
Bug#1036562: unblock: qtbase-opensource-src/5.15.8+dfsg-10



Package: release.debian.org
Severity: normal
User: release.debian.org@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtbase-opensource-src@packages.debian.org, mitya57@debian.org, lisandro@debian.org
Control: affects -1 + src:qtbase-opensource-src

Please unblock package qtbase-opensource-src

[ Reason ]

This upload:
- Fixes CVE-2023-32762 and CVE-2023-32763. One prevents a crash with SVG
  (not related to the one in qtsvg-opensource-src) and the other one
  related to a security header parsing in the network module.
- Adds a Break/Replaces in order to allow proper handling of systems
  that still had libqtcore4 around (#1035790).
- Backports a patch in order to solve an issue with KWin:
  - https://bugreports.qt.io/browse/QTBUG-98048
  - https://lists.debian.org/debian-kde/2022/11/msg00019.html

[ Impact ]

- Lack of security fixes.
- Breaks the bullseye → bookworm update on some systems.
- Nasty visual effects while drag and dropping.

[ Tests ]

All the patches have been tested by upstream.

The security patches are quite straightforward.
The B/R issue is also straightforward, with a specific Qt4 version
allowing users to keep libqt4 around if necessary.
Drag and dropping just works as expected.

[ Risks ]

Sincerely I don't think there are risks here.

[ Checklist ]
  [X] all changes are documented in the d/changelog
  [X] I reviewed all changes and I approve them
  [X] attach debdiff against the package in testing

unblock qtbase-opensource-src/5.15.8+dfsg-10
diff --git a/debian/changelog b/debian/changelog
index 8c172cff..1f5b73f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium
+
+  * Add patches to fix CVE-2023-32762 and CVE-2023-32763.
+
+ -- Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>  Mon, 22 May 2023 11:31:55 -0300
+
+qtbase-opensource-src (5.15.8+dfsg-9) unstable; urgency=medium
+
+  * Backport upstream patch to fix laggy drag-and-drop with KWin. See:
+    - https://bugreports.qt.io/browse/QTBUG-98048
+    - https://lists.debian.org/debian-kde/2022/11/msg00019.html
+
+ -- Dmitry Shachnev <mitya57@debian.org>  Sun, 21 May 2023 12:19:31 +0300
+
 qtbase-opensource-src (5.15.8+dfsg-8) unstable; urgency=medium
 
   * Add back Breaks/Replaces for libqtcore4 (closes: #1035790).
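Review bot: the Breaks/Replaces change for #1035790 appears in this hunk only as unchanged context under 5.15.8+dfsg-8, so the debdiff carries no packaging change for it, while the Reason section of the request lists it as part of this upload. Either drop that item from the request or confirm which version is actually in testing. The -10 entry could also say which component each CVE touches (qhsts.cpp for CVE-2023-32762, qfixed_p.h and qtextlayout.cpp for CVE-2023-32763) so the changelog is readable without opening the patches.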
diff --git a/debian/patches/CVE-2023-32762.patch b/debian/patches/CVE-2023-32762.patch
new file mode 100644
index 00000000..d0deff76
--- /dev/null
+++ b/debian/patches/CVE-2023-32762.patch
@@ -0,0 +1,17 @@
+---
+ src/network/access/qhsts.cpp |    4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -364,8 +364,8 @@ quoted-pair    = "\" CHAR
+ bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
+ {
+     for (const auto &h : headers) {
+-        // We use '==' since header name was already 'trimmed' for us:
+-        if (h.first == "Strict-Transport-Security") {
++        // We compare directly because header name was already 'trimmed' for us:
++        if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
+             header = h.second;
+             // RFC6797, 8.1:
+             //
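Review bot: this patch file starts with a bare `---` and has no Description, Origin or Last-Update header, unlike qshapedpixmapwindow_no_tooltip.diff in the same upload, so nothing records which upstream commit it was taken from. Add the header with the upstream reference. On the code itself, the header-name match on `h.first` changes from an exact `==` to `compare(..., Qt::CaseInsensitive) == 0`; the rewritten comment still talks about trimming and could simply state that header names are matched case-insensitively.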
diff --git a/debian/patches/cve-2023-32763.diff b/debian/patches/cve-2023-32763.diff
new file mode 100644
index 00000000..b74413dc
--- /dev/null
+++ b/debian/patches/cve-2023-32763.diff
@@ -0,0 +1,50 @@
+---
+ src/gui/painting/qfixed_p.h  |    9 +++++++++
+ src/gui/text/qtextlayout.cpp |    9 ++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include <QtGui/private/qtguiglobal_p.h>
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include <QtCore/private/qnumeric_p.h>
+ #include "QtCore/qsize.h"
+ 
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(i
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i * 64 > f.value(); }
+ 
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++    int val;
++    bool result = add_overflow(v1.value(), v2.value(), &val);
++    r->setValue(val);
++    return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
+ { return dbg << f.toReal(); }
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2150,11 +2150,14 @@ found:
+         eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+     } else {
+         eng->minWidth = qMax(eng->minWidth, lbh.minw);
+-        eng->maxWidth += line.textWidth;
++        if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
++            eng->maxWidth = QFIXED_MAX;
+     }
+ 
+-    if (line.textWidth > 0 && item < eng->layoutData->items.size())
+-        eng->maxWidth += lbh.spaceData.textWidth;
++    if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++        if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
++            eng->maxWidth = QFIXED_MAX;
++    }
+ 
+     line.textWidth += trailingSpace;
+     if (lbh.spaceData.length) {
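Review bot: in qAddOverflow (qfixed_p.h), `r->setValue(val)` runs even when add_overflow reports an overflow, so `*r` is modified on the failure path as well and a caller that ignores the return value would keep whatever add_overflow stored. Both call sites in qtextlayout.cpp check the result and overwrite eng->maxWidth with QFIXED_MAX, so the two uses here are covered, but a one-line comment on the helper saying that `*r` is only meaningful when it returns false would protect future callers. As with the other CVE patch, the file has no Description or Origin header naming the upstream commit.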
diff --git a/debian/patches/qshapedpixmapwindow_no_tooltip.diff b/debian/patches/qshapedpixmapwindow_no_tooltip.diff
new file mode 100644
index 00000000..7e4dabfb
--- /dev/null
+++ b/debian/patches/qshapedpixmapwindow_no_tooltip.diff
@@ -0,0 +1,25 @@
+Description: do not set Qt::ToolTip flag for QShapedPixmapWindow
+ This hint is not really needed in the first place and only causes
+ problems in some environments.
+ .
+ For example in KDE, the compositor animates changes in position and size
+ for all ToolTip windows. However, this is not wanted here because we use
+ this window as a thumbnail for a drag-and-drop operation.
+ Before this patch the dragged element would lag significantly behind the
+ cursor. Now it works as expected, i.e. the dragged element follows the
+ cursor immediately.
+Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=180b496b537089b8
+Bug: https://bugreports.qt.io/browse/QTBUG-98048
+Last-Update: 2023-05-20
+
+--- a/src/gui/kernel/qshapedpixmapdndwindow.cpp
++++ b/src/gui/kernel/qshapedpixmapdndwindow.cpp
+@@ -56,7 +56,7 @@ QShapedPixmapWindow::QShapedPixmapWindow
+     QSurfaceFormat format;
+     format.setAlphaBufferSize(8);
+     setFormat(format);
+-    setFlags(Qt::ToolTip | Qt::FramelessWindowHint | Qt::X11BypassWindowManagerHint
++    setFlags(Qt::FramelessWindowHint | Qt::BypassWindowManagerHint
+              | Qt::WindowTransparentForInput | Qt::WindowDoesNotAcceptFocus);
+ }
+ 
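Review bot: the setFlags() line makes two changes, it drops Qt::ToolTip and it replaces Qt::X11BypassWindowManagerHint with Qt::BypassWindowManagerHint, but the Description only covers the first. Add a sentence to the Description about the flag rename so the second change is not mistaken for an accident of the backport.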
diff --git a/debian/patches/series b/debian/patches/series
index 521474ab..afbb7882 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,6 +14,9 @@ fix_alt_backtick.diff
 image_deletion_order.diff
 qxcbwindow_set_geometry.diff
 CVE-2023-24607.diff
+qshapedpixmapwindow_no_tooltip.diff
+cve-2023-32763.diff
+CVE-2023-32762.patch
 
 # Debian specific.
 gnukfreebsd.diff
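Review bot: the two new CVE entries are named inconsistently: cve-2023-32763.diff is lowercase with a .diff suffix, CVE-2023-32762.patch is uppercase with a .patch suffix, and the existing CVE-2023-24607.diff is uppercase with .diff. Renaming both to the existing CVE-YYYY-NNNNN.diff pattern would keep the series easy to search when checking which CVE fixes a given upload carries.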
