Add patch to fix CVE-2023-33285 (Closes: #1036848).

ci/unstable
Patrick Franz 2 years ago
parent 6e1f7e9484
commit b0ba82c543
GPG Key ID: 9E9F7A603077FE56

3
debian/changelog vendored

@ -1,5 +1,8 @@
qt6-base (6.4.2+dfsg-10) UNRELEASED; urgency=medium qt6-base (6.4.2+dfsg-10) UNRELEASED; urgency=medium
[ Patrick Franz ]
* Add patch to fix CVE-2023-33285 (Closes: #1036848).
-- Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> Sun, 28 May 2023 10:04:09 +0200 -- Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> Sun, 28 May 2023 10:04:09 +0200
qt6-base (6.4.2+dfsg-9) unstable; urgency=medium qt6-base (6.4.2+dfsg-9) unstable; urgency=medium

@ -0,0 +1,70 @@
diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
index 75f7c6c440..de0113494f 100644
--- a/src/network/kernel/qdnslookup_unix.cpp
+++ b/src/network/kernel/qdnslookup_unix.cpp
@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
// responseLength in case of error, we still can extract the
// exact error code from the response.
HEADER *header = (HEADER*)response;
- const int answerCount = ntohs(header->ancount);
switch (header->rcode) {
case NOERROR:
break;
@@ -226,18 +225,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
return;
}
- // Skip the query host, type (2 bytes) and class (2 bytes).
char host[PACKETSZ], answer[PACKETSZ];
unsigned char *p = response + sizeof(HEADER);
- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
- if (status < 0) {
+ int status;
+
+ if (ntohs(header->qdcount) == 1) {
+ // Skip the query host, type (2 bytes) and class (2 bytes).
+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+ if (status < 0) {
+ reply->error = QDnsLookup::InvalidReplyError;
+ reply->errorString = tr("Could not expand domain name");
+ return;
+ }
+ if ((p - response) + status + 4 >= responseLength)
+ header->qdcount = 0xffff; // invalid reply below
+ else
+ p += status + 4;
+ }
+ if (ntohs(header->qdcount) > 1) {
reply->error = QDnsLookup::InvalidReplyError;
- reply->errorString = tr("Could not expand domain name");
+ reply->errorString = tr("Invalid reply received");
return;
}
- p += status + 4;
// Extract results.
+ const int answerCount = ntohs(header->ancount);
int answerIndex = 0;
while ((p < response + responseLength) && (answerIndex < answerCount)) {
status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
@@ -249,6 +261,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
const QString name = QUrl::fromAce(host);
p += status;
+
+ if ((p - response) + 10 > responseLength) {
+ // probably just a truncated reply, return what we have
+ return;
+ }
const quint16 type = (p[0] << 8) | p[1];
p += 2; // RR type
p += 2; // RR class
@@ -256,6 +273,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
p += 4;
const quint16 size = (p[0] << 8) | p[1];
p += 2;
+ if ((p - response) + size > responseLength)
+ return; // truncated
if (type == QDnsLookup::A) {
if (size != 4) {
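Review bot: The new question-section bounds check `if ((p - response) + status + 4 >= responseLength)` appears to be off by one: a reply whose question section ends exactly at responseLength (qdcount == 1 with zero answer, authority and additional records) is rewritten to `header->qdcount = 0xffff` and rejected with "Invalid reply received", although a zero-record NOERROR reply of that shape is well-formed; with `>` instead, p would land on response + responseLength and the answer loop below would simply not run. Whether a real resolver ever emits such a minimal reply I cannot confirm from here (most attach an SOA or OPT record), so this is worth checking against the upstream fix before deviating from the backported patch. Separately, the two new truncation exits (`// probably just a truncated reply, return what we have` and `return; // truncated`) leave reply->error untouched, so a reply cut mid-record is surfaced as a successful partial result rather than an error; if that is deliberate, a comment such as `// NOTE: a truncated reply is returned as a partial success; callers must not treat it as complete` at the first exit would make the contract explicit. The enclosing QDnsLookupRunnable::query starts and ends outside this hunk.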

@ -1,6 +1,7 @@
# fixed in 6.5 # fixed in 6.5.1
cve-2023-32762.diff cve-2023-32762.diff
cve-2023-32763.diff cve-2023-32763.diff
cve-2023-33285.diff
upstream_Add-HPPA-detection.patch upstream_Add-HPPA-detection.patch
upstream_Add-M68k-detection.patch upstream_Add-M68k-detection.patch
