than pushed to qt (master). "bz#1210677, CVE-2015-1860 CVE-2015-1859 CVE-2015-1858"
notifications at fedoraproject.org
notifications at fedoraproject.org
Mon Apr 13 14:22:19 UTC 2015
>From 63cda2bb9fbf98b10f632001bbdb96892f27babd Mon Sep 17 00:00:00 2001
From: Than Ngo <than at redhat.com>
Date: Mon, 13 Apr 2015 16:21:57 +0200
Subject: bz#1210677, CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
diff --git a/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch b/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
new file mode 100644
index 0000000..c772c1a
--- /dev/null
+++ b/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
@@ -0,0 +1,54 @@
+diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp
+--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than 2015-04-13 16:03:24.347475762 +0200
++++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp 2015-04-13 16:04:42.781923479 +0200
+@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s
+ p = data + (h-y-1)*bpl;
+ break;
+ case 2: // delta (jump)
+- // Protection
+- if ((uint)x >= (uint)w)
+- x = w-1;
+- if ((uint)y >= (uint)h)
+- y = h-1;
+-
+ {
+ quint8 tmp;
+ d->getChar((char *)&tmp);
+@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s
+ d->getChar((char *)&tmp);
+ y += tmp;
+ }
++
++ // Protection
++ if ((uint)x >= (uint)w)
++ x = w-1;
++ if ((uint)y >= (uint)h)
++ y = h-1;
++
+ p = data + (h-y-1)*bpl + x;
+ break;
+ default: // absolute mode
+diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp
+--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than 2015-04-13 16:10:38.284420268 +0200
++++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp 2015-04-13 16:11:17.406144797 +0200
+@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image,
+
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++ if (out_of_bounds)
++ return;
+ int my;
+ switch (interlace) {
+ case 0: // Non-interlaced
+diff -up qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp
+--- qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than 2015-04-13 16:05:02.059787728 +0200
++++ qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp 2015-04-13 16:05:41.141512553 +0200
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+ QImage::Format format = QImage::Format_ARGB32;
+ if (icoAttrib.nbits == 24)
+ format = QImage::Format_RGB32;
+- else if (icoAttrib.ncolors == 2)
++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+ format = QImage::Format_Mono;
+ else if (icoAttrib.ncolors > 0)
+ format = QImage::Format_Indexed8;
diff --git a/qt.spec b/qt.spec
index e76e95a..82e5f52 100644
--- a/qt.spec
+++ b/qt.spec
@@ -35,7 +35,7 @@ Summary: Qt toolkit
Name: qt
Epoch: 1
Version: 4.8.6
-Release: 27%{?dist}
+Release: 28%{?dist}
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@@ -199,6 +199,8 @@ Patch272: 0072-Fix-font-cache-check-in-QFontEngineFT-recalcAdvances.patch
# CVE-2015-0295
# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
Patch337: 0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
+# CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
+Patch338: qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
# desktop files
Source20: assistant.desktop
@@ -597,6 +599,7 @@ rm -rf src/3rdparty/clucene
%patch267 -p1 -b .0067
%patch272 -p1 -b .0072
%patch337 -p1 -b .0137
+%patch338 -p1 -b .CVE-2015-1860_CVE-2015-1859_CVE-2015-1858
# security fixes
# regression fixes for the security fixes
@@ -1332,6 +1335,9 @@ fi
%changelog
+* Mon Apr 13 2015 Than Ngo <than at redhat.com> - 1:4.8.6-28
+- bz#1210677, CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
+
* Thu Mar 26 2015 Richard Hughes <rhughes at redhat.com> - 1:4.8.6-27
- Add an AppData file for the software center
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/qt.git/commit/?h=master&id=63cda2bb9fbf98b10f632001bbdb96892f27babd
More information about the scm-commits
mailing list