diff -Nru qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/changelog qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/changelog --- qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/changelog 2015-03-06 11:10:46.000000000 +0000 +++ qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/changelog 2015-06-03 13:34:59.000000000 +0000 @@ -1,3 +1,24 @@ +qt4-x11 (4:4.8.6+git64-g5dc8b2b+dfsg-3~ubuntu7) wily; urgency=medium + + * SECURITY UPDATE: denial of service via crafted BMP + - debian/patches/CVE-2015-0295.patch: fix division by zero in + src/gui/image/qbmphandler.cpp. + - CVE-2015-0295 + * SECURITY UPDATE: denial of service and possible code execution via + crafted BMP or ICO images + - debian/patches/CVE-2015-1858-1859.patch: move check to better + location in src/gui/image/qbmphandler.cpp, check depth in + src/plugins/imageformats/ico/qicohandler.cpp. + - CVE-2015-1858 + - CVE-2015-1859 + * SECURITY UPDATE: denial of service and possible code exection via + crafted GIF image + - debian/patches/CVE-2015-1860.patch: check bounds in + src/gui/image/qgifhandler.cpp. + - CVE-2015-1860 + + -- Marc Deslauriers Wed, 03 Jun 2015 09:34:49 -0400 + qt4-x11 (4:4.8.6+git64-g5dc8b2b+dfsg-3~ubuntu6) vivid; urgency=medium * Fix detection of GCC 5. diff -Nru qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/control qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/control --- qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/control 2014-11-22 16:47:37.000000000 +0000 +++ qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/control 2015-06-03 13:35:11.000000000 +0000 @@ -1,7 +1,8 @@ Source: qt4-x11 Section: libs Priority: optional -Maintainer: Debian/Kubuntu Qt/KDE Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian/Kubuntu Qt/KDE Maintainers Uploaders: Fathi Boudra , Modestas Vainius , Sune Vuorela , diff -Nru qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-0295.patch qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-0295.patch --- qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-0295.patch 1970-01-01 00:00:00.000000000 +0000 +++ qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-0295.patch 2015-05-25 17:34:37.000000000 +0000 @@ -0,0 +1,39 @@ +Backport of: + +From 661f6bfd032dacc62841037732816a583640e187 Mon Sep 17 00:00:00 2001 +From: Richard J. Moore +Date: Sat, 21 Feb 2015 17:43:21 +0000 +Subject: [PATCH] Fix a division by zero when processing malformed BMP files. + +This fixes a division by 0 when processing a maliciously crafted BMP +file. No impact beyond DoS. + +Task-number: QTBUG-44547 +Change-Id: Ifcded2c0aa712e90d23e6b3969af0ec3add53973 +Reviewed-by: Thiago Macieira +Reviewed-by: Oswald Buddenhagen +--- + src/gui/image/qbmphandler.cpp | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +Index: qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/src/gui/image/qbmphandler.cpp +=================================================================== +--- qt4-x11-4.8.6+git64-g5dc8b2b+dfsg.orig/src/gui/image/qbmphandler.cpp 2015-05-25 13:33:13.362312974 -0400 ++++ qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/src/gui/image/qbmphandler.cpp 2015-05-25 13:34:14.742873933 -0400 +@@ -319,10 +319,16 @@ + } + } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) { + red_shift = calc_shift(red_mask); ++ if (((red_mask >> red_shift) + 1) == 0) ++ return false; + red_scale = 256 / ((red_mask >> red_shift) + 1); + green_shift = calc_shift(green_mask); ++ if (((green_mask >> green_shift) + 1) == 0) ++ return false; + green_scale = 256 / ((green_mask >> green_shift) + 1); + blue_shift = calc_shift(blue_mask); ++ if (((blue_mask >> blue_shift) + 1) == 0) ++ return false; + blue_scale = 256 / ((blue_mask >> blue_shift) + 1); + } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) { + blue_mask = 0x000000ff; diff -Nru qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-1858-1859.patch qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-1858-1859.patch --- qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-1858-1859.patch 1970-01-01 00:00:00.000000000 +0000 +++ qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-1858-1859.patch 2015-05-25 17:34:55.000000000 +0000 @@ -0,0 +1,59 @@ +From 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe Mon Sep 17 00:00:00 2001 +From: Eirik Aavitsland +Date: Wed, 11 Mar 2015 13:34:01 +0100 +Subject: [PATCH] Fixes crash in bmp and ico image decoding + +Fuzzing test revealed that for certain malformed bmp and ico files, +the handler would segfault. + +Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe +Reviewed-by: Lars Knoll +--- + src/gui/image/qbmphandler.cpp | 13 +++++++------ + src/plugins/imageformats/ico/qicohandler.cpp | 2 +- + 2 files changed, 8 insertions(+), 7 deletions(-) + +Index: qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/src/gui/image/qbmphandler.cpp +=================================================================== +--- qt4-x11-4.8.6+git64-g5dc8b2b+dfsg.orig/src/gui/image/qbmphandler.cpp 2015-05-25 13:34:52.883223566 -0400 ++++ qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/src/gui/image/qbmphandler.cpp 2015-05-25 13:34:52.879223529 -0400 +@@ -478,12 +478,6 @@ + p = data + (h-y-1)*bpl; + break; + case 2: // delta (jump) +- // Protection +- if ((uint)x >= (uint)w) +- x = w-1; +- if ((uint)y >= (uint)h) +- y = h-1; +- + { + quint8 tmp; + d->getChar((char *)&tmp); +@@ -491,6 +485,13 @@ + d->getChar((char *)&tmp); + y += tmp; + } ++ ++ // Protection ++ if ((uint)x >= (uint)w) ++ x = w-1; ++ if ((uint)y >= (uint)h) ++ y = h-1; ++ + p = data + (h-y-1)*bpl + x; + break; + default: // absolute mode +Index: qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/src/plugins/imageformats/ico/qicohandler.cpp +=================================================================== +--- qt4-x11-4.8.6+git64-g5dc8b2b+dfsg.orig/src/plugins/imageformats/ico/qicohandler.cpp 2015-05-25 13:34:52.883223566 -0400 ++++ qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/src/plugins/imageformats/ico/qicohandler.cpp 2015-05-25 13:34:52.879223529 -0400 +@@ -571,7 +571,7 @@ + QImage::Format format = QImage::Format_ARGB32; + if (icoAttrib.nbits == 24) + format = QImage::Format_RGB32; +- else if (icoAttrib.ncolors == 2) ++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1) + format = QImage::Format_Mono; + else if (icoAttrib.ncolors > 0) + format = QImage::Format_Indexed8; diff -Nru qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-1860.patch qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-1860.patch --- qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-1860.patch 1970-01-01 00:00:00.000000000 +0000 +++ qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/CVE-2015-1860.patch 2015-05-25 17:35:04.000000000 +0000 @@ -0,0 +1,27 @@ +From d3048a29797ee2d80d84bbda26bb3c954584f332 Mon Sep 17 00:00:00 2001 +From: Eirik Aavitsland +Date: Wed, 11 Mar 2015 09:00:41 +0100 +Subject: [PATCH] Fixes crash in gif image decoder + +Fuzzing test revealed that for certain malformed gif files, +qgifhandler would segfault. + +Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1 +Reviewed-by: Richard J. Moore +--- + src/gui/image/qgifhandler.cpp | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +Index: qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/src/gui/image/qgifhandler.cpp +=================================================================== +--- qt4-x11-4.8.6+git64-g5dc8b2b+dfsg.orig/src/gui/image/qgifhandler.cpp 2015-05-25 13:35:02.255309602 -0400 ++++ qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/src/gui/image/qgifhandler.cpp 2015-05-25 13:35:02.251309565 -0400 +@@ -951,6 +951,8 @@ + + void QGIFFormat::nextY(unsigned char *bits, int bpl) + { ++ if (out_of_bounds) ++ return; + int my; + switch (interlace) { + case 0: // Non-interlaced diff -Nru qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/series qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/series --- qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/series 2015-03-06 11:06:33.000000000 +0000 +++ qt4-x11-4.8.6+git64-g5dc8b2b+dfsg/debian/patches/series 2015-05-25 17:35:00.000000000 +0000 @@ -73,3 +73,6 @@ kubuntu_qclipboard_fix_recursive.diff gcc-5.diff +CVE-2015-0295.patch +CVE-2015-1858-1859.patch +CVE-2015-1860.patch