[Buildroot] [PATCH 1/3] package/qt5/qt5base: security bump

[Buildroot] [PATCH 1/3] package/qt5/qt5base: security bump

[Quentin Schulz]

From: Quentin Schulz <quentin.schulz@theobroma-systems.com>

This fixes CVE-2022-25255 and CVE-2022-25634.

Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
 package/qt5/qt5base/qt5base.hash | 2 +-
 package/qt5/qt5base/qt5base.mk   | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

diff --git a/package/qt5/qt5base/qt5base.hash b/package/qt5/qt5base/qt5base.hash
index 1b9ff43ab2..c031f71c77 100644
--- a/package/qt5/qt5base/qt5base.hash
+++ b/package/qt5/qt5base/qt5base.hash
@@ -1,5 +1,5 @@
 # Locally calculated
-sha256  96b1c96041ae7b5186c94f231979217bd50e3c0a4caeba32982faa8054a6d113  qtbase-d16bf02a11953dcac01dca73e6f3778f293adefe.tar.bz2
+sha256  18c17d441fbefa9dd13d1d6bfb5f542c986ba86cc37930247f9e4d782df2244b  qtbase-f31e001a9399e4e620847ea2c3e90749350140ae.tar.bz2
 
 # Hashes for license files:
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  LICENSE.GPL2
diff --git a/package/qt5/qt5base/qt5base.mk b/package/qt5/qt5base/qt5base.mk
index ef02edfc1d..8fd5800822 100644
--- a/package/qt5/qt5base/qt5base.mk
+++ b/package/qt5/qt5base/qt5base.mk
@@ -4,7 +4,7 @@
 #
 ################################################################################
 
-QT5BASE_VERSION = d16bf02a11953dcac01dca73e6f3778f293adefe
+QT5BASE_VERSION = f31e001a9399e4e620847ea2c3e90749350140ae
 QT5BASE_SITE = $(QT5_SITE)/qtbase/-/archive/$(QT5BASE_VERSION)
 QT5BASE_SOURCE = qtbase-$(QT5BASE_VERSION).tar.bz2
 
@@ -15,6 +15,10 @@ QT5BASE_SYNC_QT_HEADERS = YES
 # 0010-Avoid-processing-intensive-painting-of-high-number-o.patch
 # 0011-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch
 QT5BASE_IGNORE_CVES += CVE-2021-38593
+# From commit 2766b2cba6ca4b1c430304df5437e2a6c874b107 "QProcess/Unix: ensure we don't accidentally execute something from CWD"
+QT5BASE_IGNORE_CVES += CVE-2022-25255
+# From commit e68ca8e51375d963b2391715f70b42707992dbd8 "Windows: use QSystemLibrary instead of LoadLibrary directly"
+QT5BASE_IGNORE_CVES += CVE-2022-25634
 
 # A few comments:
 #  * -no-pch to workaround the issue described at
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 2/3] package/qt5/qt5base: remove leftover patch

[Quentin Schulz]

From: Quentin Schulz <quentin.schulz@theobroma-systems.com>

CVE-2021-38593 fixes originally missed a usecase that was covered by the
to-be-removed patch. However, this patch was incorrect and added some
issues on its own, which was then fixed by now-removed
0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch.

Unfortunately for us, the to-be-removed patch (fixed by
0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch) can actually
be applied (with fuzz; by `patch` only) on top of the now-removed patch.
When the move to KDE Qt fork was made, some patches were removed as they
were already part of the new git fork. However, the to-be-removed patch
was not. This means the
0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch was actually
undone when Buildroot patched qt5base.

Let's remove this patch to fix this oversight.

As a reference:
e7ea2ed27c Improve fix for avoiding huge number of tiny dashes
fixed by
65b3aa6a1c Refix for avoiding huge number of tiny dashes
in the git repo.

Fixes: 5770a645a3a49 "package/qt5: bump packages to latest kde submodule versions"
Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
 ...-avoiding-huge-number-of-tiny-dashes.patch | 37 -------------------
 1 file changed, 37 deletions(-)
 delete mode 100644 package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch

diff --git a/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch b/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch
deleted file mode 100644
index 16e0f20200..0000000000
--- a/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch
+++ /dev/null
@@ -1,37 +0,0 @@
-From 856d11f695fb6effe26a359f9ad0efdf24067085 Mon Sep 17 00:00:00 2001
-From: Eirik Aavitsland <eirik.aavitsland@qt.io>
-Date: Fri, 23 Jul 2021 15:53:56 +0200
-Subject: [PATCH] Improve fix for avoiding huge number of tiny dashes
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-
-Some pathological cases were not caught by the previous fix.
-
-Fixes: QTBUG-95239
-Pick-to: 6.2 6.1 5.15
-Change-Id: I0337ee3923ff93ccb36c4d7b810a9c0667354cc5
-Reviewed-by: Robert Löhning <robert.loehning@qt.io>
-(cherry picked from commit 6b400e3147dcfd8cc3a393ace1bd118c93762e0c)
-[Retrieved from: https://invent.kde.org/qt/qt/qtbase/-/commit/fed5713eeba5bf8e0ee413cb4e77109bfa7c2bce]
-Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
----
- src/gui/painting/qpaintengineex.cpp | 2 +-
- 1 file changed, 1 insertion(+), 1 deletion(-)
-
-diff --git a/src/gui/painting/qpaintengineex.cpp b/src/gui/painting/qpaintengineex.cpp
-index 55fdb0c2a0..19e4b23423 100644
---- a/src/gui/painting/qpaintengineex.cpp
-+++ b/src/gui/painting/qpaintengineex.cpp
-@@ -426,7 +426,7 @@ void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &inPen)
-             patternLength *= pen.widthF();
-         if (qFuzzyIsNull(patternLength)) {
-             pen.setStyle(Qt::NoPen);
--        } else if (extent / patternLength > 10000) {
-+        } else if (qFuzzyIsNull(extent) || extent / patternLength > 10000) {
-             // approximate stream of tiny dashes with semi-transparent solid line
-             pen.setStyle(Qt::SolidLine);
-             QColor color(pen.color());
--- 
-2.34.1
-
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

[Buildroot] [PATCH 3/3] package/qt5/qt5base: update comment pointing to patches fixing CVE-2021-38593

[Quentin Schulz]

From: Quentin Schulz <quentin.schulz@theobroma-systems.com>

The patches aren't in Buildroot anymore but in the qt5base sources
directly, so let's give the commit hash of the fixes instead.

Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
 package/qt5/qt5base/qt5base.mk | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/package/qt5/qt5base/qt5base.mk b/package/qt5/qt5base/qt5base.mk
index 8fd5800822..972d217ef1 100644
--- a/package/qt5/qt5base/qt5base.mk
+++ b/package/qt5/qt5base/qt5base.mk
@@ -12,8 +12,9 @@ QT5BASE_DEPENDENCIES = host-pkgconf pcre2 zlib
 QT5BASE_INSTALL_STAGING = YES
 QT5BASE_SYNC_QT_HEADERS = YES
 
-# 0010-Avoid-processing-intensive-painting-of-high-number-o.patch
-# 0011-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch
+# From commits:
+# 4ce7053a59 "Avoid processing-intensive painting of high number of tiny dashes"
+# e7ea2ed27c "Improve fix for avoiding huge number of tiny dashes"
 QT5BASE_IGNORE_CVES += CVE-2021-38593
 # From commit 2766b2cba6ca4b1c430304df5437e2a6c874b107 "QProcess/Unix: ensure we don't accidentally execute something from CWD"
 QT5BASE_IGNORE_CVES += CVE-2022-25255
-- 
2.35.1

_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/3] package/qt5/qt5base: security bump

[Arnout Vandecappelle]

On 17/03/2022 17:38, Quentin Schulz wrote:
> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> 
> This fixes CVE-2022-25255 and CVE-2022-25634.
> 
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> ---
>   package/qt5/qt5base/qt5base.hash | 2 +-
>   package/qt5/qt5base/qt5base.mk   | 6 +++++-
>   2 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/package/qt5/qt5base/qt5base.hash b/package/qt5/qt5base/qt5base.hash
> index 1b9ff43ab2..c031f71c77 100644
> --- a/package/qt5/qt5base/qt5base.hash
> +++ b/package/qt5/qt5base/qt5base.hash
> @@ -1,5 +1,5 @@
>   # Locally calculated
> -sha256  96b1c96041ae7b5186c94f231979217bd50e3c0a4caeba32982faa8054a6d113  qtbase-d16bf02a11953dcac01dca73e6f3778f293adefe.tar.bz2
> +sha256  18c17d441fbefa9dd13d1d6bfb5f542c986ba86cc37930247f9e4d782df2244b  qtbase-f31e001a9399e4e620847ea2c3e90749350140ae.tar.bz2
>   
>   # Hashes for license files:
>   sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  LICENSE.GPL2
> diff --git a/package/qt5/qt5base/qt5base.mk b/package/qt5/qt5base/qt5base.mk
> index ef02edfc1d..8fd5800822 100644
> --- a/package/qt5/qt5base/qt5base.mk
> +++ b/package/qt5/qt5base/qt5base.mk
> @@ -4,7 +4,7 @@
>   #
>   ################################################################################
>   
> -QT5BASE_VERSION = d16bf02a11953dcac01dca73e6f3778f293adefe
> +QT5BASE_VERSION = f31e001a9399e4e620847ea2c3e90749350140ae
>   QT5BASE_SITE = $(QT5_SITE)/qtbase/-/archive/$(QT5BASE_VERSION)
>   QT5BASE_SOURCE = qtbase-$(QT5BASE_VERSION).tar.bz2
>   
> @@ -15,6 +15,10 @@ QT5BASE_SYNC_QT_HEADERS = YES
>   # 0010-Avoid-processing-intensive-painting-of-high-number-o.patch
>   # 0011-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch
>   QT5BASE_IGNORE_CVES += CVE-2021-38593

  FYI, this no longer applies cleanly to master.

  Regards,
  Arnout

> +# From commit 2766b2cba6ca4b1c430304df5437e2a6c874b107 "QProcess/Unix: ensure we don't accidentally execute something from CWD"
> +QT5BASE_IGNORE_CVES += CVE-2022-25255
> +# From commit e68ca8e51375d963b2391715f70b42707992dbd8 "Windows: use QSystemLibrary instead of LoadLibrary directly"
> +QT5BASE_IGNORE_CVES += CVE-2022-25634
>   
>   # A few comments:
>   #  * -no-pch to workaround the issue described at
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 2/3] package/qt5/qt5base: remove leftover patch

[Arnout Vandecappelle]

On 17/03/2022 17:38, Quentin Schulz wrote:
> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> 
> CVE-2021-38593 fixes originally missed a usecase that was covered by the
> to-be-removed patch. However, this patch was incorrect and added some
> issues on its own, which was then fixed by now-removed
> 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch.
> 
> Unfortunately for us, the to-be-removed patch (fixed by
> 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch) can actually
> be applied (with fuzz; by `patch` only) on top of the now-removed patch.
> When the move to KDE Qt fork was made, some patches were removed as they
> were already part of the new git fork. However, the to-be-removed patch
> was not. This means the
> 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch was actually
> undone when Buildroot patched qt5base.
> 
> Let's remove this patch to fix this oversight.
> 
> As a reference:
> e7ea2ed27c Improve fix for avoiding huge number of tiny dashes
> fixed by
> 65b3aa6a1c Refix for avoiding huge number of tiny dashes
> in the git repo.
> 
> Fixes: 5770a645a3a49 "package/qt5: bump packages to latest kde submodule versions"
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

  Applied to master, thanks.

  I've also renumbered patches 7 and 8.

  Regards,
  Arnout

> ---
>   ...-avoiding-huge-number-of-tiny-dashes.patch | 37 -------------------
>   1 file changed, 37 deletions(-)
>   delete mode 100644 package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch
> 
> diff --git a/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch b/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch
> deleted file mode 100644
> index 16e0f20200..0000000000
> --- a/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch
> +++ /dev/null
> @@ -1,37 +0,0 @@
> -From 856d11f695fb6effe26a359f9ad0efdf24067085 Mon Sep 17 00:00:00 2001
> -From: Eirik Aavitsland <eirik.aavitsland@qt.io>
> -Date: Fri, 23 Jul 2021 15:53:56 +0200
> -Subject: [PATCH] Improve fix for avoiding huge number of tiny dashes
> -MIME-Version: 1.0
> -Content-Type: text/plain; charset=UTF-8
> -Content-Transfer-Encoding: 8bit
> -
> -Some pathological cases were not caught by the previous fix.
> -
> -Fixes: QTBUG-95239
> -Pick-to: 6.2 6.1 5.15
> -Change-Id: I0337ee3923ff93ccb36c4d7b810a9c0667354cc5
> -Reviewed-by: Robert Löhning <robert.loehning@qt.io>
> -(cherry picked from commit 6b400e3147dcfd8cc3a393ace1bd118c93762e0c)
> -[Retrieved from: https://invent.kde.org/qt/qt/qtbase/-/commit/fed5713eeba5bf8e0ee413cb4e77109bfa7c2bce]
> -Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> ----
> - src/gui/painting/qpaintengineex.cpp | 2 +-
> - 1 file changed, 1 insertion(+), 1 deletion(-)
> -
> -diff --git a/src/gui/painting/qpaintengineex.cpp b/src/gui/painting/qpaintengineex.cpp
> -index 55fdb0c2a0..19e4b23423 100644
> ---- a/src/gui/painting/qpaintengineex.cpp
> -+++ b/src/gui/painting/qpaintengineex.cpp
> -@@ -426,7 +426,7 @@ void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &inPen)
> -             patternLength *= pen.widthF();
> -         if (qFuzzyIsNull(patternLength)) {
> -             pen.setStyle(Qt::NoPen);
> --        } else if (extent / patternLength > 10000) {
> -+        } else if (qFuzzyIsNull(extent) || extent / patternLength > 10000) {
> -             // approximate stream of tiny dashes with semi-transparent solid line
> -             pen.setStyle(Qt::SolidLine);
> -             QColor color(pen.color());
> ---
> -2.34.1
> -
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 2/3] package/qt5/qt5base: remove leftover patch

[Peter Korsgaard]

>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:

 > From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
 > CVE-2021-38593 fixes originally missed a usecase that was covered by the
 > to-be-removed patch. However, this patch was incorrect and added some
 > issues on its own, which was then fixed by now-removed
 > 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch.

 > Unfortunately for us, the to-be-removed patch (fixed by
 > 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch) can actually
 > be applied (with fuzz; by `patch` only) on top of the now-removed patch.
 > When the move to KDE Qt fork was made, some patches were removed as they
 > were already part of the new git fork. However, the to-be-removed patch
 > was not. This means the
 > 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch was actually
 > undone when Buildroot patched qt5base.

 > Let's remove this patch to fix this oversight.

 > As a reference:
 > e7ea2ed27c Improve fix for avoiding huge number of tiny dashes
 > fixed by
 > 65b3aa6a1c Refix for avoiding huge number of tiny dashes
 > in the git repo.

 > Fixes: 5770a645a3a49 "package/qt5: bump packages to latest kde submodule versions"
 > Cc: Quentin Schulz <foss+buildroot@0leil.net>
 > Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Committed to 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 1/3] package/qt5/qt5base: security bump

[Peter Korsgaard]

>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:

 > From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
 > This fixes CVE-2022-25255 and CVE-2022-25634.

 > Cc: Quentin Schulz <foss+buildroot@0leil.net>
 > Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Committed to 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot

Re: [Buildroot] [PATCH 3/3] package/qt5/qt5base: update comment pointing to patches fixing CVE-2021-38593

[Peter Korsgaard]

>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:

 > From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
 > The patches aren't in Buildroot anymore but in the qt5base sources
 > directly, so let's give the commit hash of the fixes instead.

 > Cc: Quentin Schulz <foss+buildroot@0leil.net>
 > Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Committed to 2022.02.x, thanks.

-- 
Bye, Peter Korsgaard
_______________________________________________
buildroot mailing list
buildroot@buildroot.org
https://lists.buildroot.org/mailman/listinfo/buildroot