bz#1210677, CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
This commit is contained in:
parent
74e790ecfb
commit
63cda2bb9f
54
qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
Normal file
54
qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
Normal file
@ -0,0 +1,54 @@
|
|||||||
|
diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp
|
||||||
|
--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp.than 2015-04-13 16:03:24.347475762 +0200
|
||||||
|
+++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qbmphandler.cpp 2015-04-13 16:04:42.781923479 +0200
|
||||||
|
@@ -478,12 +478,6 @@ static bool read_dib_body(QDataStream &s
|
||||||
|
p = data + (h-y-1)*bpl;
|
||||||
|
break;
|
||||||
|
case 2: // delta (jump)
|
||||||
|
- // Protection
|
||||||
|
- if ((uint)x >= (uint)w)
|
||||||
|
- x = w-1;
|
||||||
|
- if ((uint)y >= (uint)h)
|
||||||
|
- y = h-1;
|
||||||
|
-
|
||||||
|
{
|
||||||
|
quint8 tmp;
|
||||||
|
d->getChar((char *)&tmp);
|
||||||
|
@@ -491,6 +485,13 @@ static bool read_dib_body(QDataStream &s
|
||||||
|
d->getChar((char *)&tmp);
|
||||||
|
y += tmp;
|
||||||
|
}
|
||||||
|
+
|
||||||
|
+ // Protection
|
||||||
|
+ if ((uint)x >= (uint)w)
|
||||||
|
+ x = w-1;
|
||||||
|
+ if ((uint)y >= (uint)h)
|
||||||
|
+ y = h-1;
|
||||||
|
+
|
||||||
|
p = data + (h-y-1)*bpl + x;
|
||||||
|
break;
|
||||||
|
default: // absolute mode
|
||||||
|
diff -up qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp
|
||||||
|
--- qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp.than 2015-04-13 16:10:38.284420268 +0200
|
||||||
|
+++ qt-everywhere-opensource-src-4.8.6/src/gui/image/qgifhandler.cpp 2015-04-13 16:11:17.406144797 +0200
|
||||||
|
@@ -944,6 +944,8 @@ void QGIFFormat::fillRect(QImage *image,
|
||||||
|
|
||||||
|
void QGIFFormat::nextY(unsigned char *bits, int bpl)
|
||||||
|
{
|
||||||
|
+ if (out_of_bounds)
|
||||||
|
+ return;
|
||||||
|
int my;
|
||||||
|
switch (interlace) {
|
||||||
|
case 0: // Non-interlaced
|
||||||
|
diff -up qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp
|
||||||
|
--- qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp.than 2015-04-13 16:05:02.059787728 +0200
|
||||||
|
+++ qt-everywhere-opensource-src-4.8.6/src/plugins/imageformats/ico/qicohandler.cpp 2015-04-13 16:05:41.141512553 +0200
|
||||||
|
@@ -571,7 +571,7 @@ QImage ICOReader::iconAt(int index)
|
||||||
|
QImage::Format format = QImage::Format_ARGB32;
|
||||||
|
if (icoAttrib.nbits == 24)
|
||||||
|
format = QImage::Format_RGB32;
|
||||||
|
- else if (icoAttrib.ncolors == 2)
|
||||||
|
+ else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
|
||||||
|
format = QImage::Format_Mono;
|
||||||
|
else if (icoAttrib.ncolors > 0)
|
||||||
|
format = QImage::Format_Indexed8;
|
8
qt.spec
8
qt.spec
@ -35,7 +35,7 @@ Summary: Qt toolkit
|
|||||||
Name: qt
|
Name: qt
|
||||||
Epoch: 1
|
Epoch: 1
|
||||||
Version: 4.8.6
|
Version: 4.8.6
|
||||||
Release: 27%{?dist}
|
Release: 28%{?dist}
|
||||||
|
|
||||||
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
|
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
|
||||||
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
|
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
|
||||||
@ -199,6 +199,8 @@ Patch272: 0072-Fix-font-cache-check-in-QFontEngineFT-recalcAdvances.patch
|
|||||||
# CVE-2015-0295
|
# CVE-2015-0295
|
||||||
# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
|
# http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
|
||||||
Patch337: 0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
|
Patch337: 0137-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
|
||||||
|
# CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
|
||||||
|
Patch338: qt-4.8.6-CVE-2015-1860_CVE-2015-1859_CVE-2015-1858.patch
|
||||||
|
|
||||||
# desktop files
|
# desktop files
|
||||||
Source20: assistant.desktop
|
Source20: assistant.desktop
|
||||||
@ -597,6 +599,7 @@ rm -rf src/3rdparty/clucene
|
|||||||
%patch267 -p1 -b .0067
|
%patch267 -p1 -b .0067
|
||||||
%patch272 -p1 -b .0072
|
%patch272 -p1 -b .0072
|
||||||
%patch337 -p1 -b .0137
|
%patch337 -p1 -b .0137
|
||||||
|
%patch338 -p1 -b .CVE-2015-1860_CVE-2015-1859_CVE-2015-1858
|
||||||
|
|
||||||
# security fixes
|
# security fixes
|
||||||
# regression fixes for the security fixes
|
# regression fixes for the security fixes
|
||||||
@ -1332,6 +1335,9 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Mon Apr 13 2015 Than Ngo <than@redhat.com> - 1:4.8.6-28
|
||||||
|
- bz#1210677, CVE-2015-1860 CVE-2015-1859 CVE-2015-1858
|
||||||
|
|
||||||
* Thu Mar 26 2015 Richard Hughes <rhughes@redhat.com> - 1:4.8.6-27
|
* Thu Mar 26 2015 Richard Hughes <rhughes@redhat.com> - 1:4.8.6-27
|
||||||
- Add an AppData file for the software center
|
- Add an AppData file for the software center
|
||||||
|
|
||||||
|
Loading…
Reference in New Issue
Block a user