[main] Migrating CVE fixes for qt5 packages. (CP #1481) (#2738)

2022-04-14 13:48:47 -07:00 · 2022-04-14 13:48:47 -07:00 · 54d9483d7c
--- a/SPECS/qt5-qtbase/qt5-qtbase.signatures.json
+++ b/SPECS/qt5-qtbase/qt5-qtbase.signatures.json
@ -2,7 +2,7 @@
 "Signatures": {
  "macros.qt5-qtbase": "a2a2f8f341f17493bcba3cef1c5c6c32072648f981bc0aefde68055aab74a31b",
  "qconfig-multilib.h": "2d01cdbfd11a887a1729f1ce2c4e0ad0c080509cc009279090bd68521845be93",
-  "qtbase-everywhere-src-5.12.5.tar.xz": "fc8abffbbda9da3e593d8d62b56bc17dbaab13ff71b72915ddda11dabde4d625",
+  "qtbase-everywhere-src-5.12.11.tar.xz": "1c1b4e33137ca77881074c140d54c3c9747e845a31338cfe8680f171f0bc3a39",
  "qtlogging.ini": "7493edc0df47c1bb9040331694922d4500b897b30515d698ec482c866ee5d9d3"
 }
 }
--- a/SPECS/qt5-qtbase/qt5-qtbase.spec
+++ b/SPECS/qt5-qtbase/qt5-qtbase.spec
@ -3,18 +3,9 @@
 %global multilib_basearchs x86_64 %{?mips64} ppc64 s390x sparc64

 # support openssl-1.1 -> mariner currently DOES NOT support it.
-%if 0%{?fedora} > 26
-%global openssl11 1
-%endif
+%global openssl11 0
 %global openssl -openssl-linked

-# workaround https://bugzilla.redhat.com/show_bug.cgi?id=1668865
-# for current stable releases
-%if 0%{?fedora} && 0%{?fedora} < 30
-%global no_feature_statx -no-feature-statx
-%global no_feature_renameat2 -no-feature-renameat2
-%endif
-
 # support qtchooser (adds qtchooser .conf file)
 %global qtchooser 1
 %if 0%{?qtchooser}
@ -41,8 +32,8 @@

 Name:         qt5-qtbase
 Summary:      Qt5 - QtBase components
-Version:      5.12.5
-Release:      6%{?dist}
+Version:      5.12.11
+Release:      3%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License:      GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
 Vendor:       Microsoft Corporation
@ -130,11 +121,6 @@ Patch64: qt5-qtbase-5.12.1-firebird.patch
 # fix for new mariadb
 Patch65: qtbase-opensource-src-5.9.0-mysql.patch

-# use categorized logging for xcb log entries
-# https://bugreports.qt.io/browse/QTBUG-55167
-# https://bugzilla.redhat.com/show_bug.cgi?id=1497564
-Patch67: https://bugreports.qt.io/secure/attachment/66353/xcberror_filter.patch
-
 # python3
 Patch68: qtbase-everywhere-src-5.11.1-python3.patch

@ -217,10 +203,7 @@ Requires: %{name}-devel%{?_isa} = %{version}-%{release}
 # debating whether to do 1 subpkg per library or not -- rex
 %package gui
 Summary: Qt5 GUI-related libraries
-#Requires: %{name}%{?_isa} = %{version}-%{release}
-%if 0%{?fedora} > 20
 Recommends: mesa-dri-drivers
-%endif
 Obsoletes: qt5-qtbase-x11 < 5.2.0
 Provides:  qt5-qtbase-x11 = %{version}-%{release}
 # for Source6: 10-qt5-check-opengl2.sh:
@ -246,16 +229,10 @@ Qt5 libraries used for drawing widgets and OpenGL items.
 %patch54 -p1 -b .qmake_LFLAGS
 %patch61 -p1 -b .qt5-qtbase-cxxflag
 %patch64 -p1 -b .firebird
-%if 0%{?fedora} > 27
 %patch65 -p1 -b .mysql
-%endif
-# FIXME/REBASE
-#patch67 -p1 -b .xcberror_filter
 %patch68 -p1

-%if 0%{?fedora} > 30
 %patch80 -p1 -b .use-wayland-on-gnome.patch
-%endif

 ## upstream patches

@ -283,6 +260,7 @@ sed -i -e "s|^#!/usr/bin/env perl$|#!%{__perl}|" \
 # gcc 11 requires <limits> to be explicitly included for std::numeric_limits
 sed -i 's/#  include <utility>/#  include <utility>\n#  include <limits>/g' src/corelib/global/qglobal.h

+
 %build
 ## FIXME/TODO:
 # * for %%ix86, add sse2 enabled builds for Qt5Gui, Qt5Core, QtNetwork, see also:
@ -400,7 +378,7 @@ translationdir=%{_qt5_translationdir}

 Name: Qt5
 Description: Qt5 Configuration
-Version: 5.12.5
+Version: %{version}
 EOF

 # rpm macros
@ -531,7 +509,7 @@ fi
 %license LICENSE.FDL
 %license LICENSE.GPL*
 %license LICENSE.LGPL*
-%license LICENSE.QT-LICENSE-AGREEMENT-4.0
+%license LICENSE.QT-LICENSE-AGREEMENT-4.2
 %if 0%{?qtchooser}
 %dir %{_sysconfdir}/xdg/qtchooser
 # not editable config files, so not using %%config here
@ -734,10 +712,6 @@ fi
 %{_qt5_plugindir}/generic/libqevdevmouseplugin.so
 %{_qt5_plugindir}/generic/libqevdevtabletplugin.so
 %{_qt5_plugindir}/generic/libqevdevtouchplugin.so
-%if 0%{?fedora}
-%{_qt5_plugindir}/generic/libqlibinputplugin.so
-%{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QLibInputPlugin.cmake
-%endif
 %{_qt5_plugindir}/generic/libqtuiotouchplugin.so
 %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QEvdevKeyboardPlugin.cmake
 %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QEvdevMousePlugin.cmake
@ -764,8 +738,16 @@ fi
 %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake

 %changelog
-* Fri Nov 12 2021 Andrew Phelps <anphel@microsoft.com> - 5.12.5-6
- Fix gcc11 build issue
+* Wed Apr 13 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 5.12.11-3
+- Migrating CVE fixes from Mariner's 1.0 version.
+- Switching to Fedora 36' (license: MIT) patch for GCC 11 build issues.
+- Removing Fedora-specific macros.
+
+* Mon Aug 09 2021 Andrew Phelps <anphel@microsoft.com> - 5.12.11-2
+- Fix version number in Qt5.pc
+
+* Wed Aug 04 2021 Nicolas Guibourge <nicolasg@microsoft.com> - 5.12.11-1
+- Move to version 5.12.11 to address CVE-2015-9541, CVE-2020-0570 and CVE-2020-13962.

 * Fri Apr 16 2021 Pawel Winogrodzki <pawelwi@microsoft.com> - 5.12.5-5
 - Added explicit 'Requires' on 'icu'.
--- a/SPECS/qt5-qtbase/xcberror_filter.patch
+++ b/SPECS/qt5-qtbase/xcberror_filter.patch
@ -1,41 +0,0 @@
-From 911762e077c8b2f9795171c1e628942a0a979801 Mon Sep 17 00:00:00 2001
-From: Jan Grulich <jgrulich@redhat.com>
-Date: Fri, 15 Dec 2017 11:56:12 +0100
-Subject: foo
-
-
-diff --git a/src/plugins/platforms/xcb/qxcbconnection.cpp b/src/plugins/platforms/xcb/qxcbconnection.cpp
-index 536c709..c6eb1b1 100644
--- a/src/plugins/platforms/xcb/qxcbconnection.cpp
-+++ b/src/plugins/platforms/xcb/qxcbconnection.cpp
-@@ -111,6 +111,8 @@ Q_LOGGING_CATEGORY(lcQpaXInputEvents, "qt.qpa.input.events")
- Q_LOGGING_CATEGORY(lcQpaScreen, "qt.qpa.screen")
- Q_LOGGING_CATEGORY(lcQpaEvents, "qt.qpa.events")
- Q_LOGGING_CATEGORY(lcQpaXcb, "qt.qpa.xcb") // for general (uncategorized) XCB logging
-+Q_LOGGING_CATEGORY(lcQpaXcbError, "qt.qpa.xcb.xcberror")
-+// TODO: How to categorize by xcberror type? (e.g. only BadWindow)
- Q_LOGGING_CATEGORY(lcQpaPeeker, "qt.qpa.peeker")
-
- // this event type was added in libxcb 1.10,
-@@ -964,7 +966,8 @@ void QXcbConnection::handleXcbError(xcb_generic_error_t *error)
-     uint clamped_error_code = qMin<uint>(error->error_code, (sizeof(xcb_errors) / sizeof(xcb_errors[0])) - 1);
-     uint clamped_major_code = qMin<uint>(error->major_code, (sizeof(xcb_protocol_request_codes) / sizeof(xcb_protocol_request_codes[0])) - 1);
-
-    qWarning("QXcbConnection: XCB error: %d (%s), sequence: %d, resource id: %d, major code: %d (%s), minor code: %d",
-+    qCWarning(lcQpaXcbError,
-+           "QXcbConnection: XCB error: %d (%s), sequence: %d, resource id: %d, major code: %d (%s), minor code: %d",
-            int(error->error_code), xcb_errors[clamped_error_code],
-            int(error->sequence), int(error->resource_id),
-            int(error->major_code), xcb_protocol_request_codes[clamped_major_code],
-diff --git a/src/plugins/platforms/xcb/qxcbconnection.h b/src/plugins/platforms/xcb/qxcbconnection.h
-index 999dc06..554611c 100644
--- a/src/plugins/platforms/xcb/qxcbconnection.h
-+++ b/src/plugins/platforms/xcb/qxcbconnection.h
-@@ -91,6 +91,7 @@ Q_DECLARE_LOGGING_CATEGORY(lcQpaXInputEvents)
- Q_DECLARE_LOGGING_CATEGORY(lcQpaScreen)
- Q_DECLARE_LOGGING_CATEGORY(lcQpaEvents)
- Q_DECLARE_LOGGING_CATEGORY(lcQpaXcb)
-+Q_DECLARE_LOGGING_CATEGORY(lcQpaXcbError)
- Q_DECLARE_LOGGING_CATEGORY(lcQpaPeeker)
-
- class QXcbVirtualDesktop;
--- a/SPECS/qt5-qtsvg/CVE-2018-21035.nopatch
+++ b/SPECS/qt5-qtsvg/CVE-2018-21035.nopatch
--- a/SPECS/qt5-qtsvg/CVE-2021-38593.nopatch
+++ b/SPECS/qt5-qtsvg/CVE-2021-38593.nopatch
--- a/SPECS/qt5-qtsvg/CVE-2022-25634.nopatch
+++ b/SPECS/qt5-qtsvg/CVE-2022-25634.nopatch
--- a/SPECS/qt5-qtsvg/qt5-qtsvg.signatures.json
+++ b/SPECS/qt5-qtsvg/qt5-qtsvg.signatures.json
@ -1,5 +1,5 @@
 {
 "Signatures": {
-  "qtsvg-everywhere-src-5.12.5.tar.xz": "75a791cf749f671d7ea9090b403ca513f745795018db512e7eecbf418b679840"
+  "qtsvg-everywhere-src-5.12.11.tar.xz": "7a6857a2f68cfbebb9f791396b401a98e951c9bff9bfeb1b5b01914c3ea1a0ed"
 }
 }
--- a/SPECS/qt5-qtsvg/qt5-qtsvg.spec
+++ b/SPECS/qt5-qtsvg/qt5-qtsvg.spec
@ -1,19 +1,25 @@
-Summary:      Qt5 - Support for rendering and displaying SVG
-Name:         qt5-qtsvg
-Version:      5.12.5
-Release:      3%{?dist}
-Vendor:       Microsoft Corporation
-Distribution: Mariner
+%define majmin %(echo %{version} | cut -d. -f1-2)

-# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
-License: LGPLv2 with exceptions or GPLv3 with exceptions
-Url:     http://www.qt.io
-%global majmin %(echo %{version} | cut -d. -f1-2)
-Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz
+Summary:        Qt5 - Support for rendering and displaying SVG
+Name:           qt5-qtsvg
+Version:        5.12.11
+Release:        3%{?dist}
+# See LICENSE.GPL3-EXCEPT.txt, for exception details
+License:        GFDL AND GPLv2+ with exceptions AND LGPLv2.1+
+Vendor:         Microsoft Corporation
+Distribution:   Mariner
+URL:            https://www.qt.io
+Source0:        https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz
+# No gui add no patch
+Patch100:       CVE-2021-38593.nopatch
+Patch101:       CVE-2018-21035.nopatch
+# Vulnerability is limited to the Windows OS.
+Patch102:       CVE-2022-25634.nopatch
+
+BuildRequires:  qt5-qtbase-devel >= %{version}
+BuildRequires:  qt5-qtbase-private-devel
+BuildRequires:  zlib-devel

-BuildRequires: qt5-qtbase-devel >= %{version}
-BuildRequires: zlib-devel
-BuildRequires: qt5-qtbase-private-devel
 %{?_qt5:Requires: %{_qt5}%{?_isa} = %{_qt5_version}}

 %description
@ -22,30 +28,28 @@ two-dimensional vector graphics. Qt provides classes for rendering and
 displaying SVG drawings in widgets and on other paint devices.

 %package devel
-Summary: Development files for %{name}
-Requires: %{name}%{?_isa} = %{version}-%{release}
-Requires: qt5-qtbase-devel%{?_isa}
+Summary:        Development files for %{name}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+Requires:       qt5-qtbase-devel%{?_isa}
+
 %description devel
 %{summary}.

 %package examples
-Summary: Programming examples for %{name}
-Requires: %{name}%{?_isa} = %{version}-%{release}
+Summary:        Programming examples for %{name}
+Requires:       %{name}%{?_isa} = %{version}-%{release}
+
 %description examples
 %{summary}.

-
 %prep
-%setup -n qtsvg-everywhere-src-%{version} -q
-
-
+%autosetup -p1 -n qtsvg-everywhere-src-%{version}

 %build
 qmake-qt5 .

 %make_build

-
 %install
 make install INSTALL_ROOT=%{buildroot}

@ -80,8 +84,17 @@ popd
 %files examples
 %{_qt5_examplesdir}/

-
 %changelog
+* Fri Mar 11 2022 Pawel Winogrodzki <pawelwi@microsoft.com> - 5.12.11-3
+- Adding a nopatch for CVE-2022-25634 - vulnerability limited to the Windows OS.
+- License verified.
+
+* Thu Sep 30 2021 Suresh Babu Chalamalasetty <schalam@microsoft.com> - 5.12.11-2
+- Add nopatches for CVE-2021-38593 and CVE-2018-21035.
+
+* Wed Aug 4 2021 Nicolas Guibourge <nicolasg@microsoft.com> - 5.12.11-1
+- Move to version 5.12.11.
+
 * Mon Mar 30 2020 Joe Schmitt <joschmit@microsoft.com> - 5.12.5-3
 - Update Vendor and Distribution tags

--- a/cgmanifest.json
+++ b/cgmanifest.json
@ -25354,8 +25354,8 @@
        "type": "other",
        "other": {
          "name": "qt5-qtbase",
-          "version": "5.12.5",
-          "downloadUrl": "https://download.qt.io/official_releases/qt/5.12/5.12.5/submodules/qtbase-everywhere-src-5.12.5.tar.xz"
+          "version": "5.12.11",
+          "downloadUrl": "https://download.qt.io/official_releases/qt/5.12/5.12.11/submodules/qtbase-everywhere-src-5.12.11.tar.xz"
        }
      }
    },
@ -25394,8 +25394,8 @@
        "type": "other",
        "other": {
          "name": "qt5-qtsvg",
-          "version": "5.12.5",
-          "downloadUrl": "https://download.qt.io/official_releases/qt/5.12/5.12.5/submodules/qtsvg-everywhere-src-5.12.5.tar.xz"
+          "version": "5.12.11",
+          "downloadUrl": "https://download.qt.io/official_releases/qt/5.12/5.12.11/submodules/qtsvg-everywhere-src-5.12.11.tar.xz"
        }
      }
    },