[qt3] backport CVE-2015-0295 (BMP image handler DoS, #1197275) fix from Qt 4

Kevin Kofler kkofler at fedoraproject.org
Sat Feb 28 04:07:32 UTC 2015


commit 36ee0d8c26c6c4a2eea1fb29724c35d50fcfc005
Author: Kevin Kofler <Kevin at tigcc.ticalc.org>
Date:   Sat Feb 28 05:07:05 2015 +0100

    backport CVE-2015-0295 (BMP image handler DoS, #1197275) fix from Qt 4
    
    * Sat Feb 28 2014 Kevin Kofler <Kevin at tigcc.ticalc.org> - 3.3.8b-62
    - backport CVE-2015-0295 (BMP image handler DoS, #1197275) fix from Qt 4

 qt-x11-free-3.3.8b-CVE-2015-0295.patch | 20 ++++++++++++++++++++
 qt3.spec                               |  8 +++++++-
 2 files changed, 27 insertions(+), 1 deletion(-)
---
diff --git a/qt-x11-free-3.3.8b-CVE-2015-0295.patch b/qt-x11-free-3.3.8b-CVE-2015-0295.patch
new file mode 100644
index 0000000..1ea84fe
--- /dev/null
+++ b/qt-x11-free-3.3.8b-CVE-2015-0295.patch
@@ -0,0 +1,20 @@
+diff -ur qt-x11-free-3.3.8b/src/kernel/qimage.cpp qt-x11-free-3.3.8b-CVE-2015-0295/src/kernel/qimage.cpp
+--- qt-x11-free-3.3.8b/src/kernel/qimage.cpp	2008-01-15 20:09:13.000000000 +0100
++++ qt-x11-free-3.3.8b-CVE-2015-0295/src/kernel/qimage.cpp	2015-02-28 04:59:11.000000000 +0100
+@@ -4716,10 +4716,16 @@
+ 	if ( (Q_ULONG)d->readBlock( (char *)&blue_mask, sizeof(blue_mask) ) != sizeof(blue_mask) )
+ 	    return FALSE;
+ 	red_shift = calc_shift(red_mask);
++	if (((red_mask >> red_shift) + 1) == 0)
++	    return FALSE;
+ 	red_scale = 256 / ((red_mask >> red_shift) + 1);
+ 	green_shift = calc_shift(green_mask);
++	if (((green_mask >> green_shift) + 1) == 0)
++	    return FALSE;
+ 	green_scale = 256 / ((green_mask >> green_shift) + 1);
+ 	blue_shift = calc_shift(blue_mask);
++	if (((blue_mask >> blue_shift) + 1) == 0)
++	    return FALSE;
+ 	blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+     } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+ 	blue_mask = 0x000000ff;
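Review bot: The three added guards only reject the case where `(mask >> shift) + 1` wraps to 0, i.e. an all-ones mask read from the file, and nothing in the code says so; a comment above the first guard such as `// all-ones mask: (mask >> shift) + 1 wraps to 0, reject before dividing` would keep the reason from being lost in a later cleanup. A mask of 0 still reaches `calc_shift()` before any check, and that helper's body is outside this hunk, so it is worth confirming that the Qt 3 version terminates for that input, since the fix is a backport and the helper may differ from the Qt 4 one. Masks wider than 8 bits also pass the guard and yield a scale of 0 from `256 / ...`; whether the later pixel conversion tolerates that is not visible here. The enclosing function starts and ends outside the hunk.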
diff --git a/qt3.spec b/qt3.spec
index 9d1084d..c9b085b 100644
--- a/qt3.spec
+++ b/qt3.spec
@@ -6,7 +6,7 @@
 Name: qt3
 Summary: The shared library for the Qt 3 GUI toolkit
 Version: 3.3.8b
-Release: 61%{?dist}
+Release: 62%{?dist}
 License: QPL or GPLv2 or GPLv3
 Group: System Environment/Libraries
 BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -91,6 +91,8 @@ Patch201: qt-x11-free-3.3.8b-gcc43.patch
 Patch300: qt-x11-free-3.3.8b-CVE-2013-4549.patch
 # fix for CVE-2014-0190 (QTBUG-38367) backported from Qt 4
 Patch301: qt-x11-free-3.3.8b-CVE-2014-0190.patch
+# fix for CVE-2015-0295 backported from Qt 4
+Patch302: qt-x11-free-3.3.8b-CVE-2015-0295.patch
 
 %define qt_dirname qt-3.3
 %define qtdir %{_libdir}/%{qt_dirname}
@@ -343,6 +345,7 @@ sed -i.KDE3_PLUGIN_PATH \
 # security patches
 %patch300 -p1 -b .CVE-2013-4549
 %patch301 -p1 -b .CVE-2014-0190
+%patch302 -p1 -b .CVE-2015-0295
 
 # convert to UTF-8
 iconv -f iso-8859-1 -t utf-8 < doc/man/man3/qdial.3qt > doc/man/man3/qdial.3qt_
@@ -639,6 +642,9 @@ rm -rf %{buildroot}
 
 
 %changelog
+* Sat Feb 28 2014 Kevin Kofler <Kevin at tigcc.ticalc.org> - 3.3.8b-62
+- backport CVE-2015-0295 (BMP image handler DoS, #1197275) fix from Qt 4
+
 * Fri Feb 27 2015 Rex Dieter <rdieter at fedoraproject.org> 3.3.8b-61
 - rebuild (gcc5)
 

