Multiple Vulnerabilities in Qt Image Format Handling (CVE-2015-1860 CVE-2015-1859 CVE-2015-1858)

2015-04-13 12:50:19 -05:00 · 2015-04-13 12:50:19 -05:00 · 9a602903fd
parent 240a4ac577
commit 9a602903fd
3 changed files with 101 additions and 1 deletions
--- a/0200-Fixes-crash-in-gif-image-decoder.patch
+++ b/0200-Fixes-crash-in-gif-image-decoder.patch
@ -0,0 +1,30 @@
+From d3048a29797ee2d80d84bbda26bb3c954584f332 Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed, 11 Mar 2015 09:00:41 +0100
+Subject: [PATCH 200/238] Fixes crash in gif image decoder
+
+Fuzzing test revealed that for certain malformed gif files,
+qgifhandler would segfault.
+
+Change-Id: I5bb6f60e1c61849e0d8c735edc3869945e5331c1
+Reviewed-by: Richard J. Moore <rich@kde.org>
+---
+ src/gui/image/qgifhandler.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/gui/image/qgifhandler.cpp b/src/gui/image/qgifhandler.cpp
+index 03e46ab..8d8c4ae 100644
+--- a/src/gui/image/qgifhandler.cpp
+++ b/src/gui/image/qgifhandler.cpp
+@@ -936,6 +936,8 @@ void QGIFFormat::fillRect(QImage *image, int col, int row, int w, int h, QRgb co
+ 
+ void QGIFFormat::nextY(unsigned char *bits, int bpl)
+ {
+    if (out_of_bounds)
+        return;
+     int my;
+     switch (interlace) {
+     case 0: // Non-interlaced
+-- 
+1.9.3
+
--- a/0201-Fixes-crash-in-bmp-and-ico-image-decoding.patch
+++ b/0201-Fixes-crash-in-bmp-and-ico-image-decoding.patch
@ -0,0 +1,62 @@
+From 51ec7ebfe5f45d1c0a03d992e97053cac66e25fe Mon Sep 17 00:00:00 2001
+From: Eirik Aavitsland <eirik.aavitsland@theqtcompany.com>
+Date: Wed, 11 Mar 2015 13:34:01 +0100
+Subject: [PATCH 201/238] Fixes crash in bmp and ico image decoding
+
+Fuzzing test revealed that for certain malformed bmp and ico files,
+the handler would segfault.
+
+Change-Id: I19d45145f31e7f808f7f6a1a1610270ea4159cbe
+Reviewed-by: Lars Knoll <lars.knoll@digia.com>
+---
+ src/gui/image/qbmphandler.cpp                | 13 +++++++------
+ src/plugins/imageformats/ico/qicohandler.cpp |  2 +-
+ 2 files changed, 8 insertions(+), 7 deletions(-)
+
+diff --git a/src/gui/image/qbmphandler.cpp b/src/gui/image/qbmphandler.cpp
+index df66499..8acc593 100644
+--- a/src/gui/image/qbmphandler.cpp
+++ b/src/gui/image/qbmphandler.cpp
+@@ -484,12 +484,6 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+                             p = data + (h-y-1)*bpl;
+                             break;
+                         case 2:                        // delta (jump)
+-                            // Protection
+-                            if ((uint)x >= (uint)w)
+-                                x = w-1;
+-                            if ((uint)y >= (uint)h)
+-                                y = h-1;
+-
+                             {
+                                 quint8 tmp;
+                                 d->getChar((char *)&tmp);
+@@ -497,6 +491,13 @@ static bool read_dib_body(QDataStream &s, const BMP_INFOHDR &bi, int offset, int
+                                 d->getChar((char *)&tmp);
+                                 y += tmp;
+                             }
+
+                            // Protection
+                            if ((uint)x >= (uint)w)
+                                x = w-1;
+                            if ((uint)y >= (uint)h)
+                                y = h-1;
+
+                             p = data + (h-y-1)*bpl + x;
+                             break;
+                         default:                // absolute mode
+diff --git a/src/plugins/imageformats/ico/qicohandler.cpp b/src/plugins/imageformats/ico/qicohandler.cpp
+index 00de0c8..ec1654e 100644
+--- a/src/plugins/imageformats/ico/qicohandler.cpp
+++ b/src/plugins/imageformats/ico/qicohandler.cpp
+@@ -567,7 +567,7 @@ QImage ICOReader::iconAt(int index)
+                 QImage::Format format = QImage::Format_ARGB32;
+                 if (icoAttrib.nbits == 24)
+                     format = QImage::Format_RGB32;
+-                else if (icoAttrib.ncolors == 2)
+                else if (icoAttrib.ncolors == 2 && icoAttrib.depth == 1)
+                     format = QImage::Format_Mono;
+                 else if (icoAttrib.ncolors > 0)
+                     format = QImage::Format_Indexed8;
+-- 
+1.9.3
+
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@ -37,7 +37,7 @@
 Summary: Qt5 - QtBase components
 Name:    qt5-qtbase
 Version: 5.4.1
-Release: 8%{?dist}
+Release: 9%{?dist}

 # See LGPL_EXCEPTIONS.txt, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -103,6 +103,9 @@ Patch336: 0136-Make-sure-there-s-a-scene-before-using-it.patch
 # http://lists.qt-project.org/pipermail/announce/2015-February/000059.html
 # CVE-2015-0295
 Patch349: 0149-Fix-a-division-by-zero-when-processing-malformed-BMP.patch
+# CVE-2015-1858, CVE-2015-1859, CVE-2015-1860
+Patch400: 0200-Fixes-crash-in-gif-image-decoder.patch
+Patch401: 0201-Fixes-crash-in-bmp-and-ico-image-decoding.patch

 # macros, be mindful to keep sync'd with macros.qt5
 Source1: macros.qt5
@ -359,6 +362,8 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
 %patch332 -p1 -b .0132
 %patch336 -p1 -b .0136
 %patch349 -p1 -b .0149
+%patch400 -p1 -b .0200
+%patch401 -p1 -b .0201

 # drop -fexceptions from $RPM_OPT_FLAGS
 RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
@ -870,6 +875,9 @@ fi


 %changelog
+* Mon Apr 13 2015 Rex Dieter <rdieter@fedoraproject.org> 5.4.1-9
+- Multiple Vulnerabilities in Qt Image Format Handling (CVE-2015-1860 CVE-2015-1859 CVE-2015-1858)
+
 * Fri Apr 10 2015 Rex Dieter <rdieter@fedoraproject.org> - 5.4.1-8
 - -dbus=runtime on el6 (#1196359)
 - %%build: -no-directfb