[qt5-qtbase/f22-5.4.0] fix CVE-2015-0295, rebuild for fixed GCC in F22

Kevin Kofler kkofler at fedoraproject.org
Wed Mar 4 01:12:28 UTC 2015


commit 78f25df4bf828569f0618c467d9401ed19eec2ee
Author: Kevin Kofler <Kevin at tigcc.ticalc.org>
Date:   Wed Mar 4 02:11:58 2015 +0100

    fix CVE-2015-0295, rebuild for fixed GCC in F22
    
    * Wed Mar 04 2015 Kevin Kofler <Kevin at tigcc.ticalc.org> - 5.4.0-14
    - fix division by zero on malformed BMP files (QTBUG-44547, CVE-2015-0295)
    - rebuild for fixed GCC in F22

 ...ion-by-zero-when-processing-malformed-BMP.patch | 45 ++++++++++++++++++++++
 qt5-qtbase.spec                                    | 12 +++++-
 2 files changed, 56 insertions(+), 1 deletion(-)
---
diff --git a/0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch b/0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
new file mode 100644
index 0000000..a1a5df1
--- /dev/null
+++ b/0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
@@ -0,0 +1,45 @@
+From 661f6bfd032dacc62841037732816a583640e187 Mon Sep 17 00:00:00 2001
+From: "Richard J. Moore" <rich at kde.org>
+Date: Sat, 21 Feb 2015 17:43:21 +0000
+Subject: [PATCH 149/163] Fix a division by zero when processing malformed BMP
+ files.
+
+This fixes a division by 0 when processing a maliciously crafted BMP
+file. No impact beyond DoS.
+
+Task-number: QTBUG-44547
+Change-Id: Ifcded2c0aa712e90d23e6b3969af0ec3add53973
+Reviewed-by: Thiago Macieira <thiago.macieira at intel.com>
+Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen at theqtcompany.com>
+---
+ src/gui/image/qbmphandler.cpp | 8 ++++++++
+ 1 file changed, 8 insertions(+)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index 21c1a2f..df66499 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -314,12 +314,20 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+         }
+     } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
+         red_shift = calc_shift(red_mask);
++        if (((red_mask >> red_shift) + 1) == 0)
++            return false;
+         red_scale = 256 / ((red_mask >> red_shift) + 1);
+         green_shift = calc_shift(green_mask);
++        if (((green_mask >> green_shift) + 1) == 0)
++            return false;
+         green_scale = 256 / ((green_mask >> green_shift) + 1);
+         blue_shift = calc_shift(blue_mask);
++        if (((blue_mask >> blue_shift) + 1) == 0)
++            return false;
+         blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+         alpha_shift = calc_shift(alpha_mask);
++        if (((alpha_mask >> alpha_shift) + 1) == 0)
++            return false;
+         alpha_scale = 256 / ((alpha_mask >> alpha_shift) + 1);
+     } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+         blue_mask = 0x000000ff;
+-- 
+1.9.3
+
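Review bot: The four added `if (((mask >> shift) + 1) == 0) return false;` guards detect the zero divisor only through arithmetic wraparound — the divisor reaches 0 exactly when the shifted mask is all ones — so they are correct only if `red_mask`, `green_mask`, `blue_mask` and `alpha_mask` are unsigned; with a signed type the `+ 1` would be signed overflow (undefined behaviour) rather than 0, and the comparison could be optimised away. The mask declarations sit earlier in read_dib_body, which starts and ends outside this hunk, so the type should be confirmed when the backport is applied; if it turned out to be signed, the portable form is `const uint red_div = (red_mask >> red_shift) + 1u;` followed by `if (red_div == 0) return false;`. A mask of 0 appears already safe here, since `calc_shift` presumably yields shift 0 for it and the divisor becomes 1, but that too depends on code outside the hunk. Since the patch is a verbatim upstream change (Change-Id and Reviewed-by trailers kept), no edit to its body is proposed.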
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index c526e6f..24aea98 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -33,7 +33,7 @@
 Summary: Qt5 - QtBase components
 Name:    qt5-qtbase
 Version: 5.4.0
-Release: 13%{?dist}
+Release: 14%{?dist}
 
 # See LGPL_EXCEPTIONS.txt, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -93,6 +93,10 @@ Patch100: qtbase-opensource-src-5.4.0-QTBUG-43057.patch
 Patch109: 0009-Do-not-apply-subpixel-gamma-correction-on-XCB.patch
 Patch273: 0173-qimage_conversions.cpp-Fix-build-on-big-endian-syste.patch
 
+# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
+# CVE-2015-0295
+Patch349: 0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
+
 # macros, be mindful to keep sync'd with macros.qt5
 Source1: macros.qt5
 %define _qt5 %{name}
@@ -339,6 +343,8 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
 %patch109 -p1 -b .0009
 %patch273 -p1 -b .0173
 
+%patch349 -p1 -b .0149
+
 # drop -fexceptions from $RPM_OPT_FLAGS
 RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
 
@@ -843,6 +849,10 @@ fi
 
 
 %changelog
+* Wed Mar 04 2015 Kevin Kofler <Kevin at tigcc.ticalc.org> - 5.4.0-14
+- fix division by zero on malformed BMP files (QTBUG-44547, CVE-2015-0295)
+- rebuild for fixed GCC in F22
+
 * Mon Feb 16 2015 Rex Dieter <rdieter at fedoraproject.org> 5.4.0-13
 - -no-use-gold-linker (f22+, #1193044)
 

