diff --git a/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch b/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
new file mode 100644
index 0000000..c772c1a
--- /dev/null
+++ b/qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
@@ -0,0 +1,54 @@ +diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp +--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than 2015-04-13 16:03:24.347475762 +0200 ++++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp 2015-04-13 16:04:42.781923479 +0200 +@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s + p = data + (h-y-1)*bpl; + break; + case 2: // delta (jump) +- // Protection +- if ((uint)x >= (uint)w) +- x = w-1; +- if ((uint)y >= (uint)h) +- y = h-1; +- + { + quint8 tmp; + d->getChar((char *)&tmp); +@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s + d->getChar((char *)&tmp); + y += tmp; + } ++ ++ // Protection ++ if ((uint)x >= (uint)w) ++ x = w-1; ++ if ((uint)y >= (uint)h) ++ y = h-1; ++ + p = data + (h-y-1)*bpl + x; + break; + default: // absolute mode +diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp +--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than 2015-04-13 16:10:38.284420268 +0200 ++++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp 2015-04-13 16:11:17.406144797 +0200 +@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image, + + void QGIFFormat::nextY(unsigned char *bits, int bpl) + { ++ if (out_of_bounds) ++ return; + int my; + switch (interlace) { + case 0: // Non-interlaced +diff -up qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp +--- qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than 2015-04-13 16:05:02.059787728 +0200 ++++ qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp 2015-04-13 16:05:41.141512553 +0200 +@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index) + QImage::Format 
format = QImage::Format_ARGB32;
+ if (icoAttrib.nbits == 24)
+ format = QImage::Format_RGB32;
+- else if (icoAttrib.ncolors == 2)
++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+ format = QImage::Format_Mono;
+ else if (icoAttrib.ncolors > 0)
+ format = QImage::Format_Indexed8;
diff --git a/qt.spec b/qt.spec
index e76e95a..82e5f52 100644
--- a/qt.spec
+++ b/qt.spec
@@ -35,7 +35,7 @@ Summary: Qt toolkit
 Name: qt
 Epoch: 1
 Version: 4.8.6
-Release: 27%{?dist}
+Release: 28%{?dist}
 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
 License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@@ -199,6 +199,8 @@ Patch272: 0072-Fix-font-cache-check-in-QFontEngineFT-recalcAdvances.patch
 # CVE-2015-0295
 # http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
 Patch337: 0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
+# CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
+Patch338: qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
 # desktop files
 Source20: assistant.desktop
@@ -597,6 +599,7 @@ rm -rf src/3rdparty/clucene
 %patch267 -p1 -b .0067
 %patch272 -p1 -b .0072
 %patch337 -p1 -b .0137
+%patch338 -p1 -b .CVE-2015-1860_CVE-2015-1859_CVE-2015-1858
 # security fixes
 # regression fixes for the security fixes
@@ -1332,6 +1335,9 @@ fi
 %changelog
+* Mon Apr 13 2015 Than Ngo - 1:4.8.6-28
+- bz#1210677, CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
+
 * Thu Mar 26 2015 Richard Hughes - 1:4.8.6-27
 - Add an AppData file for the software center
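Review bot: In the BMP delta-jump case the clamp is now correctly applied after `x += tmp` / `y += tmp`, but both `d->getChar((char *)&tmp)` calls still discard their return value and `quint8 tmp;` is declared uninitialized, so a jump record truncated at end of stream may add an indeterminate value (if getChar leaves the byte untouched on failure) before the clamp rescues the pointer; `quint8 tmp = 0;` together with `if (!d->getChar((char *)&tmp)) return false;` on each read would make read_dib_body (declared `static bool`) fail closed instead. The clamp also relies on `w` and `h` being positive, which is presumably validated earlier in read_dib_body but is not visible in this hunk: with `w == 0` the test `(uint)x >= (uint)w` always fires and `x = w-1` is -1, so `p` lands one byte before `data`. Re-aiming an out-of-range delta at the last column/row silently accepts a malformed image rather than rejecting it; that is a defensible memory-safety choice, but it deserves a comment such as `// Clamp after the jump: a malformed delta is re-aimed at the last pixel rather than rejected`. The enclosing read_dib_body switch, QGIFFormat::nextY and ICOReader::iconAt all start and end outside the hunk.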