuzz-42533775") << ""; // caused a heap-buffer-overflow
+ }
+ 
+@@ -645,8 +646,13 @@
+ {
+     QTest::addColumn<QString>("inputFile");
++    QTest::addColumn<int>("expectedFrontMatterSize");
+     QTest::addColumn<int>("expectedBlockCount");
+ 
+-    QTest::newRow("yaml + markdown") << QFINDTESTDATA("data/yaml.md") << 1;
+-    QTest::newRow("yaml only") << QFINDTESTDATA("data/yaml-only.md") << 0;
++    QTest::newRow("yaml + markdown") << QFINDTESTDATA("data/yaml.md") << 140 
<< 1;
++    QTest::newRow("yaml + markdown with CRLFs") << 
QFINDTESTDATA("data/yaml-crlf.md") << 140 << 1;
++    QTest::newRow("yaml only") << QFINDTESTDATA("data/yaml-only.md") << 59 << 
0;
++    QTest::newRow("malformed 1") << 
QFINDTESTDATA("data/front-marker-malformed1.md") << 0 << 1;
++    QTest::newRow("malformed 2") << 
QFINDTESTDATA("data/front-marker-malformed2.md") << 0 << 2;
++    QTest::newRow("malformed 3") << 
QFINDTESTDATA("data/front-marker-malformed3.md") << 0 << 1;
+ }
+ 
+@@ -654,4 +660,5 @@
+ {
+     QFETCH(QString, inputFile);
++    QFETCH(int, expectedFrontMatterSize);
+     QFETCH(int, expectedBlockCount);
+ 
+@@ -673,5 +680,7 @@
+     }
+     QCOMPARE(blockCount, expectedBlockCount); // yaml is not part of the 
markdown text
+-    QCOMPARE(doc.metaInformation(QTextDocument::FrontMatter), yaml); // 
without fences
++    if (expectedFrontMatterSize)
++        QCOMPARE(doc.metaInformation(QTextDocument::FrontMatter), yaml); // 
without fences
++    QCOMPARE(doc.metaInformation(QTextDocument::FrontMatter).size(), 
expectedFrontMatterSize);
+ }
+ 

diff --git a/dev-qt/qtbase/qtbase-6.8.3.ebuild 
b/dev-qt/qtbase/qtbase-6.8.3-r1.ebuild
similarity index 99%
rename from dev-qt/qtbase/qtbase-6.8.3.ebuild
rename to dev-qt/qtbase/qtbase-6.8.3-r1.ebuild
index b4e282c77128..0780ba202fe4 100644
--- a/dev-qt/qtbase/qtbase-6.8.3.ebuild
+++ b/dev-qt/qtbase/qtbase-6.8.3-r1.ebuild
@@ -147,6 +147,7 @@ PATCHES=(
        "${FILESDIR}"/${PN}-6.6.3-gcc14-avx512fp16.patch
        "${FILESDIR}"/${PN}-6.8.0-qcontiguouscache.patch
        "${FILESDIR}"/${PN}-6.8.2-cross.patch
+       "${FILESDIR}"/${PN}-6.8.3-CVE-2025-3512.patch
 )
 
 src_prepare() {

Reply via email to