diff -Nru qtbase-opensource-src-5.2.1+dfsg/debian/changelog qtbase-opensource-src-5.2.1+dfsg/debian/changelog --- qtbase-opensource-src-5.2.1+dfsg/debian/changelog 2014-05-12 08:40:30.000000000 +0000 +++ qtbase-opensource-src-5.2.1+dfsg/debian/changelog 2015-05-27 17:56:10.000000000 +0000 @@ -1,3 +1,28 @@ +qtbase-opensource-src (5.2.1+dfsg-1ubuntu14.3) trusty-security; urgency=medium + + * SECURITY UPDATE: denial of service via crafted GIF image + - debian/patches/CVE-2014-0190.patch: check for broken image in + src/gui/image/qgifhandler.cpp. + - CVE-2014-0190 + * SECURITY UPDATE: denial of service via crafted BMP + - debian/patches/CVE-2015-0295.patch: fix division by zero in + src/gui/image/qbmphandler.cpp. + - CVE-2015-0295 + * SECURITY UPDATE: denial of service and possible code execution via + crafted BMP or ICO images + - debian/patches/CVE-2015-1858-1859.patch: move check to better + location in src/gui/image/qbmphandler.cpp, check depth in + src/plugins/imageformats/ico/qicohandler.cpp. + - CVE-2015-1858 + - CVE-2015-1859 + * SECURITY UPDATE: denial of service and possible code exection via + crafted GIF image + - debian/patches/CVE-2015-1860.patch: check bounds in + src/gui/image/qgifhandler.cpp. + - CVE-2015-1860 + + -- Marc Deslauriers Wed, 27 May 2015 13:55:50 -0400 + qtbase-opensource-src (5.2.1+dfsg-1ubuntu14.2) trusty; urgency=medium * debian/patches/xi2-use-master-device.patch: diff -Nru qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2014-0190.patch qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2014-0190.patch --- qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2014-0190.patch 1970-01-01 00:00:00.000000000 +0000 +++ qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2014-0190.patch 2015-05-27 17:53:35.000000000 +0000 @@ -0,0 +1,41 @@ +From eb1325047f2697d24e93ebaf924900affc876bc1 Mon Sep 17 00:00:00 2001 +From: Lars Knoll +Date: Thu, 24 Apr 2014 15:33:27 +0200 +Subject: [PATCH] Don't crash on broken GIF images + +Broken GIF images could set invalid width and height +values inside the image, leading to Qt creating a null +QImage for it. In that case we need to abort decoding +the image and return an error. + +Initial patch by Rich Moore. + +Task-number: QTBUG-38367 +Change-Id: Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e +Security-advisory: CVE-2014-0190 +Reviewed-by: Richard J. Moore +--- + src/gui/image/qgifhandler.cpp | 7 +++++++ + 1 files changed, 7 insertions(+), 0 deletions(-) + +diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp +index eeb62af..19b8382 100644 +--- a/src/gui/image/qgifhandler.cpp ++++ b/src/gui/image/qgifhandler.cpp +@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, const uchar *buffer, int length, + memset(bits, 0, image->byteCount()); + } + ++ // Check if the previous attempt to create the image failed. If it ++ // did then the image is broken and we should give up. ++ if (image->isNull()) { ++ state = Error; ++ return -1; ++ } ++ + disposePrevious(image); + disposed = false; + +-- +1.7.1 + diff -Nru qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-0295.patch qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-0295.patch --- qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-0295.patch 1970-01-01 00:00:00.000000000 +0000 +++ qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-0295.patch 2015-05-27 17:55:17.000000000 +0000 @@ -0,0 +1,39 @@ +Backport of: + +From 661f6bfd032dacc62841037732816a583640e187 Mon Sep 17 00:00:00 2001 +From: Richard J. Moore +Date: Sat, 21 Feb 2015 17:43:21 +0000 +Subject: [PATCH] Fix a division by zero when processing malformed BMP files. + +This fixes a division by 0 when processing a maliciously crafted BMP +file. No impact beyond DoS. + +Task-number: QTBUG-44547 +Change-Id: Ifcded2c0aa712e90d23e6b3969af0ec3add53973 +Reviewed-by: Thiago Macieira +Reviewed-by: Oswald Buddenhagen +--- + src/gui/image/qbmphandler.cpp | 8 ++++++++ + 1 files changed, 8 insertions(+), 0 deletions(-) + +Index: qtbase-opensource-src-5.2.1+dfsg/src/gui/image/qbmphandler.cpp +=================================================================== +--- qtbase-opensource-src-5.2.1+dfsg.orig/src/gui/image/qbmphandler.cpp 2015-05-27 13:53:47.752594135 -0400 ++++ qtbase-opensource-src-5.2.1+dfsg/src/gui/image/qbmphandler.cpp 2015-05-27 13:54:44.441291055 -0400 +@@ -319,10 +319,16 @@ + } + } else if (comp == BMP_BITFIELDS && (nbits == 16 || nbits == 32)) { + red_shift = calc_shift(red_mask); ++ if (((red_mask >> red_shift) + 1) == 0) ++ return false; + red_scale = 256 / ((red_mask >> red_shift) + 1); + green_shift = calc_shift(green_mask); ++ if (((green_mask >> green_shift) + 1) == 0) ++ return false; + green_scale = 256 / ((green_mask >> green_shift) + 1); + blue_shift = calc_shift(blue_mask); ++ if (((blue_mask >> blue_shift) + 1) == 0) ++ return false; + blue_scale = 256 / ((blue_mask >> blue_shift) + 1); + } else if (comp == BMP_RGB && (nbits == 24 || nbits == 32)) { + blue_mask = 0x000000ff; diff -Nru qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-1858-1859.patch qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-1858-1859.patch --- qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-1858-1859.patch 1970-01-01 00:00:00.000000000 +0000 +++ qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-1858-1859.patch 2015-05-27 17:55:36.000000000 +0000 @@ -0,0 +1,59 @@ +From 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe Mon Sep 17 00:00:00 2001 +From: Eirik Aavitsland +Date: Wed, 11 Mar 2015 13:34:01 +0100 +Subject: [PATCH] Fixes crash in bmp and ico image decoding + +Fuzzing test revealed that for certain malformed bmp and ico files, +the handler would segfault. + +Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe +Reviewed-by: Lars Knoll +--- + src/gui/image/qbmphandler.cpp | 13 +++++++------ + src/plugins/imageformats/ico/qicohandler.cpp | 2 +- + 2 files changed, 8 insertions(+), 7 deletions(-) + +Index: qtbase-opensource-src-5.2.1+dfsg/src/gui/image/qbmphandler.cpp +=================================================================== +--- qtbase-opensource-src-5.2.1+dfsg.orig/src/gui/image/qbmphandler.cpp 2015-05-27 13:55:33.345892038 -0400 ++++ qtbase-opensource-src-5.2.1+dfsg/src/gui/image/qbmphandler.cpp 2015-05-27 13:55:33.341891989 -0400 +@@ -478,12 +478,6 @@ + p = data + (h-y-1)*bpl; + break; + case 2: // delta (jump) +- // Protection +- if ((uint)x >= (uint)w) +- x = w-1; +- if ((uint)y >= (uint)h) +- y = h-1; +- + { + quint8 tmp; + d->getChar((char *)&tmp); +@@ -491,6 +485,13 @@ + d->getChar((char *)&tmp); + y += tmp; + } ++ ++ // Protection ++ if ((uint)x >= (uint)w) ++ x = w-1; ++ if ((uint)y >= (uint)h) ++ y = h-1; ++ + p = data + (h-y-1)*bpl + x; + break; + default: // absolute mode +Index: qtbase-opensource-src-5.2.1+dfsg/src/plugins/imageformats/ico/qicohandler.cpp +=================================================================== +--- qtbase-opensource-src-5.2.1+dfsg.orig/src/plugins/imageformats/ico/qicohandler.cpp 2015-05-27 13:55:33.345892038 -0400 ++++ qtbase-opensource-src-5.2.1+dfsg/src/plugins/imageformats/ico/qicohandler.cpp 2015-05-27 13:55:33.341891989 -0400 +@@ -571,7 +571,7 @@ + QImage::Format format = QImage::Format_ARGB32; + if (icoAttrib.nbits == 24) + format = QImage::Format_RGB32; +- else if (icoAttrib.ncolors == 2) ++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1) + format = QImage::Format_Mono; + else if (icoAttrib.ncolors > 0) + format = QImage::Format_Indexed8; diff -Nru qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-1860.patch qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-1860.patch --- qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-1860.patch 1970-01-01 00:00:00.000000000 +0000 +++ qtbase-opensource-src-5.2.1+dfsg/debian/patches/CVE-2015-1860.patch 2015-05-27 17:55:45.000000000 +0000 @@ -0,0 +1,27 @@ +From d3048a29797ee2d80d84bbda26bb3c954584f332 Mon Sep 17 00:00:00 2001 +From: Eirik Aavitsland +Date: Wed, 11 Mar 2015 09:00:41 +0100 +Subject: [PATCH] Fixes crash in gif image decoder + +Fuzzing test revealed that for certain malformed gif files, +qgifhandler would segfault. + +Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1 +Reviewed-by: Richard J. Moore +--- + src/gui/image/qgifhandler.cpp | 2 ++ + 1 files changed, 2 insertions(+), 0 deletions(-) + +Index: qtbase-opensource-src-5.2.1+dfsg/src/gui/image/qgifhandler.cpp +=================================================================== +--- qtbase-opensource-src-5.2.1+dfsg.orig/src/gui/image/qgifhandler.cpp 2015-05-27 13:55:42.318002271 -0400 ++++ qtbase-opensource-src-5.2.1+dfsg/src/gui/image/qgifhandler.cpp 2015-05-27 13:55:42.314002222 -0400 +@@ -944,6 +944,8 @@ + + void QGIFFormat::nextY(unsigned char *bits, int bpl) + { ++ if (out_of_bounds) ++ return; + int my; + switch (interlace) { + case 0: // Non-interlaced diff -Nru qtbase-opensource-src-5.2.1+dfsg/debian/patches/series qtbase-opensource-src-5.2.1+dfsg/debian/patches/series --- qtbase-opensource-src-5.2.1+dfsg/debian/patches/series 2014-05-12 08:40:30.000000000 +0000 +++ qtbase-opensource-src-5.2.1+dfsg/debian/patches/series 2015-05-27 17:55:41.000000000 +0000 @@ -31,3 +31,7 @@ When-looking-up-the-window-hierarchy-stop-at-foreign.patch Add_better_support_for_keymap_update_handling.patch xi2-use-master-device.patch +CVE-2014-0190.patch +CVE-2015-0295.patch +CVE-2015-1858-1859.patch +CVE-2015-1860.patch