package/qt6/qt6base: backport fix for CVE-2023-51714

This commit backports upstream patches that are needed to fix
CVE-2023-51714. The second one is the actual CVE fix; the first one is
needed only to backport the second patch in a reasonable way.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
Thomas Petazzoni 2024-08-22 12:20:31 +02:00 committed by Peter Korsgaard
parent 0436dd22fc
commit 4009842cba
3 changed files with 93 additions and 0 deletions


@ -0,0 +1,43 @@
From fc5e607b78dc6dc2a17e3586d2085e9d25412785 Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@qt.io>
Date: Tue, 12 Dec 2023 20:51:56 +0100
Subject: [PATCH] HPack: fix a Yoda Condition
Putting the variable on the LHS of a relational operation makes the
expression easier to read. In this case, we find that the whole
expression is nonsensical as an overflow protection, because if
name.size() + value.size() overflows, the result will exactly _not_
be > max() - 32, because UB will have happened.
To be fixed in a follow-up commit.
As a drive-by, add parentheses around the RHS.
Pick-to: 6.7 6.6 6.5 6.2 5.15
Change-Id: I35ce598884c37c51b74756b3bd2734b9aad63c09
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Upstream: https://github.com/qt/qtbase/commit/658607a34ead214fbacbc2cca44915655c318ea9
[Thomas: needed to backport fix for
https://security-tracker.debian.org/tracker/CVE-2023-51714]
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
src/network/access/http2/hpacktable.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
index 0b69ee86a9b..34da5594e2b 100644
--- a/src/network/access/http2/hpacktable.cpp
+++ b/src/network/access/http2/hpacktable.cpp
@@ -27,7 +27,7 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value)
// 32 octets of overhead."
const unsigned sum = unsigned(name.size() + value.size());
- if (std::numeric_limits<unsigned>::max() - 32 < sum)
+ if (sum > (std::numeric_limits<unsigned>::max() - 32))
return HeaderSize();
return HeaderSize(true, quint32(sum + 32));
}
--
2.46.0
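Review bot: the rewritten condition in the hpacktable.cpp hunk (`if (sum > (std::numeric_limits<unsigned>::max() - 32))`) is still not an overflow check, because `sum` is computed one line earlier as `unsigned(name.size() + value.size())`, so any overflow or truncation has already happened before the comparison runs; the patch description says as much ("To be fixed in a follow-up commit"). Keep this patch only as the prerequisite it is and make sure the series can never be applied without the second patch, since on its own it must not be counted as the CVE-2023-51714 fix.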


@ -0,0 +1,48 @@
From 01348087ee851f1781a27e7ce8a1ed0bda5441fe Mon Sep 17 00:00:00 2001
From: Marc Mutz <marc.mutz@qt.io>
Date: Tue, 12 Dec 2023 22:08:07 +0100
Subject: [PATCH] HPack: fix incorrect integer overflow check
This code never worked:
For the comparison with max() - 32 to trigger, on 32-bit platforms (or
Qt 5) signed interger overflow would have had to happen in the
addition of the two sizes. The compiler can therefore remove the
overflow check as dead code.
On Qt 6 and 64-bit platforms, the signed integer addition would be
very unlikely to overflow, but the following truncation to uint32
would yield the correct result only in a narrow 32-value window just
below UINT_MAX, if even that.
Fix by using the proper tool, qAddOverflow.
Pick-to: 6.7 6.6 6.5 6.2 5.15
Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Fixes: https://security-tracker.debian.org/tracker/CVE-2023-51714
Upstream: https://github.com/qt/qtbase/commit/ee5da1f2eaf8932aeca02ffea6e4c618585e29e3
Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
src/network/access/http2/hpacktable.cpp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
index 34da5594e2b..f20ec92d4c5 100644
--- a/src/network/access/http2/hpacktable.cpp
+++ b/src/network/access/http2/hpacktable.cpp
@@ -26,7 +26,9 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value)
// for counting the number of references to the name and value would have
// 32 octets of overhead."
- const unsigned sum = unsigned(name.size() + value.size());
+ size_t sum;
+ if (qAddOverflow(size_t(name.size()), size_t(value.size()), &sum))
+ return HeaderSize();
if (sum > (std::numeric_limits<unsigned>::max() - 32))
return HeaderSize();
return HeaderSize(true, quint32(sum + 32));
--
2.46.0
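Review bot: the hunk introduces a call to `qAddOverflow` but adds no `#include`, so this backport compiles only if hpacktable.cpp, or a header it already pulls in, declares that function in the Qt version Buildroot ships; please confirm with an actual build rather than relying on the upstream context. It may also be worth stating in the patch header that with `sum` now a `size_t`, the retained `sum > (std::numeric_limits<unsigned>::max() - 32)` comparison finally does real work on 64-bit targets (a 64-bit sum can legitimately exceed the 32-bit range) and is what keeps the following `quint32(sum + 32)` conversion from wrapping.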


@ -17,6 +17,8 @@ QT6BASE_IGNORE_CVES += CVE-2023-32762
QT6BASE_IGNORE_CVES += CVE-2023-32763
# 0009-QXmlStreamReader-Raise-error-on-unexpected-tokens.patch
QT6BASE_IGNORE_CVES += CVE-2023-38197
# 0011-HPack-fix-incorrect-integer-overflow-check.patch
QT6BASE_IGNORE_CVES += CVE-2023-38197
QT6BASE_CMAKE_BACKEND = ninja
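Review bot: the line added under the `# 0011-HPack-fix-incorrect-integer-overflow-check.patch` comment repeats `QT6BASE_IGNORE_CVES += CVE-2023-38197`, which is already listed under the 0009 comment, instead of the CVE that patch addresses, so CVE-2023-51714 is never marked as fixed and the CVE checker will keep flagging qt6base even though the fix is applied; it should read `QT6BASE_IGNORE_CVES += CVE-2023-51714`.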