Your message dated Tue, 23 May 2023 10:38:07 +0000
with message-id <e1q1pp5-00c57q...@respighi.debian.org>
and subject line unblock qtbase-opensource-src
has caused the Debian Bug report #1036562,
regarding unblock: qtbase-opensource-src/5.15.8+dfsg-10
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)
--
1036562: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1036562
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: release.debian.org
Severity: normal
User: release.debian....@packages.debian.org
Usertags: unblock
X-Debbugs-Cc: qtbase-opensource-...@packages.debian.org, mity...@debian.org,
lisan...@debian.org
Control: affects -1 + src:qtbase-opensource-src
Please unblock package qtbase-opensource-src
[ Reason ]
This upload:
- Fixes CVE-2023-32762 and CVE-2023-32763. One prevents a crash with SVG
(not related to the one in qtsvg-opensource-src) and the other one
related to a security heade parsing in the network module.
- Adds a Break/Replaces in order to allow proper handling of systems
that still had libqtcore4 around (#1035790).
- Backports a patch in order to solve an issue with KWin:
- https://bugreports.qt.io/browse/QTBUG-98048
- https://lists.debian.org/debian-kde/2022/11/msg00019.html
[ Impact ]
- Lack of security fixes.
- Breaks the bullseye → bookworm update on some systems.
- Nasty visual effects while drag and dropping.
[ Tests ]
All the patches have been tested by upstream.
The security patches are quite straightforward.
The B/R issue is also straightforward, with a specific Qt4 version
allowing users to keep libqt4 around if necessary.
Drag and dropping just works as expected.
[ Risks ]
Sincerely I don't think there are risks here.
[ Checklist ]
[X] all changes are documented in the d/changelog
[X] I reviewed all changes and I approve them
[X] attach debdiff against the package in testing
unblock qtbase-opensource-src/5.15.8+dfsg-10
diff --git a/debian/changelog b/debian/changelog
index 8c172cff..1f5b73f0 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,17 @@
+qtbase-opensource-src (5.15.8+dfsg-10) unstable; urgency=medium
+
+ * Add patches to fix CVE-2023-32762 and CVE-2023-32763.
+
+ -- Lisandro Damián Nicanor Pérez Meyer <lisan...@debian.org> Mon, 22 May
2023 11:31:55 -0300
+
+qtbase-opensource-src (5.15.8+dfsg-9) unstable; urgency=medium
+
+ * Backport upstream patch to fix laggy drag-and-drop with KWin. See:
+ - https://bugreports.qt.io/browse/QTBUG-98048
+ - https://lists.debian.org/debian-kde/2022/11/msg00019.html
+
+ -- Dmitry Shachnev <mity...@debian.org> Sun, 21 May 2023 12:19:31 +0300
+
qtbase-opensource-src (5.15.8+dfsg-8) unstable; urgency=medium
* Add back Breaks/Replaces for libqtcore4 (closes: #1035790).
diff --git a/debian/patches/CVE-2023-32762.patch
b/debian/patches/CVE-2023-32762.patch
new file mode 100644
index 00000000..d0deff76
--- /dev/null
+++ b/debian/patches/CVE-2023-32762.patch
@@ -0,0 +1,17 @@
+---
+ src/network/access/qhsts.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -364,8 +364,8 @@ quoted-pair = "\" CHAR
+ bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>>
&headers)
+ {
+ for (const auto &h : headers) {
+- // We use '==' since header name was already 'trimmed' for us:
+- if (h.first == "Strict-Transport-Security") {
++ // We compare directly because header name was already 'trimmed' for
us:
++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive)
== 0) {
+ header = h.second;
+ // RFC6797, 8.1:
+ //
diff --git a/debian/patches/cve-2023-32763.diff
b/debian/patches/cve-2023-32763.diff
new file mode 100644
index 00000000..b74413dc
--- /dev/null
+++ b/debian/patches/cve-2023-32763.diff
@@ -0,0 +1,50 @@
+---
+ src/gui/painting/qfixed_p.h | 9 +++++++++
+ src/gui/text/qtextlayout.cpp | 9 ++++++---
+ 2 files changed, 15 insertions(+), 3 deletions(-)
+
+--- a/src/gui/painting/qfixed_p.h
++++ b/src/gui/painting/qfixed_p.h
+@@ -54,6 +54,7 @@
+ #include <QtGui/private/qtguiglobal_p.h>
+ #include "QtCore/qdebug.h"
+ #include "QtCore/qpoint.h"
++#include <QtCore/private/qnumeric_p.h>
+ #include "QtCore/qsize.h"
+
+ QT_BEGIN_NAMESPACE
+@@ -182,6 +183,14 @@ Q_DECL_CONSTEXPR inline bool operator<(i
+ Q_DECL_CONSTEXPR inline bool operator>(const QFixed &f, int i) { return
f.value() > i * 64; }
+ Q_DECL_CONSTEXPR inline bool operator>(int i, const QFixed &f) { return i *
64 > f.value(); }
+
++inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
++{
++ int val;
++ bool result = add_overflow(v1.value(), v2.value(), &val);
++ r->setValue(val);
++ return result;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ inline QDebug &operator<<(QDebug &dbg, const QFixed &f)
+ { return dbg << f.toReal(); }
+--- a/src/gui/text/qtextlayout.cpp
++++ b/src/gui/text/qtextlayout.cpp
+@@ -2150,11 +2150,14 @@ found:
+ eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
+ } else {
+ eng->minWidth = qMax(eng->minWidth, lbh.minw);
+- eng->maxWidth += line.textWidth;
++ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
+ }
+
+- if (line.textWidth > 0 && item < eng->layoutData->items.size())
+- eng->maxWidth += lbh.spaceData.textWidth;
++ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
++ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth,
&eng->maxWidth))
++ eng->maxWidth = QFIXED_MAX;
++ }
+
+ line.textWidth += trailingSpace;
+ if (lbh.spaceData.length) {
diff --git a/debian/patches/qshapedpixmapwindow_no_tooltip.diff
b/debian/patches/qshapedpixmapwindow_no_tooltip.diff
new file mode 100644
index 00000000..7e4dabfb
--- /dev/null
+++ b/debian/patches/qshapedpixmapwindow_no_tooltip.diff
@@ -0,0 +1,25 @@
+Description: do not set Qt::ToolTip flag for QShapedPixmapWindow
+ This hint is not really needed in the first place and only causes
+ problems in some environments.
+ .
+ For example in KDE, the compositor animates changes in position and size
+ for all ToolTip windows. However, this is not wanted here because we use
+ this window as a thumbnail for a drag-and-drop operation.
+ Before this patch the dragged element would lag significantly behind the
+ cursor. Now it works as expected, i.e. the dragged element follows the
+ cursor immediately.
+Origin: upstream,
https://code.qt.io/cgit/qt/qtbase.git/commit/?id=180b496b537089b8
+Bug: https://bugreports.qt.io/browse/QTBUG-98048
+Last-Update: 2023-05-20
+
+--- a/src/gui/kernel/qshapedpixmapdndwindow.cpp
++++ b/src/gui/kernel/qshapedpixmapdndwindow.cpp
+@@ -56,7 +56,7 @@ QShapedPixmapWindow::QShapedPixmapWindow
+ QSurfaceFormat format;
+ format.setAlphaBufferSize(8);
+ setFormat(format);
+- setFlags(Qt::ToolTip | Qt::FramelessWindowHint |
Qt::X11BypassWindowManagerHint
++ setFlags(Qt::FramelessWindowHint | Qt::BypassWindowManagerHint
+ | Qt::WindowTransparentForInput | Qt::WindowDoesNotAcceptFocus);
+ }
+
diff --git a/debian/patches/series b/debian/patches/series
index 521474ab..afbb7882 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -14,6 +14,9 @@ fix_alt_backtick.diff
image_deletion_order.diff
qxcbwindow_set_geometry.diff
CVE-2023-24607.diff
+qshapedpixmapwindow_no_tooltip.diff
+cve-2023-32763.diff
+CVE-2023-32762.patch
# Debian specific.
gnukfreebsd.diff
--- End Message ---
--- Begin Message ---
Unblocked.
--- End Message ---
