Accepting request 1136540 from KDE:Qt6

OBS-URL: https://build.opensuse.org/request/show/1136540
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/qt6-base?expand=0&rev=49

0001-HPack-fix-a-Yoda-Condition.patch

@@ -0,0 +1,38 @@
+From 658607a34ead214fbacbc2cca44915655c318ea9 Mon Sep 17 00:00:00 2001
+From: Marc Mutz <marc.mutz@qt.io>
+Date: Tue, 12 Dec 2023 20:51:56 +0100
+Subject: [PATCH] HPack: fix a Yoda Condition
+
+Putting the variable on the LHS of a relational operation makes the
+expression easier to read. In this case, we find that the whole
+expression is nonsensical as an overflow protection, because if
+name.size() + value.size() overflows, the result will exactly _not_
+be > max() - 32, because UB will have happened.
+
+To be fixed in a follow-up commit.
+
+As a drive-by, add parentheses around the RHS.
+
+Pick-to: 6.7 6.6 6.5 6.2 5.15
+Change-Id: I35ce598884c37c51b74756b3bd2734b9aad63c09
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ src/network/access/http2/hpacktable.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
+index 74a09a207ffb..c8c5d098c80a 100644
+--- a/src/network/access/http2/hpacktable.cpp
++++ b/src/network/access/http2/hpacktable.cpp
+@@ -27,7 +27,7 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value)
+     // 32 octets of overhead."
+ 
+     const unsigned sum = unsigned(name.size() + value.size());
+-    if (std::numeric_limits<unsigned>::max() - 32 < sum)
++    if (sum > (std::numeric_limits<unsigned>::max() - 32))
+         return HeaderSize();
+     return HeaderSize(true, quint32(sum + 32));
+ }
+-- 
+2.16.3
+

0001-Http2-fix-potential-overflow-in-assemble_hpack_block.patch

@@ -0,0 +1,64 @@
+From 8907dedc858cc344d770a2e826d6acc516429540 Mon Sep 17 00:00:00 2001
+From: Marc Mutz <marc.mutz@qt.io>
+Date: Tue, 19 Dec 2023 14:22:37 +0100
+Subject: [PATCH] Http2: fix potential overflow in assemble_hpack_block()
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+The function is given a vector of Http2::Frame's and flattens it into
+a vector<uchar>. While each Frame can contain a maximum of 16GiB of
+data (24-bit size field), one "only" needs 257 of them to overflow the
+quint32 variable's range.
+
+So make sure any overflow does not go undetected.
+
+Keep the limited uint32_t range for now, as we don't know whether all
+consumers of the result can deal with more than 4GiB of data.
+
+Since all these frames must be in memory, this cannot overflow in
+practice on 32-bit machines.
+
+Pick-to: 6.7 6.6 6.5 6.2 5.15
+Change-Id: Iafaa7d1c870cba9100e75065db11d95934f86213
+Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
+(cherry picked from commit 1e6bb61af3ae29755f93b92f157df026f934ae61)
+
+* asturmlechner 2024-01-02: Use correct include for 5.15
+---
+ src/network/access/qhttp2protocolhandler.cpp | 8 ++++++--
+ 1 file changed, 6 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/access/qhttp2protocolhandler.cpp b/src/network/access/qhttp2protocolhandler.cpp
+index 39dd460881a..ead88d781ae 100644
+--- a/src/network/access/qhttp2protocolhandler.cpp
++++ b/src/network/access/qhttp2protocolhandler.cpp
+@@ -10,10 +10,12 @@
+ #include <private/qnoncontiguousbytedevice_p.h>
+ 
+ #include <QtNetwork/qabstractsocket.h>
++
+ #include <QtCore/qloggingcategory.h>
+ #include <QtCore/qendian.h>
+ #include <QtCore/qdebug.h>
+ #include <QtCore/qlist.h>
++#include <QtCore/private/qnumeric_p.h>
+ #include <QtCore/qurl.h>
+ 
+ #include <qhttp2configuration.h>
+@@ -90,8 +92,10 @@ std::vector<uchar> assemble_hpack_block(const std::vector<Http2::Frame> &frames)
+     std::vector<uchar> hpackBlock;
+ 
+     quint32 total = 0;
+-    for (const auto &frame : frames)
+-        total += frame.hpackBlockSize();
++    for (const auto &frame : frames) {
++        if (add_overflow(total, frame.hpackBlockSize(), &total))
++            return hpackBlock;
++    }
+ 
+     if (!total)
+         return hpackBlock;
+-- 
+GitLab
+

0002-HPack-fix-incorrect-integer-overflow-check.patch

@@ -0,0 +1,44 @@
+From ee5da1f2eaf8932aeca02ffea6e4c618585e29e3 Mon Sep 17 00:00:00 2001
+From: Marc Mutz <marc.mutz@qt.io>
+Date: Tue, 12 Dec 2023 22:08:07 +0100
+Subject: [PATCH] HPack: fix incorrect integer overflow check
+
+This code never worked:
+
+For the comparison with max() - 32 to trigger, on 32-bit platforms (or
+Qt 5) signed interger overflow would have had to happen in the
+addition of the two sizes. The compiler can therefore remove the
+overflow check as dead code.
+
+On Qt 6 and 64-bit platforms, the signed integer addition would be
+very unlikely to overflow, but the following truncation to uint32
+would yield the correct result only in a narrow 32-value window just
+below UINT_MAX, if even that.
+
+Fix by using the proper tool, qAddOverflow.
+
+Pick-to: 6.7 6.6 6.5 6.2 5.15
+Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ src/network/access/http2/hpacktable.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
+index c8c5d098c80a..2c728b37e3b5 100644
+--- a/src/network/access/http2/hpacktable.cpp
++++ b/src/network/access/http2/hpacktable.cpp
+@@ -26,7 +26,9 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value)
+     // for counting the number of references to the name and value would have
+     // 32 octets of overhead."
+ 
+-    const unsigned sum = unsigned(name.size() + value.size());
++    size_t sum;
++    if (qAddOverflow(size_t(name.size()), size_t(value.size()), &sum))
++        return HeaderSize();
+     if (sum > (std::numeric_limits<unsigned>::max() - 32))
+         return HeaderSize();
+     return HeaderSize(true, quint32(sum + 32));
+-- 
+2.16.3
+

qt6-base.changes

@@ -1,3 +1,14 @@
+-------------------------------------------------------------------
+Wed Jan  3 08:52:06 UTC 2024 - Antonio Larrosa <alarrosa@suse.com>
+
+- Add upstream patches to fix an incorrect integer overflow check
+  (boo#1218413, CVE-2023-51714):
+  * 0001-HPack-fix-a-Yoda-Condition.patch
+  * 0002-HPack-fix-incorrect-integer-overflow-check.patch
+- Add upstream patch to fix a potential overflow in
+  assemble_hpack_block():
+  * 0001-Http2-fix-potential-overflow-in-assemble_hpack_block.patch
+
 -------------------------------------------------------------------
 Sat Dec 30 14:51:31 UTC 2023 - Luca Beltrame <lbeltrame@kde.org>
 

qt6-base.spec

@@ -1,7 +1,7 @@
 #
 # spec file
 #
-# Copyright (c) 2023 SUSE LLC
+# Copyright (c) 2024 SUSE LLC
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -41,6 +41,9 @@ Source99:       qt6-base-rpmlintrc
 # Patches 0-100 are upstream patches #
 Patch0:         0001-QMimeDatabase-handle-buggy-type-definitions.patch
 Patch1:         0001-QMimeDatabase-collect-glob-patterns-from.patch
+Patch2:         0001-HPack-fix-a-Yoda-Condition.patch
+Patch3:         0002-HPack-fix-incorrect-integer-overflow-check.patch
+Patch4:         0001-Http2-fix-potential-overflow-in-assemble_hpack_block.patch
 # Patches 100-200 are openSUSE and/or non-upstream(able) patches #
 Patch100:       0001-Tell-the-truth-about-private-API.patch
 # No need to pollute the library dir with object files, install them in the qt6 subfolder