authorBen de Groot <yngwin@gentoo.org>2015-05-07 08:31:30 +0000
committerBen de Groot <yngwin@gentoo.org>2015-05-07 08:31:30 +0000
commit49cbaf6f97aa14e2a70841366b0f66a0850b8e4c (patch)
tree62bf762b521797264296a3d02f93be280530bf66
parentVersion bump. Removed old (diff)
Apply upstream patches for bug #546174. Fixes CVE-2015-1858, CVE-2015-1859, CVE-2015-1860.
(Portage version: 2.2.18/cvs/Linux x86_64, signed Manifest commit with key 0x4FDF9CFD2FAC514E!)
-rw-r--r--dev-qt/qtgui/ChangeLog10
-rw-r--r--dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch63
-rw-r--r--dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch31
-rw-r--r--dev-qt/qtgui/qtgui-4.8.6-r4.ebuild176
4 files changed, 279 insertions, 1 deletions
diff --git a/dev-qt/qtgui/ChangeLog b/dev-qt/qtgui/ChangeLog
index f1e0dabd8108..81b12991c088 100644
--- a/dev-qt/qtgui/ChangeLog
+++ b/dev-qt/qtgui/ChangeLog
@@ -1,6 +1,14 @@
# ChangeLog for dev-qt/qtgui
# Copyright 1999-2015 Gentoo Foundation; Distributed under the GPL v2
-# $Header: /var/cvsroot/gentoo-x86/dev-qt/qtgui/ChangeLog,v 1.78 2015/05/07 07:48:24 yngwin Exp $
+# $Header: /var/cvsroot/gentoo-x86/dev-qt/qtgui/ChangeLog,v 1.79 2015/05/07 08:31:30 yngwin Exp $
+
+*qtgui-4.8.6-r4 (07 May 2015)
+
+ 07 May 2015; Ben de Groot <yngwin@gentoo.org>
+ +files/qtgui-4.8.6-CVE-2015-1858.patch,
+ +files/qtgui-4.8.6-CVE-2015-1860.patch, +qtgui-4.8.6-r4.ebuild:
+ Apply upstream patches for bug #546174. Fixes CVE-2015-1858, CVE-2015-1859,
+ CVE-2015-1860.
*qtgui-4.8.6-r3 (07 May 2015)
diff --git a/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch b/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch
new file mode 100644
index 000000000000..c1aac444a644
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1858.patch
@@ -0,0 +1,63 @@
+From 3e55cd6dc467303a3c35312e9fcb255c2c048b32 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed, 11 Mar 2015 13:34:01 +0100
+Subject: Fixes crash in bmp and ico image decoding
+
+Fuzzing test revealed that for certain malformed bmp and ico files,
+the handler would segfault.
+
+Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+(cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078)
+Reviewed-by: Richard J. Moore <rich@kde.org>
+---
+ src/gui/image/qbmphandler.cpp | 13 +++++++------
+ src/plugins/imageformats/ico/qicohandler.cpp | 2 +-
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index 30fa9e0..17a880b 100644
+--- a/src/gui/image/qbmphandler.cpp
++++ b/src/gui/image/qbmphandler.cpp
+@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ p = data + (h-y-1)*bpl;
+ break;
+ case 2: // delta (jump)
+- // Protection
+- if ((uint)x >= (uint)w)
+- x = w-1;
+- if ((uint)y >= (uint)h)
+- y = h-1;
+-
+ {
+ quint8 tmp;
+ d->getChar((char *)&tmp);
+@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+ d->getChar((char *)&tmp);
+ y += tmp;
+ }
++
++ // Protection
++ if ((uint)x >= (uint)w)
++ x = w-1;
++ if ((uint)y >= (uint)h)
++ y = h-1;
++
+ p = data + (h-y-1)*bpl + x;
+ break;
+ default: // absolute mode
+diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
+index 1a88605..3c34765 100644
+--- a/src/plugins/imageformats/ico/qicohandler.cpp
++++ b/src/plugins/imageformats/ico/qicohandler.cpp
+@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
+ QImage::Format format = QImage::Format_ARGB32;
+ if (icoAttrib.nbits == 24)
+ format = QImage::Format_RGB32;
+- else if (icoAttrib.ncolors == 2)
++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+ format = QImage::Format_Mono;
+ else if (icoAttrib.ncolors > 0)
+ format = QImage::Format_Indexed8;
+--
+cgit v0.11.0
+
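Review bot: The relocated `// Protection` clamp in the `case 2: // delta (jump)` branch of read_dib_body does not say why it must come after `x` and `y` are advanced, and the backport's diffstat lists only the two source files, so no test would catch a later cleanup that moves it back above the reads. I would expand the comment to something like `// Protection: clamp after applying the delta, because p is computed from x and y just below`. The clamp also keeps decoding a malformed delta at the last column or row instead of failing, which looks like intended lenient behaviour but gives a valid offset only if `w` and `h` are positive. Any such check would be outside this hunk, so it is worth confirming. read_dib_body starts and ends outside the hunk.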
diff --git a/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch b/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch
new file mode 100644
index 000000000000..d881db8d5b86
--- /dev/null
+++ b/dev-qt/qtgui/files/qtgui-4.8.6-CVE-2015-1860.patch
@@ -0,0 +1,31 @@
+From a1cf194c54be57d6ab55dfd26b9562a60532208e Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed, 11 Mar 2015 09:00:41 +0100
+Subject: Fixes crash in gif image decoder
+
+Fuzzing test revealed that for certain malformed gif files,
+qgifhandler would segfault.
+
+Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
+(cherry picked from qtbase/ea2c5417fcd374302f5019e67f72af5facbd29f6)
+Reviewed-by: Richard J. Moore <rich@kde.org>
+---
+ src/gui/image/qgifhandler.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
+index 5199dd3..49aa2a6 100644
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co
+
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
++ if (out_of_bounds)
++ return;
+ int my;
+ switch (interlace) {
+ case 0: // Non-interlaced
+--
+cgit v0.11.0
+
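Review bot: The new `if (out_of_bounds) return;` at the top of QGIFFormat::nextY has no comment, and the hunk does not show where `out_of_bounds` is set or cleared, so a reader cannot tell which writes the guard is meant to prevent. A short comment would help, for example `// Frame was flagged as not fitting the image: do not fill or advance rows`, with the wording checked against the place where the flag is assigned. It is also worth confirming that the flag is re-evaluated for every frame, so that one bad frame does not suppress row handling for later valid ones; that cannot be determined from the lines shown. nextY's body continues outside the hunk.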
diff --git a/dev-qt/qtgui/qtgui-4.8.6-r4.ebuild b/dev-qt/qtgui/qtgui-4.8.6-r4.ebuild
new file mode 100644
index 000000000000..e6b31f3074f6
--- /dev/null
+++ b/dev-qt/qtgui/qtgui-4.8.6-r4.ebuild
@@ -0,0 +1,176 @@
+# Copyright 1999-2015 Gentoo Foundation
+# Distributed under the terms of the GNU General Public License v2
+# $Header: /var/cvsroot/gentoo-x86/dev-qt/qtgui/qtgui-4.8.6-r4.ebuild,v 1.1 2015/05/07 08:31:30 yngwin Exp $
+
+EAPI=5
+
+inherit eutils qt4-build-multilib
+
+DESCRIPTION="The GUI module for the Qt toolkit"
+SRC_URI+=" http://dev.gentoo.org/~pesa/patches/${PN}-systemtrayicon-plugin-system.patch"
+
+if [[ ${QT4_BUILD_TYPE} == live ]]; then
+ KEYWORDS=""
+else
+ KEYWORDS="~alpha ~amd64 ~arm ~arm64 ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~x64-solaris ~x86-solaris"
+fi
+
+IUSE="+accessibility cups egl +glib gtkstyle mng nas nis qt3support tiff trace xinerama +xv"
+
+REQUIRED_USE="
+ gtkstyle? ( glib )
+"
+
+# cairo[-qt4] is needed because of bug 454066
+RDEPEND="
+ app-eselect/eselect-qtgraphicssystem
+ ~dev-qt/qtcore-${PV}[aqua=,debug=,glib=,qt3support=,${MULTILIB_USEDEP}]
+ ~dev-qt/qtscript-${PV}[aqua=,debug=,${MULTILIB_USEDEP}]
+ >=media-libs/fontconfig-2.10.2-r1[${MULTILIB_USEDEP}]
+ >=media-libs/freetype-2.4.11-r1:2[${MULTILIB_USEDEP}]
+ media-libs/libpng:0=[${MULTILIB_USEDEP}]
+ >=sys-libs/zlib-1.2.8-r1[${MULTILIB_USEDEP}]
+ virtual/jpeg:0[${MULTILIB_USEDEP}]
+ !aqua? (
+ >=x11-libs/libICE-1.0.8-r1[${MULTILIB_USEDEP}]
+ >=x11-libs/libSM-1.2.1-r1[${MULTILIB_USEDEP}]
+ >=x11-libs/libX11-1.5.0-r1[${MULTILIB_USEDEP}]
+ >=x11-libs/libXcursor-1.1.13-r1[${MULTILIB_USEDEP}]
+ >=x11-libs/libXext-1.3.1-r1[${MULTILIB_USEDEP}]
+ >=x11-libs/libXfixes-5.0-r1[${MULTILIB_USEDEP}]
+ >=x11-libs/libXi-1.6.2-r1[${MULTILIB_USEDEP}]
+ >=x11-libs/libXrandr-1.4.0-r1[${MULTILIB_USEDEP}]
+ >=x11-libs/libXrender-0.9.7-r1[${MULTILIB_USEDEP}]
+ xinerama? ( >=x11-libs/libXinerama-1.1.2-r1[${MULTILIB_USEDEP}] )
+ xv? ( >=x11-libs/libXv-1.0.7-r1[${MULTILIB_USEDEP}] )
+ )
+ cups? ( net-print/cups[${MULTILIB_USEDEP}] )
+ egl? ( media-libs/mesa[egl,${MULTILIB_USEDEP}] )
+ glib? ( dev-libs/glib:2[${MULTILIB_USEDEP}] )
+ gtkstyle? (
+ >=x11-libs/cairo-1.12[-qt4(-),${MULTILIB_USEDEP}]
+ >=x11-libs/gtk+-2.24.23-r1:2[aqua=,${MULTILIB_USEDEP}]
+ )
+ mng? ( >=media-libs/libmng-1.0.10-r2:=[${MULTILIB_USEDEP}] )
+ nas? ( >=media-libs/nas-1.9.3-r1[${MULTILIB_USEDEP}] )
+ tiff? ( >=media-libs/tiff-4.0.3-r2:0[${MULTILIB_USEDEP}] )
+ !<dev-qt/qthelp-4.8.5:4
+"
+DEPEND="${RDEPEND}
+ !aqua? (
+ >=x11-proto/inputproto-2.2-r1[${MULTILIB_USEDEP}]
+ >=x11-proto/xextproto-7.2.1-r1[${MULTILIB_USEDEP}]
+ xinerama? ( >=x11-proto/xineramaproto-1.2.1-r1[${MULTILIB_USEDEP}] )
+ xv? ( >=x11-proto/videoproto-2.3.1-r1[${MULTILIB_USEDEP}] )
+ )
+"
+PDEPEND="
+ qt3support? ( ~dev-qt/qt3support-${PV}[aqua=,debug=,${MULTILIB_USEDEP}] )
+"
+
+PATCHES=(
+ "${DISTDIR}/${PN}-systemtrayicon-plugin-system.patch" # bug 503880
+ "${FILESDIR}/${PN}-4.7.3-cups.patch" # bug 323257
+ "${FILESDIR}/${PN}-4.8.5-cleanlooks-floating-point-exception.patch" # bug 507124
+ "${FILESDIR}/${PN}-4.8.5-disable-gtk-theme-check.patch" # bug 491226
+ "${FILESDIR}/${PN}-4.8.5-dont-crash-on-broken-GIF-images.patch" # bug 508984
+ "${FILESDIR}/${PN}-4.8.5-qclipboard-delay.patch" # bug 514968
+ "${FILESDIR}/${PN}-4.8.5-CVE-2015-0295.patch" # bug 541972
+ "${FILESDIR}/${PN}-4.8.6-CVE-2015-1858.patch" # bug 546174 - also covers CVE-2015-1859
+ "${FILESDIR}/${PN}-4.8.6-CVE-2015-1860.patch" # bug 546174
+)
+
+QT4_TARGET_DIRECTORIES="
+ src/gui
+ src/scripttools
+ src/plugins/imageformats/gif
+ src/plugins/imageformats/ico
+ src/plugins/imageformats/jpeg
+ src/plugins/imageformats/tga
+ src/plugins/inputmethods"
+
+pkg_setup() {
+ use accessibility && QT4_TARGET_DIRECTORIES+=" src/plugins/accessible/widgets"
+ use mng && QT4_TARGET_DIRECTORIES+=" src/plugins/imageformats/mng"
+ use tiff && QT4_TARGET_DIRECTORIES+=" src/plugins/imageformats/tiff"
+ use trace && QT4_TARGET_DIRECTORIES+=" src/plugins/graphicssystems/trace tools/qttracereplay"
+
+ [[ ${CHOST} != *-darwin* ]] && QT4_TARGET_DIRECTORIES+=" tools/qtconfig"
+
+ QCONFIG_ADD="
+ mitshm tablet x11sm xcursor xfixes xinput xkb xrandr xrender xshape xsync
+ fontconfig system-freetype gif png system-png jpeg system-jpeg
+ $(usev accessibility)
+ $(usev cups)
+ $(use mng && echo system-mng)
+ $(usev nas)
+ $(usev nis)
+ $(use tiff && echo system-tiff)
+ $(usev xinerama)
+ $(use xv && echo xvideo)"
+ QCONFIG_REMOVE="no-freetype no-gif no-jpeg no-png no-gui"
+ QCONFIG_DEFINE="$(use accessibility && echo QT_ACCESSIBILITY)
+ $(use cups && echo QT_CUPS)
+ $(use egl && echo QT_EGL)
+ QT_FONTCONFIG QT_FREETYPE
+ $(use gtkstyle && echo QT_STYLE_GTK)
+ QT_IMAGEFORMAT_JPEG QT_IMAGEFORMAT_PNG
+ $(use mng && echo QT_IMAGEFORMAT_MNG)
+ $(use nas && echo QT_NAS)
+ $(use nis && echo QT_NIS)
+ $(use tiff && echo QT_IMAGEFORMAT_TIFF)
+ QT_SESSIONMANAGER QT_SHAPE QT_TABLET QT_XCURSOR QT_XFIXES
+ $(use xinerama && echo QT_XINERAMA)
+ QT_XINPUT QT_XKB QT_XRANDR QT_XRENDER QT_XSYNC
+ $(use xv && echo QT_XVIDEO)"
+}
+
+src_prepare() {
+ qt4-build-multilib_src_prepare
+
+ # Add -xvideo to the list of accepted configure options
+ sed -i -e 's:|-xinerama|:&-xvideo|:' configure || die
+}
+
+multilib_src_configure() {
+ local myconf=(
+ $(qt_use accessibility)
+ $(qt_use cups)
+ $(qt_use glib)
+ $(qt_use mng libmng system)
+ $(qt_use nas nas-sound system)
+ $(qt_use nis)
+ $(qt_use tiff libtiff system)
+ $(qt_use egl)
+ $(qt_use qt3support)
+ $(qt_use gtkstyle)
+ $(qt_use xinerama)
+ $(qt_use xv xvideo)
+ -system-libpng -system-libjpeg -system-zlib
+ -no-sql-mysql -no-sql-psql -no-sql-ibase -no-sql-sqlite -no-sql-sqlite2 -no-sql-odbc
+ -sm -xshape -xsync -xcursor -xfixes -xrandr -xrender -mitshm -xinput -xkb
+ -fontconfig -no-svg -no-webkit -no-phonon -no-opengl
+ $([[ ${CHOST} == *86*-apple-darwin* ]] && echo -no-ssse3) # bug 367045
+ )
+ qt4_multilib_src_configure
+}
+
+multilib_src_install_all() {
+ qt4_multilib_src_install_all
+
+ dodir /usr/share/qt4/graphicssystems
+ echo "default" > "${ED}"/usr/share/qt4/graphicssystems/raster || die
+ echo "" > "${ED}"/usr/share/qt4/graphicssystems/native || die
+
+ if has tools/qtconfig ${QT4_TARGET_DIRECTORIES}; then
+ newicon tools/qtconfig/images/appicon.png qtconfig.png
+ make_desktop_entry qtconfig 'Qt Configuration Tool' qtconfig 'Qt;Settings;DesktopSettings'
+ fi
+}
+
+pkg_postinst() {
+ qt4-build-multilib_pkg_postinst
+
+ # raster is the default graphicssystem, set it on first install
+ eselect qtgraphicssystem set raster --use-old
+}
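Review bot: `SRC_URI` near the top of the ebuild fetches `${PN}-systemtrayicon-plugin-system.patch` over plain `http://`, and `PATCHES` then applies that file to the source tree. Portage verifies distfiles against the Manifest digests, which limits tampering in transit, but the Manifest entry is not part of this diff. Using the TLS URI removes the dependence on that single check: `SRC_URI+=" https://dev.gentoo.org/~pesa/patches/${PN}-systemtrayicon-plugin-system.patch"`. The two new `PATCHES` entries are well annotated; the `# bug 546174 - also covers CVE-2015-1859` comment is the kind of mapping a later auditor needs.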