From d3ff7de51826fd8ea73021efdb9c3f7a98173014 Mon Sep 17 00:00:00 2001
From: hua_yadong
Date: Sat, 25 Nov 2023 13:07:12 +0800
Subject: [PATCH] qt-CVE-2023-37369
(cherry picked from commit d249b33a6d5aa2ce2cf835114e086169f64d6142)
---
qt-CVE-2023-37369.patch | 206 ++++++++++++++++++++++++++++++++++++++++
qt.spec | 9 +-
2 files changed, 214 insertions(+), 1 deletion(-)
create mode 100644 qt-CVE-2023-37369.patch
diff --git a/qt-CVE-2023-37369.patch b/qt-CVE-2023-37369.patch
new file mode 100644
index 0000000..c42b063
--- /dev/null
+++ b/qt-CVE-2023-37369.patch
@@ -0,0 +1,206 @@
+From 15000da32ac2c10a2bd81232df7708cdf40db7bc Mon Sep 17 00:00:00 2001
+From: hua_yadong
+Date: Sat, 25 Nov 2023 12:16:28 +0800
+Subject: [PATCH] qt-CVE-2023-37369
+
+---
+ src/corelib/xml/qxmlstream.cpp | 34 ++++++++++++++++++++++------------
+ src/corelib/xml/qxmlstream.g | 25 ++++++++++++++++++++++---
+ src/corelib/xml/qxmlstream_p.h | 25 ++++++++++++++++++++++---
+ 3 files changed, 66 insertions(+), 18 deletions(-)
+
+diff --git a/src/corelib/xml/qxmlstream.cpp b/src/corelib/xml/qxmlstream.cpp
+index 5ade4cf2..1621aea9 100644
+--- a/src/corelib/xml/qxmlstream.cpp
++++ b/src/corelib/xml/qxmlstream.cpp
+@@ -1329,7 +1329,9 @@ inline int QXmlStreamReaderPrivate::fastScanContentCharList()
+ return n;
+ }
+
+-inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
++// Fast scan an XML attribute name (e.g. "xml:lang").
++inline QXmlStreamReaderPrivate::FastScanNameResult
++QXmlStreamReaderPrivate::fastScanName(Value *val)
+ {
+ int n = 0;
+ ushort c;
+@@ -1361,23 +1363,23 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
+ case '+':
+ case '*':
+ putChar(c);
+- if (prefix && *prefix == n+1) {
+- *prefix = 0;
++ if (val && val->prefix == n + 1) {
++ val->prefix = 0;
+ putChar(':');
+ --n;
+ }
+- return n;
++ return FastScanNameResult(n);
+ case ':':
+- if (prefix) {
+- if (*prefix == 0) {
+- *prefix = n+2;
++ if (val) {
++ if (val->prefix == 0) {
++ val->prefix = n + 2;
+ } else { // only one colon allowed according to the namespace spec.
+ putChar(c);
+- return n;
++ return FastScanNameResult(n);
+ }
+ } else {
+ putChar(c);
+- return n;
++ return FastScanNameResult(n);
+ }
+ // fall through
+ default:
+@@ -1386,12 +1388,12 @@ inline int QXmlStreamReaderPrivate::fastScanName(int *prefix)
+ }
+ }
+
+- if (prefix)
+- *prefix = 0;
++ if (val)
++ val->prefix = 0;
+ int pos = textBuffer.size() - n;
+ putString(textBuffer, pos);
+ textBuffer.resize(pos);
+- return 0;
++ return FastScanNameResult(0);
+ }
+
+ enum NameChar { NameBeginning, NameNotBeginning, NotName };
+@@ -1898,6 +1900,14 @@ void QXmlStreamReaderPrivate::raiseWellFormedError(const QString &message)
+ raiseError(QXmlStreamReader::NotWellFormedError, message);
+ }
+
++void QXmlStreamReaderPrivate::raiseNamePrefixTooLongError()
++{
++ // TODO: add a ImplementationLimitsExceededError and use it instead
++ raiseError(QXmlStreamReader::NotWellFormedError,
++ QXmlStream::tr("Length of XML attribute name exceeds implemnetation limits (4KiB "
++ "characters)."));
++}
++
+ void QXmlStreamReaderPrivate::parseError()
+ {
+
+diff --git a/src/corelib/xml/qxmlstream.g b/src/corelib/xml/qxmlstream.g
+index 094183b8..9de293f4 100644
+--- a/src/corelib/xml/qxmlstream.g
++++ b/src/corelib/xml/qxmlstream.g
+@@ -492,7 +492,16 @@ public:
+ int fastScanLiteralContent();
+ int fastScanSpace();
+ int fastScanContentCharList();
+- int fastScanName(int *prefix = 0);
++
++ struct FastScanNameResult {
++ FastScanNameResult() : ok(false) {}
++ explicit FastScanNameResult(int len) : addToLen(len), ok(true) { }
++ operator bool() { return ok; }
++ int operator*() { Q_ASSERT(ok); return addToLen; }
++ int addToLen;
++ bool ok;
++ };
++ FastScanNameResult fastScanName(Value *val = NULL);
+ inline int fastScanNMTOKEN();
+
+
+@@ -501,6 +510,7 @@ public:
+
+ void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
+ void raiseWellFormedError(const QString &message);
++ void raiseNamePrefixTooLongError();
+
+ QXmlStreamEntityResolver *entityResolver;
+
+@@ -1784,7 +1794,12 @@ space_opt ::= space;
+ qname ::= LETTER;
+ /.
+ case $rule_number: {
+- sym(1).len += fastScanName(&sym(1).prefix);
++ Value &val = sym(1);
++ if (FastScanNameResult res = fastScanName(&val))
++ val.len += *res;
++ else
++ return false;
++
+ if (atEnd) {
+ resume($rule_number);
+ return false;
+@@ -1795,7 +1810,11 @@ qname ::= LETTER;
+ name ::= LETTER;
+ /.
+ case $rule_number:
+- sym(1).len += fastScanName();
++ if (FastScanNameResult res = fastScanName(&val))
++ sym(1).len += *res;
++ else
++ return false;
++
+ if (atEnd) {
+ resume($rule_number);
+ return false;
+diff --git a/src/corelib/xml/qxmlstream_p.h b/src/corelib/xml/qxmlstream_p.h
+index 055902a1..dcf2a7d9 100644
+--- a/src/corelib/xml/qxmlstream_p.h
++++ b/src/corelib/xml/qxmlstream_p.h
+@@ -997,7 +997,16 @@ public:
+ int fastScanLiteralContent();
+ int fastScanSpace();
+ int fastScanContentCharList();
+- int fastScanName(int *prefix = 0);
++
++ struct FastScanNameResult {
++ FastScanNameResult() : ok(false) {}
++ explicit FastScanNameResult(int len) : addToLen(len), ok(true) { }
++ operator bool() { return ok; }
++ int operator*() { Q_ASSERT(ok); return addToLen; }
++ int addToLen;
++ bool ok;
++ };
++ FastScanNameResult fastScanName(Value *val = NULL);
+ inline int fastScanNMTOKEN();
+
+
+@@ -1006,6 +1015,7 @@ public:
+
+ void raiseError(QXmlStreamReader::Error error, const QString& message = QString());
+ void raiseWellFormedError(const QString &message);
++ void raiseNamePrefixTooLongError();
+
+ QXmlStreamEntityResolver *entityResolver;
+
+@@ -1928,7 +1938,12 @@ bool QXmlStreamReaderPrivate::parse()
+ break;
+
+ case 262: {
+- sym(1).len += fastScanName(&sym(1).prefix);
++ Value &val = sym(1);
++ if (FastScanNameResult res = fastScanName(&val))
++ val.len += *res;
++ else
++ return false;
++
+ if (atEnd) {
+ resume(262);
+ return false;
+@@ -1936,7 +1951,11 @@ bool QXmlStreamReaderPrivate::parse()
+ } break;
+
+ case 263:
+- sym(1).len += fastScanName();
++ if
(FastScanNameResult res = fastScanName())
++ sym(1).len += *res;
++ else
++ return false;
++
+ if (atEnd) {
+ resume(263);
+ return false;
+--
+2.41.0
+
diff --git a/qt.spec b/qt.spec
index 9c2f3d0..29a2ce6 100644
--- a/qt.spec
+++ b/qt.spec
@@ -13,7 +13,7 @@ Name: qt
Epoch: 1
Version: 4.8.7
-Release: 56
+Release: 57
Summary: A software toolkit for developing applications
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
URL: http://qt-project.org/
@@ -86,6 +86,7 @@ Patch6006: CVE-2020-0570.patch
Patch6007: CVE-2023-32573.patch
Patch6008: qt-CVE-2023-34410.patch
Patch6009: qt-CVE-2023-38197.patch
+Patch6010: qt-CVE-2023-37369.patch
BuildRequires: cups-devel desktop-file-utils gcc-c++ libjpeg-devel findutils libmng-devel libtiff-devel pkgconfig pkgconfig(alsa)
BuildRequires: pkgconfig(dbus-1) pkgconfig(fontconfig) pkgconfig(glib-2.0) pkgconfig(icu-i18n) openssl-devel pkgconfig(libpng)
@@ -466,6 +467,12 @@ fi
%{_qt4_prefix}/examples/
%changelog
+* Sat Nov 25 2023 hua_yadong - 1:4.8.7-57
+- Type:cves
+- ID:CVE-2023-37369
+- SUG:NA
+- DESC:fix CVE-2023-37369
+
* Fri Nov 24 2023 hua_yadong - 1:4.8.7-56
- Type:cves
- ID:CVE-2023-38197
--
Gitee
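Review bot: The `raiseNamePrefixTooLongError()` added in the qxmlstream.cpp hunk at 1900 is never called, and every return in `fastScanName` (hunks at 1363 and 1388) still yields a successful `FastScanNameResult(n)` or `FastScanNameResult(0)`, so the new `else return false;` branches in the `qname`/`name` actions and in `parse()` cases 262/263 are unreachable and no name-length bound is actually enforced — the plumbing for the fix is present but the check itself is missing. The bound belongs at the top of the scanning loop in `fastScanName`, whose loop head lies outside the hunk; the sketch below shows it, with the cut-off taken from the 4KiB limit the `tr()` message already states. Separately, the `name ::= LETTER` action in qxmlstream.g calls `fastScanName(&val)` although `val` is only declared inside the braced `qname` action, while the generated `case 263` in qxmlstream_p.h calls `fastScanName()`; the grammar line should read `if (FastScanNameResult res = fastScanName())` so the .g file and the generated parser agree and regenerating does not break the build. The user-visible string also misspells "implementation" as `implemnetation`; fixing it before it is frozen into translations is cheap.
```cpp
// QXmlStreamReaderPrivate::fastScanName(Value *val) — loop head is outside the hunk;
// at the top of each scan iteration, before reading the next character:
    if (n >= 4096) {
        // Bound the name length (the tr() message promises 4KiB) so the
        // failure path the callers now test for is actually reachable.
        raiseNamePrefixTooLongError();
        return FastScanNameResult();
    }
    // … unchanged: switch on c ('+', '*', ':' cases) …
```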