From 8ff5605363911f3433e62acb61b20675b77966d7 Mon Sep 17 00:00:00 2001 From: Trung Date: Fri, 26 May 2023 17:17:25 -0700 Subject: [PATCH] Add patch for CVE-2023-24607 ad CVE-2023-32573 (#5593) --- SPECS/qt5-qtbase/CVE-2023-24607.patch | 151 ++++++++++++++++++++------ SPECS/qt5-qtbase/qt5-qtbase.spec | 5 +- SPECS/qt5-qtsvg/CVE-2023-32573.patch | 36 ++++++ SPECS/qt5-qtsvg/qt5-qtsvg.spec | 6 +- 4 files changed, 164 insertions(+), 34 deletions(-) create mode 100644 SPECS/qt5-qtsvg/CVE-2023-32573.patch diff --git a/SPECS/qt5-qtbase/CVE-2023-24607.patch b/SPECS/qt5-qtbase/CVE-2023-24607.patch index e4bc1e8ff7..10b0e136c5 100644 --- a/SPECS/qt5-qtbase/CVE-2023-24607.patch +++ b/SPECS/qt5-qtbase/CVE-2023-24607.patch @@ -1,11 +1,87 @@ -diff --git a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp -index 1fbbcd0ef1..61815eb962 100644 +Source: https://download.qt.io/archive/qt/5.15/CVE-2023-24607-qtbase-5.15.diff + --- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp 
+++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp -@@ -771,6 +771,14 @@ QChar QODBCDriverPrivate::quoteChar() +@@ -92,23 +92,39 @@ inline static QString fromSQLTCHAR(const QVarLengthArray& input, int s + return result; + } + ++template ++void toSQLTCHARImpl(QVarLengthArray &result, const QString &input); // primary template undefined ++ ++template ++void do_append(QVarLengthArray &result, const Container &c) ++{ ++ result.append(reinterpret_cast(c.data()), c.size()); ++} ++ ++template <> ++void toSQLTCHARImpl<1>(QVarLengthArray &result, const QString &input) ++{ ++ const auto u8 = input.toUtf8(); ++ do_append(result, u8); ++} ++ ++template <> ++void toSQLTCHARImpl<2>(QVarLengthArray &result, const QString &input) ++{ ++ do_append(result, input); ++} ++ ++template <> ++void toSQLTCHARImpl<4>(QVarLengthArray &result, const QString &input) ++{ ++ const auto u32 = input.toUcs4(); ++ do_append(result, u32); ++} ++ + inline static QVarLengthArray toSQLTCHAR(const QString &input) + { + QVarLengthArray result; +- result.resize(input.size()); +- switch(sizeof(SQLTCHAR)) { +- case 1: +- memcpy(result.data(), input.toUtf8().data(), input.size()); +- break; +- case 2: +- memcpy(result.data(), input.unicode(), input.size() * 2); +- break; +- case 4: +- memcpy(result.data(), input.toUcs4().data(), input.size() * 4); +- break; +- default: +- qCritical("sizeof(SQLTCHAR) is %d. Don't know how to handle this.", int(sizeof(SQLTCHAR))); +- } ++ toSQLTCHARImpl(result, input); + result.append(0); // make sure it's null terminated, doesn't matter if it already is, it does if it isn't. 
+ return result; + } + +--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp ++++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp +@@ -1732,10 +1732,11 @@ bool QODBCResult::exec() + case QVariant::String: + if (d->unicode) { + if (bindValueType(i) & QSql::Out) { +- const QByteArray &first = tmpStorage.at(i); +- QVarLengthArray array; +- array.append((const SQLTCHAR *)first.constData(), first.size()); +- values[i] = fromSQLTCHAR(array, first.size()/sizeof(SQLTCHAR)); ++ const QByteArray &bytes = tmpStorage.at(i); ++ const auto strSize = bytes.size() / int(sizeof(SQLTCHAR)); ++ QVarLengthArray string(strSize); ++ memcpy(string.data(), bytes.data(), strSize * sizeof(SQLTCHAR)); ++ values[i] = fromSQLTCHAR(string); + } + break; + } + +--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp ++++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp +@@ -779,6 +779,14 @@ QChar QODBCDriverPrivate::quoteChar() return quote; } - + +static SQLRETURN qt_string_SQLSetConnectAttr(SQLHDBC handle, SQLINTEGER attr, const QString &val) +{ + auto encoded = toSQLTCHAR(val); @@ -14,10 +90,10 @@ index 1fbbcd0ef1..61815eb962 100644 + SQLINTEGER(encoded.size() * sizeof(SQLTCHAR))); // size in bytes +} + - + bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts) { -@@ -806,10 +814,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts) +@@ -814,10 +822,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts) v = val.toUInt(); r = SQLSetConnectAttr(hDbc, SQL_ATTR_LOGIN_TIMEOUT, (SQLPOINTER) size_t(v), 0); } else if (opt.toUpper() == QLatin1String("SQL_ATTR_CURRENT_CATALOG")) { 
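Review bot: `toSQLTCHAR()` still ends with `result.append(0)`, so the call sites that now pass the encoded array's size as the ODBC length count the terminator as well: `SQLINTEGER(encoded.size() * sizeof(SQLTCHAR))` in `qt_string_SQLSetConnectAttr`, `SQLINTEGER(encoded.size())` in the `SQLPrepare` hunk, and `joinedTableTypeString.size()` in the `SQLTables` hunk. The lines being replaced passed the input string's own length (`val.length()*sizeof(SQLTCHAR)`, `query.length()`), which excluded it. A driver that takes the explicit length literally may then see a trailing NUL inside the statement or attribute text. Either pass `encoded.size() - 1` at those call sites, or drop the `append(0)` after checking that no caller depends on NUL termination. It is also worth checking whether upstream carries a follow-up to this 5.15 diff before shipping the backport.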
@@ -29,7 +105,7 @@ index 1fbbcd0ef1..61815eb962 100644 } else if (opt.toUpper() == QLatin1String("SQL_ATTR_METADATA_ID")) { if (val.toUpper() == QLatin1String("SQL_TRUE")) { v = SQL_TRUE; -@@ -824,10 +829,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts) +@@ -832,10 +837,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts) v = val.toUInt(); r = SQLSetConnectAttr(hDbc, SQL_ATTR_PACKET_SIZE, (SQLPOINTER) size_t(v), 0); } else if (opt.toUpper() == QLatin1String("SQL_ATTR_TRACEFILE")) { @@ -37,14 +113,14 @@ index 1fbbcd0ef1..61815eb962 100644 - r = SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE, - toSQLTCHAR(val).data(), - val.length()*sizeof(SQLTCHAR)); -+ r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_CURRENT_CATALOG, val); ++ r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE, val); } else if (opt.toUpper() == QLatin1String("SQL_ATTR_TRACE")) { if (val.toUpper() == QLatin1String("SQL_OPT_TRACE_OFF")) { v = SQL_OPT_TRACE_OFF; -@@ -1030,9 +1032,12 @@ bool QODBCResult::reset (const QString& query) +@@ -1038,9 +1040,12 @@ bool QODBCResult::reset (const QString& query) return false; } - + - r = SQLExecDirect(d->hStmt, - toSQLTCHAR(query).data(), - (SQLINTEGER) query.length()); @@ -57,10 +133,10 @@ index 1fbbcd0ef1..61815eb962 100644 if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO && r!= SQL_NO_DATA) { setLastError(qMakeError(QCoreApplication::translate("QODBCResult", "Unable to execute statement"), QSqlError::StatementError, d)); -@@ -1378,9 +1383,12 @@ bool QODBCResult::prepare(const QString& query) +@@ -1387,9 +1392,12 @@ bool QODBCResult::prepare(const QString& query) return false; } - + - r = SQLPrepare(d->hStmt, - toSQLTCHAR(query).data(), - (SQLINTEGER) query.length()); 
@@ -70,10 +146,19 @@ index 1fbbcd0ef1..61815eb962 100644 + encoded.data(), + SQLINTEGER(encoded.size())); + } - + if (r != SQL_SUCCESS) { setLastError(qMakeError(QCoreApplication::translate("QODBCResult", -@@ -1585,35 +1593,36 @@ bool QODBCResult::exec() +@@ -1417,7 +1425,7 @@ bool QODBCResult::exec() + SQLCloseCursor(d->hStmt); + + QVector& values = boundValues(); +- QVector tmpStorage(values.count(), QByteArray()); // holds temporary buffers ++ QVector tmpStorage(values.count(), QByteArray()); // targets for SQLBindParameter() + QVarLengthArray indicators(values.count()); + memset(indicators.data(), 0, indicators.size() * sizeof(SQLLEN)); + +@@ -1596,35 +1604,36 @@ bool QODBCResult::exec() case QVariant::String: if (d->unicode) { QByteArray &ba = tmpStorage[i]; @@ -88,7 +173,7 @@ index 1fbbcd0ef1..61815eb962 100644 - *ind = str.length() * sizeof(SQLTCHAR); - int strSize = str.length() * sizeof(SQLTCHAR); + *ind = ba.size(); - + if (bindValueType(i) & QSql::Out) { - const QVarLengthArray a(toSQLTCHAR(str)); - ba = QByteArray((const char *)a.constData(), a.size() * sizeof(SQLTCHAR)); @@ -121,7 +206,7 @@ index 1fbbcd0ef1..61815eb962 100644 ba.size(), ind); break; -@@ -1971,14 +1980,16 @@ bool QODBCDriver::open(const QString & db, +@@ -1982,14 +1991,16 @@ bool QODBCDriver::open(const QString & db, SQLSMALLINT cb; QVarLengthArray connOut(1024); memset(connOut.data(), 0, connOut.size() * sizeof(SQLTCHAR)); 
@@ -143,17 +228,18 @@ index 1fbbcd0ef1..61815eb962 100644 + &cb, + /*SQL_DRIVER_NOPROMPT*/0); + } - + if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO) { setLastError(qMakeError(tr("Unable to connect"), QSqlError::ConnectionError, d)); -@@ -2357,17 +2368,13 @@ QStringList QODBCDriver::tables(QSql::TableType type) const +@@ -2368,17 +2379,15 @@ QStringList QODBCDriver::tables(QSql::TableType type) const if (tableType.isEmpty()) return tl; - + - QString joinedTableTypeString = tableType.join(QLatin1Char(',')); -+ auto joinedTableTypeString = toSQLTCHAR(tableType.join(u',')); - - r = SQLTables(hStmt, ++ { ++ auto joinedTableTypeString = toSQLTCHAR(tableType.join(u',')); + +- r = SQLTables(hStmt, - NULL, - 0, - NULL, @@ -162,14 +248,16 @@ index 1fbbcd0ef1..61815eb962 100644 - 0, - toSQLTCHAR(joinedTableTypeString).data(), - joinedTableTypeString.length() /* characters, not bytes */); -+ nullptr, 0, -+ nullptr, 0, -+ nullptr, 0 -+ joinedTableTypeString.data(), joinedTableTypeString.length()); - ++ r = SQLTables(hStmt, ++ nullptr, 0, ++ nullptr, 0, ++ nullptr, 0, ++ joinedTableTypeString.data(), joinedTableTypeString.size()); ++ } + if (r != SQL_SUCCESS) qSqlWarning(QLatin1String("QODBCDriver::tables Unable to execute table list"), d); -@@ -2441,28 +2448,30 @@ QSqlIndex QODBCDriver::primaryIndex(const QString& tablename) const +@@ -2452,28 +2461,30 @@ QSqlIndex QODBCDriver::primaryIndex(const QString& tablename) const SQL_ATTR_CURSOR_TYPE, (SQLPOINTER)SQL_CURSOR_FORWARD_ONLY, SQL_IS_UINTEGER); @@ -189,7 +277,7 @@ index 1fbbcd0ef1..61815eb962 100644 + schema.isEmpty() ? nullptr : s.data(), s.size(), + t.data(), t.size()); + } - + // if the SQLPrimaryKeys() call does not succeed (e.g the driver // does not support it) - try an alternative method to get hold of // the primary index (e.g MS Access and FoxPro) 
@@ -214,10 +302,10 @@ index 1fbbcd0ef1..61815eb962 100644 + t.data(), t.size(), + SQL_SCOPE_CURROW, + SQL_NULLABLE); - + if (r != SQL_SUCCESS) { qSqlWarning(QLatin1String("QODBCDriver::primaryIndex: Unable to execute primary key list"), d); -@@ -2543,15 +2552,17 @@ QSqlRecord QODBCDriver::record(const QString& tablename) const +@@ -2554,15 +2565,17 @@ QSqlRecord QODBCDriver::record(const QString& tablename) const SQL_ATTR_CURSOR_TYPE, (SQLPOINTER)SQL_CURSOR_FORWARD_ONLY, SQL_IS_UINTEGER); @@ -243,4 +331,3 @@ index 1fbbcd0ef1..61815eb962 100644 + } if (r != SQL_SUCCESS) qSqlWarning(QLatin1String("QODBCDriver::record: Unable to execute column list"), d); - diff --git a/SPECS/qt5-qtbase/qt5-qtbase.spec b/SPECS/qt5-qtbase/qt5-qtbase.spec index 3d7dd54b31..bfa3d0b75b 100644 --- a/SPECS/qt5-qtbase/qt5-qtbase.spec +++ b/SPECS/qt5-qtbase/qt5-qtbase.spec @@ -33,7 +33,7 @@ Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.12.11 -Release: 5%{?dist} +Release: 6%{?dist} # See LICENSE.GPL3-EXCEPT.txt, for exception details License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0 Vendor: Microsoft Corporation @@ -740,6 +740,9 @@ fi %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake %changelog +* Fri May 26 2023 Thien Trung Vuong - 5.12.11-5 +- Update ptch for CVE-2023-24607 + * Wed Apr 26 2023 Sean Dougherty - 5.12.11-4 - Added patch to fix CVE-2023-24607 diff --git a/SPECS/qt5-qtsvg/CVE-2023-32573.patch b/SPECS/qt5-qtsvg/CVE-2023-32573.patch new file mode 100644 index 0000000000..6dde54cd6b --- /dev/null +++ b/SPECS/qt5-qtsvg/CVE-2023-32573.patch 
@@ -0,0 +1,36 @@ +Source: https://download.qt.io/archive/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff + +--- a/src/svg/qsvgfont_p.h ++++ b/src/svg/qsvgfont_p.h +@@ -74,6 +74,7 @@ public: + class Q_SVG_PRIVATE_EXPORT QSvgFont : public QSvgRefCounted + { + public: ++ static constexpr qreal DEFAULT_UNITS_PER_EM = 1000; + QSvgFont(qreal horizAdvX); + + void setFamilyName(const QString &name); +@@ -86,9 +87,7 @@ public: + void draw(QPainter *p, const QPointF &point, const QString &str, qreal pixelSize, Qt::Alignment alignment) const; + public: + QString m_familyName; +- qreal m_unitsPerEm; +- qreal m_ascent; +- qreal m_descent; ++ qreal m_unitsPerEm = DEFAULT_UNITS_PER_EM; + qreal m_horizAdvX; + QHash m_glyphs; + }; + + +--- a/src/svg/qsvghandler.cpp ++++ b/src/svg/qsvghandler.cpp +@@ -2668,7 +2668,7 @@ static bool parseFontFaceNode(QSvgStyleProperty *parent, + + qreal unitsPerEm = toDouble(unitsPerEmStr); + if (!unitsPerEm) +- unitsPerEm = 1000; ++ unitsPerEm = QSvgFont::DEFAULT_UNITS_PER_EM; + + if (!name.isEmpty()) + font->setFamilyName(name); diff --git a/SPECS/qt5-qtsvg/qt5-qtsvg.spec b/SPECS/qt5-qtsvg/qt5-qtsvg.spec index 2fc24f54f6..479b98e89f 100644 --- a/SPECS/qt5-qtsvg/qt5-qtsvg.spec +++ b/SPECS/qt5-qtsvg/qt5-qtsvg.spec @@ -3,7 +3,7 @@ Summary: Qt5 - Support for rendering and displaying SVG Name: qt5-qtsvg Version: 5.12.11 -Release: 4%{?dist} +Release: 5%{?dist} # See LICENSE.GPL3-EXCEPT.txt, for exception details License: GFDL AND GPLv2+ with exceptions AND LGPLv2.1+ Vendor: Microsoft Corporation @@ -15,6 +15,7 @@ Patch100: CVE-2021-38593.nopatch Patch101: CVE-2018-21035.nopatch # Vulnerability is limited to the Windows OS. Patch102: CVE-2022-25634.nopatch +Patch103: CVE-2023-32573.patch BuildRequires: qt5-qtbase-devel >= %{version} BuildRequires: qt5-qtbase-private-devel 
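Review bot: Removing `m_ascent` and `m_descent` from `QSvgFont` goes beyond initialising `m_unitsPerEm`, and is only safe if nothing in the 5.12.11 qtsvg tree still references those members. The embedded diff was written against the 5.15 branch (per its `Source:` line), so the `@@ -2668,7` offset in qsvghandler.cpp may apply only with fuzz. Confirm that the patch applies cleanly and compiles on this version. I would also add a short header comment in the patch file recording that it is a 5.15 backport applied to 5.12.11 and whether any adaptation was needed.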
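Review bot: `Patch103: CVE-2023-32573.patch` is only declared here, and the diffstat for qt5-qtsvg.spec (six changed lines: release, this line, changelog) leaves no room for a `%prep` change. The other patch entries visible in this hunk are all `.nopatch` markers, so `%prep` may never have had to apply anything. If it uses plain `%setup` rather than `%autosetup -p1`, the fix would be packaged but not applied to the sources. Confirm that `%prep` picks it up, or add `%patch103 -p1` there.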
@@ -85,6 +86,9 @@ popd %{_qt5_examplesdir}/ %changelog +* Fri May 26 2023 Thien Trung Vuong - 5.12.11-5 +- Add patch for CVE-2023-32573 + * Mon Nov 28 2022 Suresh Babu Chalamalasetty - 5.12.11-4 - Update source download path.