From: Raphael Kubo da Costa
Date: Wed, 15 Apr 2015 18:17:17 +0000 (UTC)
To: ports-committers@freebsd.org, svn-ports-all@freebsd.org, svn-ports-branches@freebsd.org
Subject: svn commit: r384065 - in branches/2015Q2: graphics/qt4-imageformats graphics/qt4-imageformats/files x11-toolkits/qt4-gui x11-toolkits/qt4-gui/files x11-toolkits/qt5-gui x11-toolkits/qt5-gui/files
List-Id: SVN commit messages for all the branches of the ports tree

Author: rakuco
Date: Wed Apr 15 18:17:16 2015
New Revision: 384065
URL: https://svnweb.freebsd.org/changeset/ports/384065

Log:
  MFH: r383986

  Add patches for CVE-2015-1858, CVE-2015-1859 and CVE-2015-1860.

  Multiple vulnerabilities in Qt image format handling.
  Security:	5713bfda-e27d-11e4-b2ce-5453ed2e2b49
  Approved by:	ports-secteam (delphij)

Added:
  branches/2015Q2/graphics/qt4-imageformats/files/patch-CVE-2015-1858
     - copied unchanged from r383986, head/graphics/qt4-imageformats/files/patch-CVE-2015-1858
  branches/2015Q2/graphics/qt4-imageformats/files/patch-CVE-2015-1859
     - copied unchanged from r383986, head/graphics/qt4-imageformats/files/patch-CVE-2015-1859
  branches/2015Q2/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859
     - copied unchanged from r383986, head/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859
  branches/2015Q2/x11-toolkits/qt5-gui/files/patch-CVE-2015-1858
     - copied unchanged from r383986, head/x11-toolkits/qt5-gui/files/patch-CVE-2015-1858
  branches/2015Q2/x11-toolkits/qt5-gui/files/patch-CVE-2015-1859
     - copied unchanged from r383986, head/x11-toolkits/qt5-gui/files/patch-CVE-2015-1859
Modified:
  branches/2015Q2/graphics/qt4-imageformats/Makefile
  branches/2015Q2/x11-toolkits/qt4-gui/Makefile
  branches/2015Q2/x11-toolkits/qt5-gui/Makefile
Directory Properties:
  branches/2015Q2/   (props changed)

Modified: branches/2015Q2/graphics/qt4-imageformats/Makefile ============================================================================== --- branches/2015Q2/graphics/qt4-imageformats/Makefile Wed Apr 15 17:09:42 2015 (r384064) +++ branches/2015Q2/graphics/qt4-imageformats/Makefile Wed Apr 15 18:17:16 2015 (r384065) @@ -3,7 +3,7 @@ PORTNAME= imageformats DISTVERSION= ${QT4_VERSION} -PORTREVISION= 2 +PORTREVISION= 3 CATEGORIES= graphics PKGNAMEPREFIX= qt4- Copied: branches/2015Q2/graphics/qt4-imageformats/files/patch-CVE-2015-1858 (from r383986, head/graphics/qt4-imageformats/files/patch-CVE-2015-1858) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q2/graphics/qt4-imageformats/files/patch-CVE-2015-1858 Wed Apr 15 18:17:16 2015 (r384065, copy of r383986, head/graphics/qt4-imageformats/files/patch-CVE-2015-1858)
@@ -0,0 +1,24 @@ +commit a1cf194c54be57d6ab55dfd26b9562a60532208e +Author: Eirik Aavitsland +Date: Wed Mar 11 09:00:41 2015 +0100 + + Fixes crash in gif image decoder + + Fuzzing test revealed that for certain malformed gif files, + qgifhandler would segfault. + + Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1 + (cherry picked from qtbase/ea2c5417fcd374302f5019e67f72af5facbd29f6) + Reviewed-by: Richard J. Moore + +--- src/gui/image/qgifhandler.cpp ++++ src/gui/image/qgifhandler.cpp +@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co + + void QGIFFormat::nextY(unsigned char *bits, int bpl) + { ++ if (out_of_bounds) ++ return; + int my; + switch (interlace) { + case 0: // Non-interlaced Copied: branches/2015Q2/graphics/qt4-imageformats/files/patch-CVE-2015-1859 (from r383986, head/graphics/qt4-imageformats/files/patch-CVE-2015-1859) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q2/graphics/qt4-imageformats/files/patch-CVE-2015-1859 Wed Apr 15 18:17:16 2015 (r384065, copy of r383986, head/graphics/qt4-imageformats/files/patch-CVE-2015-1859) 
@@ -0,0 +1,53 @@ +commit 3e55cd6dc467303a3c35312e9fcb255c2c048b32 +Author: Eirik Aavitsland +Date: Wed Mar 11 13:34:01 2015 +0100 + + Fixes crash in bmp and ico image decoding + + Fuzzing test revealed that for certain malformed bmp and ico files, + the handler would segfault. + + Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe + (cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078) + Reviewed-by: Richard J. Moore + +--- src/gui/image/qbmphandler.cpp ++++ src/gui/image/qbmphandler.cpp +@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int + p = data + (h-y-1)*bpl; + break; + case 2: // delta (jump) +- // Protection +- if ((uint)x >= (uint)w) +- x = w-1; +- if ((uint)y >= (uint)h) +- y = h-1; +- + { + quint8 tmp; + d->getChar((char *)&tmp); +@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int + d->getChar((char *)&tmp); + y += tmp; + } ++ ++ // Protection ++ if ((uint)x >= (uint)w) ++ x = w-1; ++ if ((uint)y >= (uint)h) ++ y = h-1; ++ + p = data + (h-y-1)*bpl + x; + break; + default: // absolute mode +--- src/plugins/imageformats/ico/qicohandler.cpp ++++ src/plugins/imageformats/ico/qicohandler.cpp +@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index) + QImage::Format format = QImage::Format_ARGB32; + if (icoAttrib.nbits == 24) + format = QImage::Format_RGB32; +- else if (icoAttrib.ncolors == 2) ++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1) + format = QImage::Format_Mono; + else if (icoAttrib.ncolors > 0) + format = QImage::Format_Indexed8; Modified: branches/2015Q2/x11-toolkits/qt4-gui/Makefile ============================================================================== --- branches/2015Q2/x11-toolkits/qt4-gui/Makefile Wed Apr 15 17:09:42 2015 (r384064) +++ branches/2015Q2/x11-toolkits/qt4-gui/Makefile Wed Apr 15 18:17:16 2015 (r384065) 
@@ -3,7 +3,7 @@ PORTNAME= gui DISTVERSION= ${QT4_VERSION} -PORTREVISION= 4 +PORTREVISION= 5 CATEGORIES= x11-toolkits PKGNAMEPREFIX= qt4- Copied: branches/2015Q2/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859 (from r383986, head/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q2/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859 Wed Apr 15 18:17:16 2015 (r384065, copy of r383986, head/x11-toolkits/qt4-gui/files/patch-CVE-2015-1859) 
@@ -0,0 +1,53 @@ +commit 3e55cd6dc467303a3c35312e9fcb255c2c048b32 +Author: Eirik Aavitsland +Date: Wed Mar 11 13:34:01 2015 +0100 + + Fixes crash in bmp and ico image decoding + + Fuzzing test revealed that for certain malformed bmp and ico files, + the handler would segfault. + + Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe + (cherry picked from qtbase/2adbbae5432aa9d8cc41c6fcf55c2e310d2d4078) + Reviewed-by: Richard J. Moore + +--- src/gui/image/qbmphandler.cpp ++++ src/gui/image/qbmphandler.cpp +@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int + p = data + (h-y-1)*bpl; + break; + case 2: // delta (jump) +- // Protection +- if ((uint)x >= (uint)w) +- x = w-1; +- if ((uint)y >= (uint)h) +- y = h-1; +- + { + quint8 tmp; + d->getChar((char *)&tmp); +@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int + d->getChar((char *)&tmp); + y += tmp; + } ++ ++ // Protection ++ if ((uint)x >= (uint)w) ++ x = w-1; ++ if ((uint)y >= (uint)h) ++ y = h-1; ++ + p = data + (h-y-1)*bpl + x; + break; + default: // absolute mode +--- src/plugins/imageformats/ico/qicohandler.cpp ++++ src/plugins/imageformats/ico/qicohandler.cpp +@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index) + QImage::Format format = QImage::Format_ARGB32; + if (icoAttrib.nbits == 24) + format = QImage::Format_RGB32; +- else if (icoAttrib.ncolors == 2) ++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1) + format = QImage::Format_Mono; + else if (icoAttrib.ncolors > 0) + format = QImage::Format_Indexed8; Modified: branches/2015Q2/x11-toolkits/qt5-gui/Makefile ============================================================================== --- branches/2015Q2/x11-toolkits/qt5-gui/Makefile Wed Apr 15 17:09:42 2015 (r384064) +++ branches/2015Q2/x11-toolkits/qt5-gui/Makefile Wed Apr 15 18:17:16 2015 (r384065) 
@@ -2,6 +2,7 @@ PORTNAME= gui DISTVERSION= ${QT5_VERSION} +PORTREVISION= 1 CATEGORIES= x11-toolkits graphics PKGNAMEPREFIX= qt5- Copied: branches/2015Q2/x11-toolkits/qt5-gui/files/patch-CVE-2015-1858 (from r383986, head/x11-toolkits/qt5-gui/files/patch-CVE-2015-1858) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q2/x11-toolkits/qt5-gui/files/patch-CVE-2015-1858 Wed Apr 15 18:17:16 2015 (r384065, copy of r383986, head/x11-toolkits/qt5-gui/files/patch-CVE-2015-1858) @@ -0,0 +1,23 @@ +commit d3048a29797ee2d80d84bbda26bb3c954584f332 +Author: Eirik Aavitsland +Date: Wed Mar 11 09:00:41 2015 +0100 + + Fixes crash in gif image decoder + + Fuzzing test revealed that for certain malformed gif files, + qgifhandler would segfault. + + Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1 + Reviewed-by: Richard J. Moore + +--- src/gui/image/qgifhandler.cpp ++++ src/gui/image/qgifhandler.cpp +@@ -936,6 +936,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co + + void QGIFFormat::nextY(unsigned char *bits, int bpl) + { ++ if (out_of_bounds) ++ return; + int my; + switch (interlace) { + case 0: // Non-interlaced Copied: branches/2015Q2/x11-toolkits/qt5-gui/files/patch-CVE-2015-1859 (from r383986, head/x11-toolkits/qt5-gui/files/patch-CVE-2015-1859) ============================================================================== --- /dev/null 00:00:00 1970 (empty, because file is newly added) +++ branches/2015Q2/x11-toolkits/qt5-gui/files/patch-CVE-2015-1859 Wed Apr 15 18:17:16 2015 (r384065, copy of r383986, head/x11-toolkits/qt5-gui/files/patch-CVE-2015-1859) 
@@ -0,0 +1,52 @@ +commit 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe +Author: Eirik Aavitsland +Date: Wed Mar 11 13:34:01 2015 +0100 + + Fixes crash in bmp and ico image decoding + + Fuzzing test revealed that for certain malformed bmp and ico files, + the handler would segfault. + + Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe + Reviewed-by: Lars Knoll + +--- src/gui/image/qbmphandler.cpp ++++ src/gui/image/qbmphandler.cpp +@@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int + p = data + (h-y-1)*bpl; + break; + case 2: // delta (jump) +- // Protection +- if ((uint)x >= (uint)w) +- x = w-1; +- if ((uint)y >= (uint)h) +- y = h-1; +- + { + quint8 tmp; + d->getChar((char *)&tmp); +@@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int + d->getChar((char *)&tmp); + y += tmp; + } ++ ++ // Protection ++ if ((uint)x >= (uint)w) ++ x = w-1; ++ if ((uint)y >= (uint)h) ++ y = h-1; ++ + p = data + (h-y-1)*bpl + x; + break; + default: // absolute mode +--- src/plugins/imageformats/ico/qicohandler.cpp ++++ src/plugins/imageformats/ico/qicohandler.cpp +@@ -567,7 +567,7 @@ QImage ICOReader::iconAt(int index) + QImage::Format format = QImage::Format_ARGB32; + if (icoAttrib.nbits == 24) + format = QImage::Format_RGB32; +- else if (icoAttrib.ncolors == 2) ++ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1) + format = QImage::Format_Mono; + else if (icoAttrib.ncolors > 0) + format = QImage::Format_Indexed8;
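Review bot: The new `if (out_of_bounds) return;` at the top of `QGIFFormat::nextY` (the `@@ -944,6 +944,8 @@` hunk in the qt4-imageformats copy of patch-CVE-2015-1858 and the `@@ -936,6 +936,8 @@` hunk in the qt5-gui copy) stops the row advance once the decoder has already run past the frame, but it is a silent no-op: nothing in the hunk turns `out_of_bounds` into a decode failure, so a malformed file yields a truncated image rather than an error. Worth confirming that the caller of `nextY` already checks `out_of_bounds` and fails the read, and a one-line comment above the guard saying why it is there would help, since the commit message only says "would segfault". The qt4 copy records a cherry-pick from qtbase/ea2c5417fcd374302f5019e67f72af5facbd29f6 while the qt5 copy carries no cherry-pick line; the identical Change-Id suggests they are the same upstream change, which is what matters for tracking.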
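Review bot: Moving the `// Protection` clamp in `read_dib_body` (the `@@ -478,12 +478,6 @@` and `@@ -491,6 +485,13 @@` hunks in patch-CVE-2015-1859, and the `-484`/`-497` hunks in the qt5-gui copy) is the right fix: before, `x` and `y` were clamped and only then had `tmp` added, so `p = data + (h-y-1)*bpl + x` was computed from unclamped post-delta values; clamping after `y += tmp` puts the check on the values actually used to form the pointer. Two things to consider: clamping to `w-1`/`h-1` silently accepts a delta that leaves the image and keeps decoding, while `read_dib_body` returns `bool`, so returning false for an out-of-range delta would report the malformed file instead of producing a plausible-looking but wrong image; and the `(uint)` casts also reject negative `x`/`y`, which the bare `// Protection` comment does not say and could.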
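Review bot: In `ICOReader::iconAt` (the `@@ -571,7 +571,7 @@` hunk in patch-CVE-2015-1859, `@@ -567,7 +567,7 @@` in the qt5-gui copy), adding `&& icoAttrib.depth == 1` means an entry that declares two colours but a deeper bit depth now falls through to the `ncolors > 0` branch and is read as Format_Indexed8 instead of Format_Mono, presumably the header mismatch behind the segfault the commit message mentions. The surrounding code tests `nbits` for the 24-bit case and `depth` here, so a comment on how the two fields are expected to relate would help, since a disagreement between them is exactly what a malformed header supplies. Separately, the log names CVE-2015-1858, CVE-2015-1859 and CVE-2015-1860 but only patch-CVE-2015-1858 and patch-CVE-2015-1859 files are added; if the ico hunk inside patch-CVE-2015-1859 is the third fix, the log or a header comment in the patch file should say so. Finally, qt4-gui and qt4-imageformats carry the same two-file patch (src/gui/image/qbmphandler.cpp and src/plugins/imageformats/ico/qicohandler.cpp), so each port's WRKSRC must contain both paths for the patch to apply cleanly.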