packages/qt5-qtbase
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

fix CVE-2023-33285

Browse Source
This commit is contained in:
peijiankang 2023-11-01 15:43:11 +08:00
parent 39750b65a9
commit 3c33b1fc33
2 changed files with 79 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

73
CVE-2023-33285.patch Normal file
View File

@ -0,0 +1,73 @@
diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
index 12b40fc3..99e999d4 100644
--- a/src/network/kernel/qdnslookup_unix.cpp
+++ b/src/network/kernel/qdnslookup_unix.cpp
@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
// responseLength in case of error, we still can extract the
// exact error code from the response.
HEADER *header = (HEADER*)response;
- const int answerCount = ntohs(header->ancount);
switch (header->rcode) {
case NOERROR:
break;
@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
return;
}
- // Skip the query host, type (2 bytes) and class (2 bytes).
char host[PACKETSZ], answer[PACKETSZ];
unsigned char *p = response + sizeof(HEADER);
- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
- if (status < 0) {
+ int status;
+
+ if (ntohs(header->qdcount) == 1) {
+ // Skip the query host, type (2 bytes) and class (2 bytes).
+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+ if (status < 0) {
+ reply->error = QDnsLookup::InvalidReplyError;
+ reply->errorString = tr("Could not expand domain name");
+ return;
+ }
+ if ((p - response) + status + 4 >= responseLength)
+ header->qdcount = 0xffff; // invalid reply below
+ else
+ p += status + 4;
+ }
+ if (ntohs(header->qdcount) > 1) {
reply->error = QDnsLookup::InvalidReplyError;
- reply->errorString = tr("Could not expand domain name");
+ reply->errorString = tr("Invalid reply received");
return;
}
- p += status + 4;
// Extract results.
+ const int answerCount = ntohs(header->ancount);
int answerIndex = 0;
while ((p < response + responseLength) && (answerIndex < answerCount)) {
status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
const QString name = QUrl::fromAce(host);
p += status;
+
+ if ((p - response) + 10 > responseLength) {
+ // probably just a truncated reply, return what we have
+ return;
+ }
const quint16 type = (p[0] << 8) | p[1];
p += 2; // RR type
p += 2; // RR class
@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
p += 4;
const quint16 size = (p[0] << 8) | p[1];
p += 2;
+ if ((p - response) + size > responseLength)
+ return; // truncated
if (type == QDnsLookup::A) {
if (size != 4) {
--
2.27.0

7
qt5-qtbase.spec
View File

@ -34,7 +34,7 @@ BuildRequires: pkgconfig(libsystemd)
Name: qt5-qtbase
Summary: Qt5 - QtBase components
Version: 5.15.2
Release: 9
Release: 10
# See LGPL_EXCEPTIONS.txt, for exception details
@ -122,6 +122,7 @@ Patch0025: CVE-2023-32763.patch
# https://download.qt.io/official_releases/qt/5.15/CVE-2023-37369-qtbase-5.15.diff
Patch0026: CVE-2023-37369-pre.patch
Patch0027: CVE-2023-37369.patch
Patch0028: CVE-2023-33285.patch
Patch1000: 1000-add-loongarch64-support-for-syscall_fork.patch
Patch1001: 1001-add-sw_64-support-for-syscall_fork.patch
@ -388,6 +389,7 @@ Qt5 libraries used for drawing widgets and OpenGL items.
%patch0025 -p1
%patch0026 -p1
%patch0027 -p1
%patch0028 -p1
%patch1000 -p1
%patch1001 -p1
@ -1032,6 +1034,9 @@ fi
%changelog
* Wed Nov 01 2023 peijiankang <peijiankang@kylinos.cn> - 5.15.2-10
- fix CVE-2023-33285
* Wed Sep 06 2023 panchenbo <panchenbo@kylinsec.com.cn> - 5.15.2-9
- add loongarch64 and sw_64 syscall_fork support