diff options
| author |   Ionen Wolkens <ionen@gentoo.org> | 2024-01-03 10:17:28 -0500 |
|---|---|---|
| committer | Ionen Wolkens <ionen@gentoo.org> | 2024-01-03 10:51:37 -0500 |
| commit | 68e098de62a63945f1549ec7700c0704f759756a (patch) | |
| tree | 464a65a5a3e184be4ca3956fcd17c28d0f098f47 /dev-qt/qtbase/files | |
| parent | sci-mathematics/cgal: add 5.6 (diff) | |
| download | gentoo-68e098de62a63945f1549ec7700c0704f759756a.tar.gz gentoo-68e098de62a63945f1549ec7700c0704f759756a.tar.bz2 gentoo-68e098de62a63945f1549ec7700c0704f759756a.zip | |
dev-qt/qtbase: backport CVE-2023-51714 HTTP2 fix
Still pending stable, which won't need to wait long.
Bug: https://bugs.gentoo.org/921292
Signed-off-by: Ionen Wolkens <ionen@gentoo.org>
Diffstat (limited to 'dev-qt/qtbase/files')
| -rw-r--r-- | dev-qt/qtbase/files/qtbase-6.6.1-CVE-2023-51714.patch | 55 |
1 files changed, 55 insertions, 0 deletions
diff --git a/dev-qt/qtbase/files/qtbase-6.6.1-CVE-2023-51714.patch b/dev-qt/qtbase/files/qtbase-6.6.1-CVE-2023-51714.patch new file mode 100644 index 000000000000..8d2b0e74ad08 --- /dev/null +++ b/dev-qt/qtbase/files/qtbase-6.6.1-CVE-2023-51714.patch @@ -0,0 +1,55 @@ +Combination of the two patches [1][2] for CVE-2023-51714[3], +fixed in upcoming qtbase-6.6.2. + +https://bugs.gentoo.org/921292 + +[1] https://codereview.qt-project.org/c/qt/qtbase/+/525295 +[2] https://codereview.qt-project.org/c/qt/qtbase/+/525297 +[3] https://lists.qt-project.org/pipermail/announce/2024-January/000465.html + +From 13c16b756900fe524f6d9534e8a07aa003c05e0c Mon Sep 17 00:00:00 2001 +From: Marc Mutz <marc.mutz@qt.io> +Date: Tue, 12 Dec 2023 20:51:56 +0100 +Subject: [PATCH] HPack: fix a Yoda Condition + +Putting the variable on the LHS of a relational operation makes the +expression easier to read. In this case, we find that the whole +expression is nonsensical as an overflow protection, because if +name.size() + value.size() overflows, the result will exactly _not_ +be > max() - 32, because UB will have happened. + +To be fixed in a follow-up commit. + +As a drive-by, add parentheses around the RHS. + +From 811b9eef6d08d929af8708adbf2a5effb0eb62d7 Mon Sep 17 00:00:00 2001 +From: Marc Mutz <marc.mutz@qt.io> +Date: Tue, 12 Dec 2023 22:08:07 +0100 +Subject: [PATCH] HPack: fix incorrect integer overflow check + +This code never worked: + +For the comparison with max() - 32 to trigger, on 32-bit platforms (or +Qt 5) signed interger overflow would have had to happen in the +addition of the two sizes. The compiler can therefore remove the +overflow check as dead code. + +On Qt 6 and 64-bit platforms, the signed integer addition would be +very unlikely to overflow, but the following truncation to uint32 +would yield the correct result only in a narrow 32-value window just +below UINT_MAX, if even that. + +Fix by using the proper tool, qAddOverflow. +--- a/src/network/access/http2/hpacktable.cpp ++++ b/src/network/access/http2/hpacktable.cpp +@@ -27,6 +27,8 @@ + // 32 octets of overhead." + +- const unsigned sum = unsigned(name.size() + value.size()); +- if (std::numeric_limits<unsigned>::max() - 32 < sum) ++ size_t sum; ++ if (qAddOverflow(size_t(name.size()), size_t(value.size()), &sum)) ++ return HeaderSize(); ++ if (sum > (std::numeric_limits<unsigned>::max() - 32)) + return HeaderSize(); + return HeaderSize(true, quint32(sum + 32)); |