rdieter pushed to qt5-qtbase (f20). "Multiple Vulnerabilities in Qt Image Format Handling (CVE-2015-1860 CVE-2015-1859 CVE-2015-1858)"
notifications at fedoraproject.org
notifications at fedoraproject.org
Mon Apr 13 17:51:42 UTC 2015
>From 9a602903fd5fc0260e0d36effe5a381f8c0eab30 Mon Sep 17 00:00:00 2001
From: Rex Dieter <rdieter at math.unl.edu>
Date: Mon, 13 Apr 2015 12:50:19 -0500
Subject: Multiple Vulnerabilities in Qt Image Format Handling (CVE-2015-1860
CVE-2015-1859 CVE-2015-1858)
diff --git a/0200-Fixes-crash-in-gif-image-decoder.patch b/0200-Fixes-crash-in-gif-image-decoder.patch
new file mode 100644
index 0000000..db7cefc
--- /dev/null
+++ b/0200-Fixes-crash-in-gif-image-decoder.patch
@@ -0,0 +1,30 @@
+From d3048a29797ee2d80d84bbda26bb3c954584f332 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland at theqtcompany.com>
+Date: Wed, 11 Mar 2015 09:00:41 +0100
+Subject: [PATCH 200/238] Fixes crash in gif image decoder
+
+Fuzzing test revealed that for certain malformed gif files,
+qgifhandler would segfault.
+
+Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
+Reviewed-by: Richard J. Moore <rich at kde.org>
+---
+ src/gui/image/qgifhandler.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
+index 03e46ab..8d8c4ae 100644
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -936,6 +936,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co
+
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++ if (out_of_bounds)
++ return;
+ int my;
+ switch (interlace) {
+ case 0: // Non-interlaced
+--
+1.9.3
+
diff --git a/0201-Fixes-crash-in-bmp-and-ico-image-decoding.patch b/0201-Fixes-crash-in-bmp-and-ico-image-decoding.patch
new file mode 100644
index 0000000..94e91c0
--- /dev/null
+++ b/0201-Fixes-crash-in-bmp-and-ico-image-decoding.patch
@@ -0,0 +1,62 @@
+From 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland at theqtcompany.com>
+Date: Wed, 11 Mar 2015 13:34:01 +0100
+Subject: [PATCH 201/238] Fixes crash in bmp and ico image decoding
+
+Fuzzing test revealed that for certain malformed bmp and ico files,
+the handler would segfault.
+
+Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+Reviewed-by: Lars Knoll <lars.knoll at digia.com>
+---
+ src/gui/image/qbmphandler.cpp | 13 +++++++------
+ src/plugins/imageformats/ico/qicohandler.cpp | 2 +-
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index df66499..8acc593 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ p = data + (h-y-1)*bpl;
+ break;
+ case 2: // delta (jump)
+- // Protection
+- if ((uint)x >= (uint)w)
+- x = w-1;
+- if ((uint)y >= (uint)h)
+- y = h-1;
+-
+ {
+ quint8 tmp;
+ d->getChar((char *)&tmp);
+@@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ d->getChar((char *)&tmp);
+ y += tmp;
+ }
++
++ // Protection
++ if ((uint)x >= (uint)w)
++ x = w-1;
++ if ((uint)y >= (uint)h)
++ y = h-1;
++
+ p = data + (h-y-1)*bpl + x;
+ break;
+ default: // absolute mode
+diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
+index 00de0c8..ec1654e 100644
+--- a/src/plugins/imageformats/ico/qicohandler.cpp
++++ b/src/plugins/imageformats/ico/qicohandler.cpp
+@@ -567,7 +567,7 @@ QImage ICOReader::iconAt(int index)
+ QImage::Format format = QImage::Format_ARGB32;
+ if (icoAttrib.nbits == 24)
+ format = QImage::Format_RGB32;
+- else if (icoAttrib.ncolors == 2)
++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+ format = QImage::Format_Mono;
+ else if (icoAttrib.ncolors > 0)
+ format = QImage::Format_Indexed8;
+--
+1.9.3
+
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index 593211d..2b2b3e1 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -37,7 +37,7 @@
Summary: Qt5 - QtBase components
Name: qt5-qtbase
Version: 5.4.1
-Release: 8%{?dist}
+Release: 9%{?dist}
# See LGPL_EXCEPTIONS.txt, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -103,6 +103,9 @@ Patch336: 0136-Make-sure-there-s-a-scene-before-using-it.patch
# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
# CVE-2015-0295
Patch349: 0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
+# CVE-2015-1858, CVE-2015-1859, CVE-2015-1860
+Patch400: 0200-Fixes-crash-in-gif-image-decoder.patch
+Patch401: 0201-Fixes-crash-in-bmp-and-ico-image-decoding.patch
# macros, be mindful to keep sync'd with macros.qt5
Source1: macros.qt5
@@ -359,6 +362,8 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
%patch332 -p1 -b .0132
%patch336 -p1 -b .0136
%patch349 -p1 -b .0149
+%patch400 -p1 -b .0200
+%patch401 -p1 -b .0201
# drop -fexceptions from $RPM_OPT_FLAGS
RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
@@ -870,6 +875,9 @@ fi
%changelog
+* Mon Apr 13 2015 Rex Dieter <rdieter at fedoraproject.org> 5.4.1-9
+- Multiple Vulnerabilities in Qt Image Format Handling (CVE-2015-1860 CVE-2015-1859 CVE-2015-1858)
+
* Fri Apr 10 2015 Rex Dieter <rdieter at fedoraproject.org> - 5.4.1-8
- -dbus=runtime on el6 (#1196359)
- %%build: -no-directfb
--
cgit v0.10.2
http://pkgs.fedoraproject.org/cgit/qt5-qtbase.git/commit/?h=f20&id=9a602903fd5fc0260e0d36effe5a381f8c0eab30
More information about the scm-commits
mailing list