Accepting request 1283610 from KDE:Qt:5.15

- Add patch (CVE-2025-5455, boo#1243958)
  * CVE-2025-5455.patch

OBS-URL: https://build.opensuse.org/request/show/1283610
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libqt5-qtbase?expand=0&rev=159

CVE-2025-5455.patch

@@ -0,0 +1,26 @@
+An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.
+
+This has been assigned the CVE id CVE-2025-5455.
+
+https://www.qt.io/blog/security-advisory-recently-discovered-issue-in-qdecodedataurl-in-qtcore-impacts-qt
+--
+diff --git a/src/corelib/io/qdataurl.cpp b/src/corelib/io/qdataurl.cpp
+index f14d399301f..83e59e3ac00 100644
+--- a/src/corelib/io/qdataurl.cpp
++++ b/src/corelib/io/qdataurl.cpp
+@@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray
+         }
+ 
+         if (data.toLower().startsWith("charset")) {
+-            int i = 7;      // strlen("charset")
+-            while (data.at(i) == ' ')
+-                ++i;
+-            if (data.at(i) == '=')
++            int prefixSize = 7; // strlen("charset")
++            QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize);
++            while (copy.startsWith(QLatin1String(" ")))
++                copy = copy.mid(1);
++            if (copy.startsWith(QLatin1String("=")))
+                 data.prepend("text/plain;");
+         }
+ 

_service

@@ -1,12 +1,12 @@
 <services>
   <service name="obs_scm" mode="disabled">
    <param name="changesgenerate">enable</param>
-   <param name="versionformat">5.15.15+kde@TAG_OFFSET@</param>
+   <param name="versionformat">5.15.17+kde@TAG_OFFSET@</param>
    <param name="url">https://invent.kde.org/qt/qt/qtbase.git</param>
    <param name="scm">git</param>
    <param name="filename">qtbase-everywhere-src</param>
    <param name="revision">kde/5.15</param>
-   <param name="parent-tag">v5.15.15-lts-lgpl</param>
+   <param name="parent-tag">v5.15.17-lts-lgpl</param>
    <param name="changesgenerate">enable</param>
   </service>
   <service name="set_version" mode="disabled"/>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">https://invent.kde.org/qt/qt/qtbase.git</param>
-              <param name="changesrevision">ab13e81917207959785ad0185a3a9974e552a7f5</param></service></servicedata>
+              <param name="changesrevision">128a1d2861ca5693e43e8b79fbd4278dcd451fbc</param></service></servicedata>

libqt5-qtbase.changes

@@ -1,3 +1,122 @@
+-------------------------------------------------------------------
+Fri Jun  6 10:57:45 UTC 2025 - Christophe Marin <christophe@krop.fr>
+
+- Add patch (CVE-2025-5455, boo#1243958)
+  * CVE-2025-5455.patch
+
+-------------------------------------------------------------------
+Wed May 28 08:27:35 UTC 2025 - Fabian Vogt <fabian@ritter-vogt.de>
+
+- Update to version 5.15.17+kde122, rebased upstream:
+  * QFileSystemEngine/Win: Use GetTempPath2 when available
+  * XML/QDom: speedup encodeText()
+  * Update Harfbuzz to 8.4.0
+  * SQLite: Update SQLite to v3.45.3
+  * Avoid detection of heading in tst_QTextMarkdownImporter::thematicBreaks
+  * Update md4c to 0.5.2
+  * xcb: Avoid recreating xcb window in QXcbWindow::requestActivateWindow()
+  * QMetaMethod: document that fromSignal(nullptr) is ok
+  * PCRE2: upgrade to 10.43
+  * SQLite: Update SQLite to v3.45.2
+  * Update bundled libpng to version 1.6.43
+  * androiddeployqt: fix QDirIterator::next() usage
+  * SQLite: Update SQLite to v3.45.1
+  * QDBusUtil: document the D-Bus signature grammar
+  * Windows: clean up System Tray Icon message icon
+  * Windows 7: blacklist tests that fail from low screen resolution
+  * Update bundled libjpeg-turbo to version 3.0.2
+  * QXcbWindow::handleLeaveNotifyEvent(): Consume when leaving geometry
+  * [docs] Fix C'n'P error in QTRY_VERIFY2 example
+  * tst_bench_QImageReader: add a benchmark for raw QFatoryLoader operations
+  * Update bundled libpng to version 1.6.42
+  * Update bundled libpng to version 1.6.41
+  * Fix license header for update_public_suffix_list.sh
+  * PSL: add changelog entry to the suggested commit message
+  * windows: Avoid infinite recursion with certain fonts
+  * SQLite: Update SQLite to v3.45.0
+  * Update Zlib to 1.3.1
+  * [docs] QVersionNumber: fix a typo
+  * QTextEngine: also round x-offset for non-subpixel text render
+  * tst_moc: DRY QProcess success verification
+  * [docs] Remove references to C++11 feature availability
+  * Doc: Replace 'saveFile' with 'saveFileContent'
+  * QObject: Make it clear we don't install duplicated event filters
+  * Rename QImageReader benchmark to tst_bench_
+  * tst_QString: explain TransientDefaultLocale better
+  * SQLite: Update SQLite to v3.44.2
+  * Fix Japan locale not showing japanese fonts correctly
+  * Bump supported macOS SDK version to version 14
+  * SQLite: Update SQLite to v3.44.1
+  * Bump version to 5.15.17
+  * [doc] QBENCHMARK_ONCE: fix typos
+  * xcb: update WM_TRANSIENT_FOR on transientParent native window recreation
+  * xcb: make QXcbWindow inherit QObject
+  * Upgrade to Harfbuzz 8.3.0
+  * QStringList: improve benchmark code
+  * Fix compilation with MSVC 17.8
+  * SQLite: Update SQLite to v3.44.0
+  * tst_QMetaEnum: add round-trip testing to valueToKeys()
+
+-------------------------------------------------------------------
+Mon Nov 25 15:32:55 UTC 2024 - Fabian Vogt <fabian@ritter-vogt.de>
+
+- Update to version 5.15.16+kde130, rebased upstream:
+  * xcb: Sync XCB connection after reparenting window
+  * xcb: check validity of RandR output info before using it
+  * QDuplicateTracker: fix redundant ;
+  * qxmlstreamparser_p.h: fix -Wshadow in parse()
+  * Fix -Wdouble-promotion in FP overload of convertDoubleTo()
+  * Protect headers against min/max macros
+  * Add __attribute__((format(printf()))) to q(v)nprintf()
+  * qsavefile_p.h: fix missing qsavefile.h include
+  * qendian_p.h: fix -Wshadow warning
+  * qtextstream_p.h: fix -Wshadow in QDeviceClosedNotifier
+  * QFutureInterface: fix build with GCC14/C++20: template-id not allowed
+  * qfuturewatcher_p.h: fix missing qfuturewatcher.h include
+  * qhttpmultipart_p.h: add missing qiodevice.h include
+  * Fix crash in font distancefield computation
+  * Avoid crash in font distancefield computation
+  * Revert "Update Harfbuzz to 7.2.0"
+  * Revert "Update Harfbuzz to 7.2.0"
+  * Fix WinRT/ARM build
+  * Update Harfbuzz to version 8.2.2
+  * Upgrade Harfbuzz to version 8.2.0
+  * Update bundled libjpeg-turbo to version 3.0.1
+  * SQLite: Update SQLite to v3.43.2
+  * Add a script for updating from publicsuffix/list.git
+  * Fix undefined symbol qt_version_tag with lld(16.0) for non core lib
+  * QInputMethod: check if focusobject supports the "new" IM function before calling it
+  * Un-deprecate qSwap()
+  * Doc: state that models are not thread-safe
+  * Fix android build error
+  * xcb: replace a warning with debug info
+  * qurl-generateTLDs: filter empty and comment lines
+  * qurltlds_p.h: support easier automatic updates
+  * SQLite: Update SQLite to v3.43.1
+  * Upgrade to Freetype 2.13.2
+  * Fix crash when reading corrupt font data (CVE-2023-43114)
+  * qmake: Don't error out if QMAKE_DEFAULT_LIBDIRS is empty on macOS
+  * qxkbcommon: Keep lower case as Qt key when upper case is not in Latin1
+  * Doc: Fix documented default for QCalendarWidget maximumDate, minimumDate
+  * QDataStream: clarify QDataStream::operator>>(char *&s) API docs
+  * doc: Remove QSettings' paths for embedded linux
+  * Update bundled zlib to version 1.3
+  * tst_QDtls: use DTLS v 1.0 test data conditionally
+  * Bump version to 5.15.16
+  * Android: fix handling of tree content uri with sub-document
+  * QTextFormat: documentation fix
+  * SQLite: Update SQLite to v3.43.0
+  * tst_QSslSocket: skip tests requiring TLS v 1.0 downgrade
+  * Update to Harfbuzz 8.1.1
+  * Update version of FreeType attribution
+  * tst_QHashFunctions: use actual seed in consistent() test function
+  * Android: fix content URI handling for non-ascii file names
+  * Upgrade Harfbuzz to 7.3.0
+  * Update download location for Harfbuzz as well
+- Commits dropped by the rebase:
+  * Add missing line continuations for memory_resource opt-out on Apple systems
+  * Fix CVE-2023-43114
+
 -------------------------------------------------------------------
 Wed Sep  4 20:01:55 UTC 2024 - Fabian Vogt <fabian@ritter-vogt.de>
 

libqt5-qtbase.spec

@@ -29,15 +29,15 @@
 %bcond_without harfbuzz
 
 Name:           libqt5-qtbase
-Version:        5.15.15+kde127
+Version:        5.15.17+kde122
 Release:        0
 Summary:        C++ Program Library, Core Components
 License:        LGPL-3.0-only or GPL-3.0-with-Qt-Company-Qt-exception-1.1
 Group:          System/Libraries
 Url:            https://www.qt.io
 %define base_name libqt5
-%define real_version 5.15.15
-%define so_version 5.15.15
+%define real_version 5.15.17
+%define so_version 5.15.17
 %define tar_version qtbase-everywhere-src-%{version}
 Source:         %{tar_version}.tar.xz
 # to get mtime of file:
@@ -63,6 +63,7 @@ Patch12:        0001-Add-remote-print-queue-support.patch
 Patch21:        0001-Don-t-white-list-recent-Mesa-versions-for-multithrea.patch
 Patch24:        fix-fixqt4headers.patch
 # patches 1000-2000 and above from upstream 5.15 branch #
+Patch1000:      CVE-2025-5455.patch
 # patches 2000-3000 and above from upstream qt6/dev branch #
 # Not accepted yet, https://codereview.qt-project.org/c/qt/qtbase/+/255384
 Patch2001:      0002-Synthesize-Enter-LeaveEvent-for-accepted-QTabletEven.patch

qtbase-everywhere-src-5.15.15+kde127.obscpio

@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:f2f1be44243c80d87012e0c788c80746238b9ffe7d91b0169ef38e9c1ec7aa9d
-size 297472014

qtbase-everywhere-src.obsinfo

@@ -1,4 +1,4 @@
 name: qtbase-everywhere-src
-version: 5.15.15+kde127
-mtime: 1725029112
-commit: ab13e81917207959785ad0185a3a9974e552a7f5
+version: 5.15.17+kde122
+mtime: 1747901492
+commit: 128a1d2861ca5693e43e8b79fbd4278dcd451fbc