[qt3] backport CVE-2015-0295 (BMP image handler DoS, #1197275) fix from Qt 4
Kevin Kofler
kkofler at fedoraproject.org
Sat Feb 28 04:07:32 UTC 2015
commit 36ee0d8c26c6c4a2eea1fb29724c35d50fcfc005
Author: Kevin Kofler <Kevin at tigcc.ticalc.org>
Date: Sat Feb 28 05:07:05 2015 +0100
backport CVE-2015-0295 (BMP image handler DoS, #1197275) fix from Qt 4
* Sat Feb 28 2014 Kevin Kofler <Kevin at tigcc.ticalc.org> - 3.3.8b-62
- backport CVE-2015-0295 (BMP image handler DoS, #1197275) fix from Qt 4
qt-x11-free-3.3.8b-CVE-2015-0295.patch | 20 ++++++++++++++++++++
qt3.spec | 8 +++++++-
2 files changed, 27 insertions(+), 1 deletion(-)
---
diff --git a/qt-x11-free-3.3.8b-CVE-2015-0295.patch b/qt-x11-free-3.3.8b-CVE-2015-0295.patch
new file mode 100644
index 0000000..1ea84fe
--- /dev/null
+++ b/qt-x11-free-3.3.8b-CVE-2015-0295.patch
@@ -0,0 +1,20 @@
+diff -ur qt-x11-free-3.3.8b/src/kernel/qimage.cpp qt-x11-free-3.3.8b-CVE-2015-0295/src/kernel/qimage.cpp
+--- qt-x11-free-3.3.8b/src/kernel/qimage.cpp 2008-01-15 20:09:13.000000000 +0100
++++ qt-x11-free-3.3.8b-CVE-2015-0295/src/kernel/qimage.cpp 2015-02-28 04:59:11.000000000 +0100
+@@ -4716,10 +4716,16 @@
+ if ( (Q_ULONG)d->readBlock( (char *)&blue_mask, sizeof(blue_mask) ) != sizeof(blue_mask) )
+ return FALSE;
+ red_shift = calc_shift(red_mask);
++ if (((red_mask >> red_shift) + 1) == 0)
++ return FALSE;
+ red_scale = 256 / ((red_mask >> red_shift) + 1);
+ green_shift = calc_shift(green_mask);
++ if (((green_mask >> green_shift) + 1) == 0)
++ return FALSE;
+ green_scale = 256 / ((green_mask >> green_shift) + 1);
+ blue_shift = calc_shift(blue_mask);
++ if (((blue_mask >> blue_shift) + 1) == 0)
++ return FALSE;
+ blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+ } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+ blue_mask = 0x000000ff;
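Review bot: The added guards in the embedded qimage.cpp patch reject only a divisor of exactly zero, so a file-supplied mask whose shifted value exceeds 255 still passes and integer division leaves `red_scale` (likewise `green_scale` and `blue_scale`) at 0; how the scale is used afterwards is outside the hunk, but a zero scale presumably blanks the channel instead of failing the load. Computing each divisor once and range-checking it keeps the test and the division from drifting apart, e.g. `const uint red_div = (red_mask >> red_shift) + 1;` then `if (red_div == 0 || red_div > 256) return FALSE;` and `red_scale = 256 / red_div;`. The declared type of the masks and the body of `calc_shift` are not visible here, so it is also worth confirming that `calc_shift` terminates for a mask of 0 and that the right shift behaves as intended if the masks are signed. The enclosing function begins and ends outside the hunk.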
diff --git a/qt3.spec b/qt3.spec
index 9d1084d..c9b085b 100644
--- a/qt3.spec
+++ b/qt3.spec
@@ -6,7 +6,7 @@
Name: qt3
Summary: The shared library for the Qt 3 GUI toolkit
Version: 3.3.8b
-Release: 61%{?dist}
+Release: 62%{?dist}
License: QPL or GPLv2 or GPLv3
Group: System Environment/Libraries
BuildRoot: %{_tmppath}/%{name}-%{version}-%{release}-root-%(%{__id_u} -n)
@@ -91,6 +91,8 @@ Patch201: qt-x11-free-3.3.8b-gcc43.patch
Patch300: qt-x11-free-3.3.8b-CVE-2013-4549.patch
# fix for CVE-2014-0190 (QTBUG-38367) backported from Qt 4
Patch301: qt-x11-free-3.3.8b-CVE-2014-0190.patch
+# fix for CVE-2015-0295 backported from Qt 4
+Patch302: qt-x11-free-3.3.8b-CVE-2015-0295.patch
%define qt_dirname qt-3.3
%define qtdir %{_libdir}/%{qt_dirname}
@@ -343,6 +345,7 @@ sed -i.KDE3_PLUGIN_PATH \
# security patches
%patch300 -p1 -b .CVE-2013-4549
%patch301 -p1 -b .CVE-2014-0190
+%patch302 -p1 -b .CVE-2015-0295
# convert to UTF-8
iconv -f iso-8859-1 -t utf-8 < doc/man/man3/qdial.3qt > doc/man/man3/qdial.3qt_
@@ -639,6 +642,9 @@ rm -rf %{buildroot}
%changelog
+* Sat Feb 28 2014 Kevin Kofler <Kevin at tigcc.ticalc.org> - 3.3.8b-62
+- backport CVE-2015-0295 (BMP image handler DoS, #1197275) fix from Qt 4
+
* Fri Feb 27 2015 Rex Dieter <rdieter at fedoraproject.org> 3.3.8b-61
- rebuild (gcc5)