commit: e4e6f57cf6b634a506908ae401ff9488368c3e92 Author: orbea <orbea <AT> riseup <DOT> net> AuthorDate: Tue Jun 13 03:26:42 2023 +0000 Commit: orbea <orbea <AT> riseup <DOT> net> CommitDate: Tue Jun 13 03:26:42 2023 +0000 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=e4e6f57c
dev-qt/qtbase: drop unused patch Signed-off-by: orbea <orbea <AT> riseup.net> .../qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch | 101 --------------------- 1 file changed, 101 deletions(-) diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch deleted file mode 100644 index c982cce..0000000 --- a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch +++ /dev/null @@ -1,101 +0,0 @@ -From a2dc11b37fd71f785c342c40549f54edfdd1a6f8 Mon Sep 17 00:00:00 2001 -From: Thiago Macieira <[email protected]> -Date: Thu, 11 May 2023 21:40:15 -0700 -Subject: [PATCH] QDnsLookup/Unix: make sure we don't overflow the buffer -MIME-Version: 1.0 -Content-Type: text/plain; charset=utf8 -Content-Transfer-Encoding: 8bit - -The DNS Records are variable length and encode their size in 16 bits -before the Record Data (RDATA). Ensure that both the RDATA and the -Record header fields before it fall inside the buffer we have. - -Additionally reject any replies containing more than one query records. - -[ChangeLog][QtNetwork][QDnsLookup] Fixed a bug that could cause a buffer -overflow in Unix systems while parsing corrupt, malicious, or truncated -replies. - -Pick-to: 5.15 6.2 6.5.1 -Change-Id: I3e3bfef633af4130a03afffd175e4b9547654b95 -Reviewed-by: MÃ¥rten Nordheim <[email protected]> -Reviewed-by: Jani Heikkinen <[email protected]> -(cherry picked from commit 7dba2c87619d558a61a30eb30cc1d9c3fe6df94c) -Reviewed-by: Daniel Smith <[email protected]> ---- - src/network/kernel/qdnslookup_unix.cpp | 31 +++++++++++++++++++++++++------ - 1 file changed, 25 insertions(+), 6 deletions(-) - -diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp -index 8db79028f775..ad7bb51f67a5 100644 ---- a/src/network/kernel/qdnslookup_unix.cpp -+++ b/src/network/kernel/qdnslookup_unix.cpp -@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN - // responseLength in case of error, we still can extract the - // exact error code from the response. - HEADER *header = (HEADER*)response; -- const int answerCount = ntohs(header->ancount); - switch (header->rcode) { - case NOERROR: - break; -@@ -227,18 +226,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN - return; - } - -- // Skip the query host, type (2 bytes) and class (2 bytes). - char host[PACKETSZ], answer[PACKETSZ]; - unsigned char *p = response + sizeof(HEADER); -- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); -- if (status < 0) { -+ int status; -+ -+ if (ntohs(header->qdcount) == 1) { -+ // Skip the query host, type (2 bytes) and class (2 bytes). -+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); -+ if (status < 0) { -+ reply->error = QDnsLookup::InvalidReplyError; -+ reply->errorString = tr("Could not expand domain name"); -+ return; -+ } -+ if ((p - response) + status + 4 >= responseLength) -+ header->qdcount = 0xffff; // invalid reply below -+ else -+ p += status + 4; -+ } -+ if (ntohs(header->qdcount) > 1) { - reply->error = QDnsLookup::InvalidReplyError; -- reply->errorString = tr("Could not expand domain name"); -+ reply->errorString = tr("Invalid reply received"); - return; - } -- p += status + 4; - - // Extract results. -+ const int answerCount = ntohs(header->ancount); - int answerIndex = 0; - while ((p < response + responseLength) && (answerIndex < answerCount)) { - status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); -@@ -250,6 +262,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN - const QString name = QUrl::fromAce(host); - - p += status; -+ -+ if ((p - response) + 10 > responseLength) { -+ // probably just a truncated reply, return what we have -+ return; -+ } - const quint16 type = (p[0] << 8) | p[1]; - p += 2; // RR type - p += 2; // RR class -@@ -257,6 +274,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN - p += 4; - const quint16 size = (p[0] << 8) | p[1]; - p += 2; -+ if ((p - response) + size > responseLength) -+ return; // truncated - - if (type == QDnsLookup::A) { - if (size != 4) { --- -2.16.3 -
