diff --git a/CVE-2023-33285.patch b/CVE-2023-33285.patch new file mode 100644 index 0000000..8346573 --- /dev/null +++ b/CVE-2023-33285.patch @@ -0,0 +1,73 @@ +diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp +index 12b40fc3..99e999d4 100644 +--- a/src/network/kernel/qdnslookup_unix.cpp ++++ b/src/network/kernel/qdnslookup_unix.cpp +@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + // responseLength in case of error, we still can extract the + // exact error code from the response. + HEADER *header = (HEADER*)response; +- const int answerCount = ntohs(header->ancount); + switch (header->rcode) { + case NOERROR: + break; +@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + return; + } + +- // Skip the query host, type (2 bytes) and class (2 bytes). + char host[PACKETSZ], answer[PACKETSZ]; + unsigned char *p = response + sizeof(HEADER); +- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +- if (status < 0) { ++ int status; ++ ++ if (ntohs(header->qdcount) == 1) { ++ // Skip the query host, type (2 bytes) and class (2 bytes). ++ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); ++ if (status < 0) { ++ reply->error = QDnsLookup::InvalidReplyError; ++ reply->errorString = tr("Could not expand domain name"); ++ return; ++ } ++ if ((p - response) + status + 4 >= responseLength) ++ header->qdcount = 0xffff; // invalid reply below ++ else ++ p += status + 4; ++ } ++ if (ntohs(header->qdcount) > 1) { + reply->error = QDnsLookup::InvalidReplyError; +- reply->errorString = tr("Could not expand domain name"); ++ reply->errorString = tr("Invalid reply received"); + return; + } +- p += status + 4; + + // Extract results. ++ const int answerCount = ntohs(header->ancount); + int answerIndex = 0; + while ((p < response + responseLength) && (answerIndex < answerCount)) { + status = local_dn_expand(response, response + responseLength, p, host, sizeof(host)); +@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + const QString name = QUrl::fromAce(host); + + p += status; ++ ++ if ((p - response) + 10 > responseLength) { ++ // probably just a truncated reply, return what we have ++ return; ++ } + const quint16 type = (p[0] << 8) | p[1]; + p += 2; // RR type + p += 2; // RR class +@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN + p += 4; + const quint16 size = (p[0] << 8) | p[1]; + p += 2; ++ if ((p - response) + size > responseLength) ++ return; // truncated + + if (type == QDnsLookup::A) { + if (size != 4) { +-- +2.27.0 + diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec index 9f81096..7094016 100644 --- a/qt5-qtbase.spec +++ b/qt5-qtbase.spec @@ -34,7 +34,7 @@ BuildRequires: pkgconfig(libsystemd) Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.15.2 -Release: 9 +Release: 10 # See LGPL_EXCEPTIONS.txt, for exception details @@ -122,6 +122,7 @@ Patch0025: CVE-2023-32763.patch # https://download.qt.io/official_releases/qt/5.15/CVE-2023-37369-qtbase-5.15.diff Patch0026: CVE-2023-37369-pre.patch Patch0027: CVE-2023-37369.patch +Patch0028: CVE-2023-33285.patch Patch1000: 1000-add-loongarch64-support-for-syscall_fork.patch Patch1001: 1001-add-sw_64-support-for-syscall_fork.patch @@ -388,6 +389,7 @@ Qt5 libraries used for drawing widgets and OpenGL items. %patch0025 -p1 %patch0026 -p1 %patch0027 -p1 +%patch0028 -p1 %patch1000 -p1 %patch1001 -p1 @@ -1032,6 +1034,9 @@ fi %changelog +* Wed Nov 01 2023 peijiankang - 5.15.2-10 +- fix CVE-2023-33285 + * Wed Sep 06 2023 panchenbo - 5.15.2-9 - add loongarch64 and sw_64 syscall_fork support