!146 [sync] PR-145: fix qt CVE-2023-45935

From: @openeuler-sync-bot Reviewed-by: @peijiankang Signed-off-by: @peijiankang
2024-04-30 01:11:00 +00:00 · 2024-04-30 01:11:00 +00:00 · ef711c9a38
commit ef711c9a38
parent 7981f583be b909fad45d
2 changed files with 37 additions and 1 deletions
--- a/CVE-2023-45935.patch
+++ b/CVE-2023-45935.patch
@ -0,0 +1,31 @@
+From b349ef7d08deb9d7ee64cf161fdf3a92b0f3f706 Mon Sep 17 00:00:00 2001
+From: Liang Qi <liang.qi@qt.io>
+Date: 2023-07-31 05:35:11 +0200
+Subject: [PATCH] CVE-2023-45935
+
+port invokeMethodImpl() from QScopeGuard to SlotObjUniquePtr
+
+---
+ src/plugins/platforms/xcb/qxcbatom.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/plugins/platforms/xcb/qxcbatom.cpp b/src/plugins/platforms/xcb/qxcbatom.cpp
+index 78081660..11d356dd 100644
+--- a/src/plugins/platforms/xcb/qxcbatom.cpp
+++ b/src/plugins/platforms/xcb/qxcbatom.cpp
+@@ -268,8 +268,10 @@ void QXcbAtom::initializeAllAtoms(xcb_connection_t *connection) {
+ 
+     for (i = 0; i < QXcbAtom::NAtoms; ++i) {
+         xcb_intern_atom_reply_t *reply = xcb_intern_atom_reply(connection, cookies[i], nullptr);
+-        m_allAtoms[i] = reply->atom;
+-        free(reply);
+        if (reply) {
+            m_allAtoms[i] = reply->atom;
+            free(reply);
+        }        
+     }
+ }
+ 
+-- 
+2.27.0
+
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@ -34,7 +34,7 @@ BuildRequires:    pkgconfig(libsystemd)
 Name:             qt5-qtbase
 Summary:          Qt5 - QtBase components
 Version:          5.15.2
-Release:          15
+Release:          16


 # See LGPL_EXCEPTIONS.txt, for exception details
@ -133,6 +133,7 @@ Patch0032:        CVE-2024-25580-qtbase-5.15.diff
 Patch1000:        1000-add-loongarch64-support-for-syscall_fork.patch
 Patch1001:        1001-add-sw_64-support-for-syscall_fork.patch
 Patch1002:        qtbase5.15-CVE-2023-51714.patch
+Patch1003:        CVE-2023-45935.patch

 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
@ -404,6 +405,7 @@ Qt5 libraries used for drawing widgets and OpenGL items.
 %patch1000 -p1
 %patch1001 -p1
 %patch1002 -p1
+%patch1003 -p1

 # move some bundled libs to ensure they're not accidentally used
 pushd src/3rdparty
@ -1046,6 +1048,9 @@ fi


 %changelog
+* Wed Apr 24 2024 lvfei <lvfei@kylinos.cn> - 5.15.2-16
+- Fix CVE-2023-45935
+
 * Wed Apr 17 2024 peijiankang <peijiankang@kylinos.cn> - 5.15.2-15
 - add CVE-2024-25580-qtbase-5.15.diff