[qt5-qtbase/f22-5.4.0] fix CVE-2015-0295, rebuild for fixed GCC in F22
Kevin Kofler
kkofler at fedoraproject.org
Wed Mar 4 01:12:28 UTC 2015
commit 78f25df4bf828569f0618c467d9401ed19eec2ee
Author: Kevin Kofler <Kevin at tigcc.ticalc.org>
Date: Wed Mar 4 02:11:58 2015 +0100
fix CVE-2015-0295, rebuild for fixed GCC in F22
* Wed Mar 04 2015 Kevin Kofler <Kevin at tigcc.ticalc.org> - 5.4.0-14
- fix division by zero on malformed BMP files (QTBUG-44547, CVE-2015-0295)
- rebuild for fixed GCC in F22
...ion-by-zero-when-processing-malformed-BMP.patch | 45 ++++++++++++++++++++++
qt5-qtbase.spec | 12 +++++-
2 files changed, 56 insertions(+), 1 deletion(-)
---
diff --git a/0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch b/0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
new file mode 100644
index 0000000..a1a5df1
--- /dev/null
+++ b/0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
@@ -0,0 +1,45 @@
+From 661f6bfd032dacc62841037732816a583640e187 Mon Sep 17 00:00:00 2001
+From: "Richard J. Moore" <rich at kde.org>
+Date: Sat, 21 Feb 2015 17:43:21 +0000
+Subject: [PATCH 149/163] Fix a division by zero when processing malformed BMP
+ files.
+
+This fixes a division by 0 when processing a maliciously crafted BMP
+file. No impact beyond DoS.
+
+Task-number: QTBUG-44547
+Change-Id: Ifcded2c0aa712e90d23e6b3969af0ec3add53973
+Reviewed-by: Thiago Macieira <thiago.macieira at intel.com>
+Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen at theqtcompany.com>
+---
+ src/gui/image/qbmphandler.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index 21c1a2f..df66499 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -314,12 +314,20 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ }
+ } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
+ red_shift = calc_shift(red_mask);
++ if (((red_mask >> red_shift) + 1) == 0)
++ return false;
+ red_scale = 256 / ((red_mask >> red_shift) + 1);
+ green_shift = calc_shift(green_mask);
++ if (((green_mask >> green_shift) + 1) == 0)
++ return false;
+ green_scale = 256 / ((green_mask >> green_shift) + 1);
+ blue_shift = calc_shift(blue_mask);
++ if (((blue_mask >> blue_shift) + 1) == 0)
++ return false;
+ blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+ alpha_shift = calc_shift(alpha_mask);
++ if (((alpha_mask >> alpha_shift) + 1) == 0)
++ return false;
+ alpha_scale = 256 / ((alpha_mask >> alpha_shift) + 1);
+ } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+ blue_mask = 0x000000ff;
+--
+1.9.3
+
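Review bot: the four guards in the `read_dib_body` hunk are only reliable if the mask variables are unsigned; `if (((red_mask >> red_shift) + 1) == 0)` depends on the addition wrapping to zero, which is defined for `uint` but undefined for a signed `int`, where a compiler may legitimately drop the test. The declarations are outside the hunk, so please confirm the masks are unsigned in the surrounding code. Since the same three-line pattern is repeated verbatim for red, green, blue and alpha, folding it into one helper that returns the scale or fails (e.g. `static bool calc_scale(uint mask, int &shift, int &scale)`) would keep a future channel from missing the check. Note also that the guard addresses only the divide-by-zero case; a mask wider than eight bits after the shift still yields `256 / ((mask >> shift) + 1) == 0`, which the visible arithmetic tolerates but which is worth a comment so nobody reads the guard as a full mask validation.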
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index c526e6f..24aea98 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -33,7 +33,7 @@
Summary: Qt5 - QtBase components
Name: qt5-qtbase
Version: 5.4.0
-Release: 13%{?dist}
+Release: 14%{?dist}
# See LGPL_EXCEPTIONS.txt, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -93,6 +93,10 @@ Patch100: qtbase-opensource-src-5.4.0-QTBUG-43057.patch
Patch109: 0009-Do-not-apply-subpixel-gamma-correction-on-XCB.patch
Patch273: 0173-qimage_conversions.cpp-Fix-build-on-big-endian-syste.patch
+# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
+# CVE-2015-0295
+Patch349: 0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
+
# macros, be mindful to keep sync'd with macros.qt5
Source1: macros.qt5
%define _qt5 %{name}
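Review bot: `Patch349` appears to break the numbering convention visible in this hunk, where the spec patch number is the upstream sequence number plus 100 (`0009-...` is `Patch109`, `0173-...` is `Patch273`); under that scheme `0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch` would be `Patch249`. If the 2xx range is deliberately reserved, a one-line comment next to the announce URL saying so would save the next maintainer the same question. The CVE identifier and the link to the upstream announcement above the `Patch349:` line are the right provenance to keep.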
@@ -339,6 +343,8 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
%patch109 -p1 -b .0009
%patch273 -p1 -b .0173
+%patch349 -p1 -b .0149
+
# drop -fexceptions from $RPM_OPT_FLAGS
RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
@@ -843,6 +849,10 @@ fi
%changelog
+* Wed Mar 04 2015 Kevin Kofler <Kevin at tigcc.ticalc.org> - 5.4.0-14
+- fix division by zero on malformed BMP files (QTBUG-44547, CVE-2015-0295)
+- rebuild for fixed GCC in F22
+
* Mon Feb 16 2015 Rex Dieter <rdieter at fedoraproject.org> 5.4.0-13
- -no-use-gold-linker (f22+, #1193044)
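The arithmetic the new guard protects, as an added example that is not part of this commit or of Qt's own code: a standalone C model of the BITFIELDS scale computation from the `read_dib_body` hunk, with a pre-patch variant that reports whether the division would fault and a post-patch variant that mirrors the guard. The `calc_shift` here is an assumption made for the example (index of the lowest set bit, 0 for a zero mask), since its body is not on the page; it is what makes the guard's `+ 1` wrap to zero only for an all-ones mask. The mask sets are constructed for the demonstration.

```c
#include <stdbool.h>
#include <stdint.h>
#include <stdio.h>

/* Assumed model of calc_shift(): index of the lowest set bit of the mask,
 * 0 for a zero mask. Not copied from the page. */
static int calc_shift(uint32_t mask)
{
    int result = 0;
    while (mask && !(mask & 1u)) {
        result++;
        mask >>= 1;
    }
    return result;
}

/* Divisor used by both the pre- and post-patch code: (mask >> shift) + 1.
 * With a 32-bit unsigned mask the addition wraps to 0 exactly when
 * mask >> shift == 0xFFFFFFFF, i.e. when shift is 0 and every bit is set. */
uint32_t scale_divisor(uint32_t mask)
{
    return (mask >> calc_shift(mask)) + 1u;
}

/* Pre-patch behaviour, modelled without performing the division: report
 * whether 256 / divisor would trap on this mask. */
bool unguarded_scale_traps(uint32_t mask)
{
    return scale_divisor(mask) == 0u;
}

/* Post-patch behaviour: the guard from the hunk. Returns -1 where the
 * patched read_dib_body() returns false, otherwise the channel scale. */
int guarded_scale(uint32_t mask)
{
    uint32_t divisor = scale_divisor(mask);
    if (divisor == 0u)
        return -1;
    return (int)(256u / divisor);
}

/* The four-channel check as the patched reader applies it to a BITFIELDS
 * header. Returns false if any channel would divide by zero. */
bool bitfield_masks_ok(uint32_t red, uint32_t green, uint32_t blue, uint32_t alpha)
{
    return guarded_scale(red) >= 0 && guarded_scale(green) >= 0 &&
           guarded_scale(blue) >= 0 && guarded_scale(alpha) >= 0;
}

int main(void)
{
    /* Constructed mask sets: a normal 32-bit BGRA layout, and a crafted one
     * whose alpha mask is all ones. */
    uint32_t ok[4]  = { 0x00FF0000u, 0x0000FF00u, 0x000000FFu, 0xFF000000u };
    uint32_t bad[4] = { 0x00FF0000u, 0x0000FF00u, 0x000000FFu, 0xFFFFFFFFu };

    printf("normal masks accepted: %s\n",
           bitfield_masks_ok(ok[0], ok[1], ok[2], ok[3]) ? "yes" : "no");
    printf("crafted alpha 0xFFFFFFFF: divisor=%u, unguarded traps=%s, guarded=%d\n",
           scale_divisor(bad[3]),
           unguarded_scale_traps(bad[3]) ? "yes" : "no",
           guarded_scale(bad[3]));
    printf("rejected by patched check: %s\n",
           bitfield_masks_ok(bad[0], bad[1], bad[2], bad[3]) ? "no" : "yes");
    return 0;
}
```

Build with `cc -Wall -o bmpscale bmpscale.c && ./bmpscale`. Because the shift strips trailing zero bits, `mask >> shift` can equal `0xFFFFFFFF` only for the single value `0xFFFFFFFF`, so that is the one mask per channel the guard rejects. A mask that is wider than eight bits after shifting, such as `0xFFFF0000`, passes the guard and produces a scale of 0 rather than a fault, which matches what the hunk's arithmetic does and is consistent with the commit message's "No impact beyond DoS".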