From: "orbea" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "orbea" Message-ID: <1686248926.7ec6da79c2bf3f753580a6b311fc1d22fae8fa9e.orbea@gentoo> Subject: [gentoo-commits] repo/proj/libressl:master commit in: dev-qt/qtbase/, dev-qt/qtbase/files/ X-VCS-Repository: repo/proj/libressl X-VCS-Files: dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch dev-qt/qtbase/qtbase-6.5.0-r2.ebuild dev-qt/qtbase/qtbase-6.5.0-r3.ebuild X-VCS-Directories: dev-qt/qtbase/ dev-qt/qtbase/files/ X-VCS-Committer: orbea X-VCS-Committer-Name: orbea X-VCS-Revision: 7ec6da79c2bf3f753580a6b311fc1d22fae8fa9e X-VCS-Branch: master Date: Thu, 8 Jun 2023 18:29:31 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: 6ab6d2f6-7f74-4418-993a-7b412f60f919 X-Archives-Hash: 0007408298a95324303bb1a60282bc95 commit: 7ec6da79c2bf3f753580a6b311fc1d22fae8fa9e Author: orbea riseup net> AuthorDate: Thu Jun 8 18:21:07 2023 +0000 Commit: orbea riseup net> CommitDate: Thu Jun 8 18:28:46 2023 +0000 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=7ec6da79 dev-qt/qtbase: add 6.5.0-r3 Signed-off-by: orbea riseup.net> .../qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch | 101 +++++++++++++++++++++ ...base-6.5.0-r2.ebuild => qtbase-6.5.0-r3.ebuild} | 1 + 2 files changed, 102 insertions(+) diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch new file mode 100644 index 0000000..c982cce --- /dev/null +++ b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch 
@@ -0,0 +1,101 @@ +From a2dc11b37fd71f785c342c40549f54edfdd1a6f8 Mon Sep 17 00:00:00 2001 +From: Thiago Macieira +Date: Thu, 11 May 2023 21:40:15 -0700 +Subject: [PATCH] QDnsLookup/Unix: make sure we don't overflow the buffer +MIME-Version: 1.0 +Content-Type: text/plain; charset=utf8 +Content-Transfer-Encoding: 8bit + +The DNS Records are variable length and encode their size in 16 bits +before the Record Data (RDATA). Ensure that both the RDATA and the +Record header fields before it fall inside the buffer we have. + +Additionally reject any replies containing more than one query records. + +[ChangeLog][QtNetwork][QDnsLookup] Fixed a bug that could cause a buffer +overflow in Unix systems while parsing corrupt, malicious, or truncated +replies. + +Pick-to: 5.15 6.2 6.5.1 +Change-Id: I3e3bfef633af4130a03afffd175e4b9547654b95 +Reviewed-by: MÃ¥rten Nordheim +Reviewed-by: Jani Heikkinen +(cherry picked from commit 7dba2c87619d558a61a30eb30cc1d9c3fe6df94c) +Reviewed-by: Daniel Smith +--- + src/network/kernel/qdnslookup_unix.cpp | 31 +++++++++++++++++++++++++------ + 1 file changed, 25 insertions(+), 6 deletions(-) + +diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp +index 8db79028f775..ad7bb51f67a5 100644 +--- a/src/network/kernel/qdnslookup_unix.cpp ++++ b/src/network/kernel/qdnslookup_unix.cpp +@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + // responseLength in case of error, we still can extract the + // exact error code from the response. + HEADER *header = (HEADER*)response; +- const int answerCount = ntohs(header->ancount); + switch (header->rcode) { + case NOERROR: + break; +@@ -227,18 +226,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + return; + } + +- // Skip the query host, type (2 bytes) and class (2 bytes). 
+ char host[PACKETSZ], answer[PACKETSZ]; + unsigned char *p = response + sizeof(HEADER); +- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +- if (status < 0) { ++ int status; ++ ++ if (ntohs(header->qdcount) == 1) { ++ // Skip the query host, type (2 bytes) and class (2 bytes). ++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); ++ if (status < 0) { ++ reply->error = QDnsLookup::InvalidReplyError; ++ reply->errorString = tr("Could not expand domain name"); ++ return; ++ } ++ if ((p - response) + status + 4 >= responseLength) ++ header->qdcount = 0xffff; // invalid reply below ++ else ++ p += status + 4; ++ } ++ if (ntohs(header->qdcount) > 1) { + reply->error = QDnsLookup::InvalidReplyError; +- reply->errorString = tr("Could not expand domain name"); ++ reply->errorString = tr("Invalid reply received"); + return; + } +- p += status + 4; + + // Extract results. ++ const int answerCount = ntohs(header->ancount); + int answerIndex = 0; + while ((p < response + responseLength) && (answerIndex < answerCount)) { + status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +@@ -250,6 +262,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + const QString name = QUrl::fromAce(host); + + p += status; ++ ++ if ((p - response) + 10 > responseLength) { ++ // probably just a truncated reply, return what we have ++ return; ++ } + const quint16 type = (p[0] << 8) | p[1]; + p += 2; // RR type + p += 2; // RR class +@@ -257,6 +274,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + p += 4; + const quint16 size = (p[0] << 8) | p[1]; + p += 2; ++ if ((p - response) + size > responseLength) ++ return; // truncated + + if (type == QDnsLookup::A) { + if (size != 4) { +-- +2.16.3 + 
diff --git a/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild b/dev-qt/qtbase/qtbase-6.5.0-r3.ebuild similarity index 99% rename from dev-qt/qtbase/qtbase-6.5.0-r2.ebuild rename to dev-qt/qtbase/qtbase-6.5.0-r3.ebuild index 08f45a6..8f12328 100644 --- a/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild +++ b/dev-qt/qtbase/qtbase-6.5.0-r3.ebuild @@ -107,6 +107,7 @@ PATCHES=( "${FILESDIR}/${PN}-6.5.0-libressl.patch" "${FILESDIR}/${PN}-6.5.0-setActiveWindow-deprecated-version.patch" "${FILESDIR}/${PN}-6.5.0-CVE-2023-32762.patch" + "${FILESDIR}/${PN}-6.5.0-CVE-2023-33285.patch" ) src_configure() {
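Review bot: in the `qdcount == 1` branch of qdnslookup_unix.cpp, the bounds failure is signalled by writing `header->qdcount = 0xffff` into the response buffer so that the following `ntohs(header->qdcount) > 1` test fires. Setting `reply->error` and returning at that point, as the `status < 0` case just above it does, would avoid mutating the packet being parsed and keep the "too many questions" and "question runs past the buffer" rejections distinguishable. The same check uses `>=` where the two later checks in the answer loop use `>`, so a reply that ends exactly after the question section is reported as InvalidReplyError; if that is intended a comment should say so, otherwise `>` matches the rest. A reply with `qdcount == 0` skips both branches and starts answer parsing directly after the header, which also deserves a one-line comment.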
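Review bot: the literal `10` in `(p - response) + 10 > responseLength`, at the top of the answer loop, is the fixed part of a resource record (type 2, class 2, TTL 4, RDLENGTH 2), which a reader has to reconstruct by adding up the `p += ...` steps that follow. A named constant, or a comment spelling out that sum next to the check, would keep the bound and the reads below it from drifting apart if a field is ever added or skipped differently.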
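Review bot: the `return; // truncated` after the RDLENGTH check (`(p - response) + size > responseLength`) leaves `reply->error` unset, so a record whose declared `size` runs past the buffer ends the lookup as a success carrying whatever records were parsed before it. The commit message lists corrupt and malicious replies alongside truncated ones, and a length field pointing outside the buffer cannot be told apart from those here; consider setting QDnsLookup::InvalidReplyError as the question-section path does, or document why returning partial results without an error is acceptable to callers.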
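Review bot: the new PATCHES entry `"${FILESDIR}/${PN}-6.5.0-CVE-2023-33285.patch"` in qtbase-6.5.0-r3.ebuild is the only place this commit states why the revision moved from r2 to r3; the summary line reads just "add 6.5.0-r3". Naming CVE-2023-33285 in the commit message would let the security fix be found from the log without opening the diff.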