than pushed to qt (f21). "bz#1210677, CVE-2015-1860 CVE-2015-1859 CVE-2015-1858"

notifications at fedoraproject.org notifications at fedoraproject.org
Mon Apr 13 14:49:28 UTC 2015


>From 63cda2bb9fbf98b10f632001bbdb96892f27babd Mon Sep 17 00:00:00 2001
From: Than Ngo <than at redhat.com>
Date: Mon, 13 Apr 2015 16:21:57 +0200
Subject: bz#1210677, CVE-2015-1860 CVE-2015-1859 CVE-2015-1858


diff --git a/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch b/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
new file mode 100644
index 0000000..c772c1a
--- /dev/null
+++ b/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
@@ -0,0 +1,54 @@
+diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp
+--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than	2015-04-13 16:03:24.347475762 +0200
++++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp	2015-04-13 16:04:42.781923479 +0200
+@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s
+                             p = data + (h-y-1)*bpl;
+                             break;
+                         case 2:                        // delta (jump)
+-                            // Protection
+-                            if ((uint)x >= (uint)w)
+-                                x = w-1;
+-                            if ((uint)y >= (uint)h)
+-                                y = h-1;
+-
+                             {
+                                 quint8 tmp;
+                                 d->getChar((char *)&tmp);
+@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s
+                                 d->getChar((char *)&tmp);
+                                 y += tmp;
+                             }
++
++                            // Protection
++                            if ((uint)x >= (uint)w)
++                                x = w-1;
++                            if ((uint)y >= (uint)h)
++                                y = h-1;
++
+                             p = data + (h-y-1)*bpl + x;
+                             break;
+                         default:                // absolute mode
+diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp
+--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than	2015-04-13 16:10:38.284420268 +0200
++++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp	2015-04-13 16:11:17.406144797 +0200
+@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image,
+ 
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++    if (out_of_bounds)
++        return;
+     int my;
+     switch (interlace) {
+     case 0: // Non-interlaced
+diff -up qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp
+--- qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than	2015-04-13 16:05:02.059787728 +0200
++++ qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp	2015-04-13 16:05:41.141512553 +0200
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+                 QImage::Format format = QImage::Format_ARGB32;
+                 if (icoAttrib.nbits == 24)
+                     format = QImage::Format_RGB32;
+-                else if (icoAttrib.ncolors == 2)
++                else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+                     format = QImage::Format_Mono;
+                 else if (icoAttrib.ncolors > 0)
+                     format = QImage::Format_Indexed8;
diff --git a/qt.spec b/qt.spec
index e76e95a..82e5f52 100644
--- a/qt.spec
+++ b/qt.spec
@@ -35,7 +35,7 @@ Summary: Qt toolkit
 Name:    qt
 Epoch:   1
 Version: 4.8.6
-Release: 27%{?dist}
+Release: 28%{?dist}
 
 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
 License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@@ -199,6 +199,8 @@ Patch272: 0072-Fix-font-cache-check-in-QFontEngineFT-recalcAdvances.patch
 # CVE-2015-0295
 # http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
 Patch337: 0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
+# CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
+Patch338: qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
 
 # desktop files
 Source20: assistant.desktop
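Review bot: The comment on the new Patch338 entry lists only the CVE numbers, whereas the neighbouring Patch337 entry also cites the upstream advisory URL; a security backport should carry the same traceability so the next maintainer can compare it against upstream. Extend the comment, for example `# CVE-2015-1860 CVE-2015-1859 CVE-2015-1858 (bz#1210677) - backported from upstream Qt; see the qt-project announce post for these CVEs`. If the upstream change IDs or the announce URL are known, put them on a second `#` line as Patch337 does.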
@@ -597,6 +599,7 @@ rm -rf src/3rdparty/clucene
 %patch267 -p1 -b .0067
 %patch272 -p1 -b .0072
 %patch337 -p1 -b .0137
+%patch338 -p1 -b .CVE-2015-1860_CVE-2015-1859_CVE-2015-1858
 
 # security fixes
 # regression fixes for the security fixes
@@ -1332,6 +1335,9 @@ fi
 
 
 %changelog
+* Mon Apr 13 2015 Than Ngo <than at redhat.com> - 1:4.8.6-28
+- bz#1210677, CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
+
 * Thu Mar 26 2015 Richard Hughes <rhughes at redhat.com> - 1:4.8.6-27
 - Add an AppData file for the software center
 


	http://pkgs.fedoraproject.org/cgit/qt.git/commit/?h=f21&id=63cda2bb9fbf98b10f632001bbdb96892f27babd

