epienbro pushed to mingw-qt (f21). "Fix CVE-2015-0295, CVE-2015-1860, CVE-2015-1859 and CVE-2015-1858"

notifications at fedoraproject.org notifications at fedoraproject.org
Fri Apr 24 13:56:57 UTC 2015


>From 931a110915cee00367efbe1fdc8522943ab9e1c1 Mon Sep 17 00:00:00 2001
From: Erik van Pienbroek <epienbro at fedoraproject.org>
Date: Fri, 24 Apr 2015 15:52:35 +0200
Subject: Fix CVE-2015-0295, CVE-2015-1860, CVE-2015-1859 and CVE-2015-1858


diff --git a/0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch b/0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
new file mode 100644
index 0000000..ab2293b
--- /dev/null
+++ b/0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
@@ -0,0 +1,42 @@
+From e50aa2252cdd5cb53eef7d8c4503c7edff634f68 Mon Sep 17 00:00:00 2001
+From: "Richard J. Moore" <rich at kde.org>
+Date: Tue, 24 Feb 2015 19:02:35 +0000
+Subject: [PATCH 137/138] Fix a division by zero when processing malformed BMP
+ files.
+
+This fixes a division by 0 when processing a maliciously crafted BMP
+file. No impact beyond DoS.
+
+Backport of 661f6bfd032dacc62841037732816a583640e187
+
+Task-number: QTBUG-44547
+Change-Id: I43f06e752b11cb50669101460902a82b885ae618
+Reviewed-by: Thiago Macieira <thiago.macieira at intel.com>
+---
+ src/gui/image/qbmphandler.cpp | 6 ++++++
+ 1 file changed, 6 insertions(+)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index b22e842..30fa9e0 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -319,10 +319,16 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+         }
+     } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) {
+         red_shift = calc_shift(red_mask);
++        if (((red_mask >> red_shift) + 1) == 0)
++            return false;
+         red_scale = 256 / ((red_mask >> red_shift) + 1);
+         green_shift = calc_shift(green_mask);
++        if (((green_mask >> green_shift) + 1) == 0)
++            return false;
+         green_scale = 256 / ((green_mask >> green_shift) + 1);
+         blue_shift = calc_shift(blue_mask);
++        if (((blue_mask >> blue_shift) + 1) == 0)
++            return false;
+         blue_scale = 256 / ((blue_mask >> blue_shift) + 1);
+     } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) {
+         blue_mask = 0x000000ff;
+-- 
+1.9.3
+
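Review bot: The three added guards only explain themselves to a reader who already knows that `(mask >> shift) + 1` wraps to 0 when the shifted mask is all ones, so each `+` guard deserves a one-line comment such as `// an all-ones mask makes (mask >> shift) + 1 wrap to 0; reject instead of dividing by zero (CVE-2015-0295)`. The check as written presumes the mask variables are unsigned (or that a signed wrap to -1 is benign for this division); their declarations are above the hunk, so that should be confirmed before the comment asserts it. A small helper computing shift and scale for one mask would remove the three-fold repetition, but that is a style preference rather than a defect in the backport. read_dib_body starts before and continues after this hunk, and this file is itself a nested backport of upstream 661f6bfd, so any change should be checked against the upstream commit rather than edited only here.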
diff --git a/mingw-qt.spec b/mingw-qt.spec
index 0d42fb3..fca7d40 100644
--- a/mingw-qt.spec
+++ b/mingw-qt.spec
@@ -14,7 +14,7 @@
 
 Name:           mingw-qt
 Version:        4.8.6
-Release:        7%{?pre}%{?dist}
+Release:        8%{?pre}%{?dist}
 Summary:        Qt for Windows
 
 License:        GPLv3 with exceptions or LGPLv2 with exceptions
@@ -84,6 +84,13 @@ Patch31:        qt4-use-correct-pkg-config-static-flags.patch
 # Add support for gcc5 (needed to build WebKit)
 Patch32:        qt4-fix-gcc5-compatibility.patch
 
+# CVE-2015-0295
+# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
+Patch33:        0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
+
+# CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
+Patch34:        qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
+
 BuildRequires:  mingw32-filesystem >= 95
 BuildRequires:  mingw32-gcc
 BuildRequires:  mingw32-gcc-c++
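Review bot: The `Patch34:` line carries no provenance beyond the three CVE ids, whereas Patch33 above it links to the Qt announcement; the patch file itself has no upstream commit hash, Change-Id or author, so a future rebase cannot tell which upstream change it corresponds to. The `.than` backup suffix inside that patch suggests it was copied from the native Fedora qt package, so a comment along the lines of `# Taken from the Fedora qt package; backports of the upstream Qt 4.8 BMP/GIF/ICO handler fixes` would at least record where to look. Adding the upstream commit ids to that comment once identified would make the two patch declarations consistent.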
@@ -258,6 +265,8 @@ Static version of the mingw64-qt library.
 %patch30 -p1 -b .out_of_tree
 %patch31 -p1 -b .pkgconfig_static
 %patch32 -p1 -b .gcc5
+%patch33 -p1 -b .CVE-2015-0295
+%patch34 -p1
 
 # Patch 19 (openssl) needs an additional change
 # qt loads openssl libraries (ssleay32, libeay32)  at runtime, but they are called libssl-OPENSSL_SONAME
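Review bot: `%patch34 -p1` is the only patch application in this section without a `-b` backup suffix, unlike `%patch33 -p1 -b .CVE-2015-0295` and the earlier `%patch` lines; applying it as `%patch34 -p1 -b .CVE-2015-1858` keeps the pre-patch copies of qbmphandler.cpp, qgifhandler.cpp and qicohandler.cpp for inspection like the others. Both new patches touch src/gui/image/qbmphandler.cpp, so the order here (33 then 34) has to match the order the hunks were generated against; the second patch's hunks at lines 478 and 491 sit well below the first patch's hunk at 319, so the offsets should still apply, and a fuzz warning at build time would be the signal that they no longer do.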
@@ -1117,6 +1126,9 @@ sed -i s@'$${QT_LIBINFIX}d'@'d$${QT_LIBINFIX}'@ $RPM_BUILD_ROOT%{mingw64_datadir
 
 
 %changelog
+* Fri Apr 24 2015 Erik van Pienbroek <epienbro at fedorproject.org> - 4.8.6-8
+- Fix CVE-2015-0295, CVE-2015-1860, CVE-2015-1859 and CVE-2015-1858
+
 * Sat Mar 21 2015 Erik van Pienbroek <epienbro at fedoraproject.org> - 4.8.6-7
 - Fix FTBFS against latest mingw-dbus
 - Fix FTBFS against gcc5
diff --git a/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch b/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
new file mode 100644
index 0000000..c772c1a
--- /dev/null
+++ b/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
@@ -0,0 +1,54 @@
+diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp
+--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than	2015-04-13 16:03:24.347475762 +0200
++++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp	2015-04-13 16:04:42.781923479 +0200
+@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s
+                             p = data + (h-y-1)*bpl;
+                             break;
+                         case 2:                        // delta (jump)
+-                            // Protection
+-                            if ((uint)x >= (uint)w)
+-                                x = w-1;
+-                            if ((uint)y >= (uint)h)
+-                                y = h-1;
+-
+                             {
+                                 quint8 tmp;
+                                 d->getChar((char *)&tmp);
+@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s
+                                 d->getChar((char *)&tmp);
+                                 y += tmp;
+                             }
++
++                            // Protection
++                            if ((uint)x >= (uint)w)
++                                x = w-1;
++                            if ((uint)y >= (uint)h)
++                                y = h-1;
++
+                             p = data + (h-y-1)*bpl + x;
+                             break;
+                         default:                // absolute mode
+diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp
+--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than	2015-04-13 16:10:38.284420268 +0200
++++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp	2015-04-13 16:11:17.406144797 +0200
+@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image,
+ 
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++    if (out_of_bounds)
++        return;
+     int my;
+     switch (interlace) {
+     case 0: // Non-interlaced
+diff -up qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp
+--- qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than	2015-04-13 16:05:02.059787728 +0200
++++ qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp	2015-04-13 16:05:41.141512553 +0200
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+                 QImage::Format format = QImage::Format_ARGB32;
+                 if (icoAttrib.nbits == 24)
+                     format = QImage::Format_RGB32;
+-                else if (icoAttrib.ncolors == 2)
++                else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+                     format = QImage::Format_Mono;
+                 else if (icoAttrib.ncolors > 0)
+                     format = QImage::Format_Indexed8;
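Review bot: The relocated clamp in the BMP delta case (the `// Protection` block now placed after `y += tmp`) silently rewrites an out-of-range jump to the last column or row and carries on decoding, and nothing records why the ordering matters; a comment above it such as `// Clamp only after the delta is applied: the jump itself can leave the image, and p is recomputed from x/y below` would stop a later cleanup from hoisting it back above the reads. The `(uint)` casts also make a negative x or y fail the comparison, which is what keeps `p = data + (h-y-1)*bpl + x` from being computed with a negative offset, and that is worth stating in the same comment. In qgifhandler.cpp the early return added to nextY is only as strong as the code that sets `out_of_bounds`, which lies outside this hunk, and in qicohandler.cpp the new `icoAttrib.depth == 1` test relies on that field being populated by code not shown here. All three enclosing functions start and end outside the hunk.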


	http://pkgs.fedoraproject.org/cgit/mingw-qt.git/commit/?h=f21&id=931a110915cee00367efbe1fdc8522943ab9e1c1

