6 Commits
Author | SHA256 | Date | |
---|---|---|---|
1fddbbe345 | |||
|
5fcca798a5 | ||
aaf39688f4 | |||
|
c3f3801059 | ||
d64e93faa8 | |||
|
c6623b0959 |
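--- /dev/null
+++ b/CVE-2025-5455.patch
@@ -0,0 +1,26 @@
+An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.
+
+This has been assigned the CVE id CVE-2025-5455.
+
+https://www.qt.io/blog/security-advisory-recently-discovered-issue-in-qdecodedataurl-in-qtcore-impacts-qt
+--
+diff --git a/src/corelib/io/qdataurl.cpp b/src/corelib/io/qdataurl.cpp
+index f14d399301f..83e59e3ac00 100644
+--- a/src/corelib/io/qdataurl.cpp
++++ b/src/corelib/io/qdataurl.cpp
+@@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray
+}
+
+if (data.toLower().startsWith("charset")) {
+- int i = 7; // strlen("charset")
+- while (data.at(i) == ' ')
+- ++i;
+- if (data.at(i) == '=')
++ int prefixSize = 7; // strlen("charset")
++ QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize);
++ while (copy.startsWith(QLatin1String(" ")))
++ copy = copy.mid(1);
++ if (copy.startsWith(QLatin1String("=")))
+data.prepend("text/plain;");
+}
+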
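Review bot: No regression test accompanies the bounds fix in the `charset` branch of qDecodeDataUrl(); the inputs that matter are a media-type part that ends right after `charset`, or after `charset` plus spaces, with no `=`. The removed loop indexed `data.at(i)` without ever comparing `i` to `data.size()`, whereas the new `copy.startsWith(...)` calls are length-checked, so a case in the data-URL autotest asserting that both inputs decode without the `text/plain;` prepend would pin that behaviour. A one-line comment above the view, e.g. `// bounded view: data may end right after "charset"`, would record why the index walk was dropped. The patch header cites the advisory but not the upstream commit the hunk was taken from, which makes the backport harder to verify against upstream. qDecodeDataUrl()'s body starts and ends outside the hunk.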
4
_service
4
_service
@@ -1,12 +1,12 @@
|
||||
<services>
|
||||
<service name="obs_scm" mode="disabled">
|
||||
<param name="changesgenerate">enable</param>
|
||||
<param name="versionformat">5.15.15+kde@TAG_OFFSET@</param>
|
||||
<param name="versionformat">5.15.17+kde@TAG_OFFSET@</param>
|
||||
<param name="url">https://invent.kde.org/qt/qt/qtbase.git</param>
|
||||
<param name="scm">git</param>
|
||||
<param name="filename">qtbase-everywhere-src</param>
|
||||
<param name="revision">kde/5.15</param>
|
||||
<param name="parent-tag">v5.15.15-lts-lgpl</param>
|
||||
<param name="parent-tag">v5.15.17-lts-lgpl</param>
|
||||
<param name="changesgenerate">enable</param>
|
||||
</service>
|
||||
<service name="set_version" mode="disabled"/>
|
||||
|
@@ -1,4 +1,4 @@
|
||||
<servicedata>
|
||||
<service name="tar_scm">
|
||||
<param name="url">https://invent.kde.org/qt/qt/qtbase.git</param>
|
||||
<param name="changesrevision">ab13e81917207959785ad0185a3a9974e552a7f5</param></service></servicedata>
|
||||
<param name="changesrevision">128a1d2861ca5693e43e8b79fbd4278dcd451fbc</param></service></servicedata>
|
@@ -1,3 +1,122 @@
|
||||
-------------------------------------------------------------------
|
||||
Fri Jun 6 10:57:45 UTC 2025 - Christophe Marin <christophe@krop.fr>
|
||||
|
||||
- Add patch (CVE-2025-5455, boo#1243958)
|
||||
* CVE-2025-5455.patch
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed May 28 08:27:35 UTC 2025 - Fabian Vogt <fabian@ritter-vogt.de>
|
||||
|
||||
- Update to version 5.15.17+kde122, rebased upstream:
|
||||
* QFileSystemEngine/Win: Use GetTempPath2 when available
|
||||
* XML/QDom: speedup encodeText()
|
||||
* Update Harfbuzz to 8.4.0
|
||||
* SQLite: Update SQLite to v3.45.3
|
||||
* Avoid detection of heading in tst_QTextMarkdownImporter::thematicBreaks
|
||||
* Update md4c to 0.5.2
|
||||
* xcb: Avoid recreating xcb window in QXcbWindow::requestActivateWindow()
|
||||
* QMetaMethod: document that fromSignal(nullptr) is ok
|
||||
* PCRE2: upgrade to 10.43
|
||||
* SQLite: Update SQLite to v3.45.2
|
||||
* Update bundled libpng to version 1.6.43
|
||||
* androiddeployqt: fix QDirIterator::next() usage
|
||||
* SQLite: Update SQLite to v3.45.1
|
||||
* QDBusUtil: document the D-Bus signature grammar
|
||||
* Windows: clean up System Tray Icon message icon
|
||||
* Windows 7: blacklist tests that fail from low screen resolution
|
||||
* Update bundled libjpeg-turbo to version 3.0.2
|
||||
* QXcbWindow::handleLeaveNotifyEvent(): Consume when leaving geometry
|
||||
* [docs] Fix C'n'P error in QTRY_VERIFY2 example
|
||||
* tst_bench_QImageReader: add a benchmark for raw QFatoryLoader operations
|
||||
* Update bundled libpng to version 1.6.42
|
||||
* Update bundled libpng to version 1.6.41
|
||||
* Fix license header for update_public_suffix_list.sh
|
||||
* PSL: add changelog entry to the suggested commit message
|
||||
* windows: Avoid infinite recursion with certain fonts
|
||||
* SQLite: Update SQLite to v3.45.0
|
||||
* Update Zlib to 1.3.1
|
||||
* [docs] QVersionNumber: fix a typo
|
||||
* QTextEngine: also round x-offset for non-subpixel text render
|
||||
* tst_moc: DRY QProcess success verification
|
||||
* [docs] Remove references to C++11 feature availability
|
||||
* Doc: Replace 'saveFile' with 'saveFileContent'
|
||||
* QObject: Make it clear we don't install duplicated event filters
|
||||
* Rename QImageReader benchmark to tst_bench_
|
||||
* tst_QString: explain TransientDefaultLocale better
|
||||
* SQLite: Update SQLite to v3.44.2
|
||||
* Fix Japan locale not showing japanese fonts correctly
|
||||
* Bump supported macOS SDK version to version 14
|
||||
* SQLite: Update SQLite to v3.44.1
|
||||
* Bump version to 5.15.17
|
||||
* [doc] QBENCHMARK_ONCE: fix typos
|
||||
* xcb: update WM_TRANSIENT_FOR on transientParent native window recreation
|
||||
* xcb: make QXcbWindow inherit QObject
|
||||
* Upgrade to Harfbuzz 8.3.0
|
||||
* QStringList: improve benchmark code
|
||||
* Fix compilation with MSVC 17.8
|
||||
* SQLite: Update SQLite to v3.44.0
|
||||
* tst_QMetaEnum: add round-trip testing to valueToKeys()
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Mon Nov 25 15:32:55 UTC 2024 - Fabian Vogt <fabian@ritter-vogt.de>
|
||||
|
||||
- Update to version 5.15.16+kde130, rebased upstream:
|
||||
* xcb: Sync XCB connection after reparenting window
|
||||
* xcb: check validity of RandR output info before using it
|
||||
* QDuplicateTracker: fix redundant ;
|
||||
* qxmlstreamparser_p.h: fix -Wshadow in parse()
|
||||
* Fix -Wdouble-promotion in FP overload of convertDoubleTo()
|
||||
* Protect headers against min/max macros
|
||||
* Add __attribute__((format(printf()))) to q(v)nprintf()
|
||||
* qsavefile_p.h: fix missing qsavefile.h include
|
||||
* qendian_p.h: fix -Wshadow warning
|
||||
* qtextstream_p.h: fix -Wshadow in QDeviceClosedNotifier
|
||||
* QFutureInterface: fix build with GCC14/C++20: template-id not allowed
|
||||
* qfuturewatcher_p.h: fix missing qfuturewatcher.h include
|
||||
* qhttpmultipart_p.h: add missing qiodevice.h include
|
||||
* Fix crash in font distancefield computation
|
||||
* Avoid crash in font distancefield computation
|
||||
* Revert "Update Harfbuzz to 7.2.0"
|
||||
* Revert "Update Harfbuzz to 7.2.0"
|
||||
* Fix WinRT/ARM build
|
||||
* Update Harfbuzz to version 8.2.2
|
||||
* Upgrade Harfbuzz to version 8.2.0
|
||||
* Update bundled libjpeg-turbo to version 3.0.1
|
||||
* SQLite: Update SQLite to v3.43.2
|
||||
* Add a script for updating from publicsuffix/list.git
|
||||
* Fix undefined symbol qt_version_tag with lld(16.0) for non core lib
|
||||
* QInputMethod: check if focusobject supports the "new" IM function before calling it
|
||||
* Un-deprecate qSwap()
|
||||
* Doc: state that models are not thread-safe
|
||||
* Fix android build error
|
||||
* xcb: replace a warning with debug info
|
||||
* qurl-generateTLDs: filter empty and comment lines
|
||||
* qurltlds_p.h: support easier automatic updates
|
||||
* SQLite: Update SQLite to v3.43.1
|
||||
* Upgrade to Freetype 2.13.2
|
||||
* Fix crash when reading corrupt font data (CVE-2023-43114)
|
||||
* qmake: Don't error out if QMAKE_DEFAULT_LIBDIRS is empty on macOS
|
||||
* qxkbcommon: Keep lower case as Qt key when upper case is not in Latin1
|
||||
* Doc: Fix documented default for QCalendarWidget maximumDate, minimumDate
|
||||
* QDataStream: clarify QDataStream::operator>>(char *&s) API docs
|
||||
* doc: Remove QSettings' paths for embedded linux
|
||||
* Update bundled zlib to version 1.3
|
||||
* tst_QDtls: use DTLS v 1.0 test data conditionally
|
||||
* Bump version to 5.15.16
|
||||
* Android: fix handling of tree content uri with sub-document
|
||||
* QTextFormat: documentation fix
|
||||
* SQLite: Update SQLite to v3.43.0
|
||||
* tst_QSslSocket: skip tests requiring TLS v 1.0 downgrade
|
||||
* Update to Harfbuzz 8.1.1
|
||||
* Update version of FreeType attribution
|
||||
* tst_QHashFunctions: use actual seed in consistent() test function
|
||||
* Android: fix content URI handling for non-ascii file names
|
||||
* Upgrade Harfbuzz to 7.3.0
|
||||
* Update download location for Harfbuzz as well
|
||||
- Commits dropped by the rebase:
|
||||
* Add missing line continuations for memory_resource opt-out on Apple systems
|
||||
* Fix CVE-2023-43114
|
||||
|
||||
-------------------------------------------------------------------
|
||||
Wed Sep 4 20:01:55 UTC 2024 - Fabian Vogt <fabian@ritter-vogt.de>
|
||||
|
||||
|
@@ -29,15 +29,15 @@
|
||||
%bcond_without harfbuzz
|
||||
|
||||
Name: libqt5-qtbase
|
||||
Version: 5.15.15+kde127
|
||||
Version: 5.15.17+kde122
|
||||
Release: 0
|
||||
Summary: C++ Program Library, Core Components
|
||||
License: LGPL-3.0-only or GPL-3.0-with-Qt-Company-Qt-exception-1.1
|
||||
Group: System/Libraries
|
||||
Url: https://www.qt.io
|
||||
%define base_name libqt5
|
||||
%define real_version 5.15.15
|
||||
%define so_version 5.15.15
|
||||
%define real_version 5.15.17
|
||||
%define so_version 5.15.17
|
||||
%define tar_version qtbase-everywhere-src-%{version}
|
||||
Source: %{tar_version}.tar.xz
|
||||
# to get mtime of file:
|
||||
@@ -63,6 +63,7 @@ Patch12: 0001-Add-remote-print-queue-support.patch
|
||||
Patch21: 0001-Don-t-white-list-recent-Mesa-versions-for-multithrea.patch
|
||||
Patch24: fix-fixqt4headers.patch
|
||||
# patches 1000-2000 and above from upstream 5.15 branch #
|
||||
Patch1000: CVE-2025-5455.patch
|
||||
# patches 2000-3000 and above from upstream qt6/dev branch #
|
||||
# Not accepted yet, https://codereview.qt-project.org/c/qt/qtbase/+/255384
|
||||
Patch2001: 0002-Synthesize-Enter-LeaveEvent-for-accepted-QTabletEven.patch
|
||||
|
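Review bot: `Patch1000: CVE-2025-5455.patch` is declared in the second hunk, but neither visible hunk of the spec shows it being applied in `%prep`. If the spec applies patches through `%autosetup -p1` this is automatic; if it lists them one by one, the security fix needs its own line (`%patch -P 1000 -p1`) or it never reaches the build. The `%prep` section lies outside both hunks, so this is a check to make against the full file rather than a confirmed gap. A trailing comment on the declaration, e.g. `# CVE-2025-5455, boo#1243958`, would tie the patch to its tracker entry the way the changelog does.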
@@ -1,3 +0,0 @@
|
||||
version https://git-lfs.github.com/spec/v1
|
||||
oid sha256:f2f1be44243c80d87012e0c788c80746238b9ffe7d91b0169ef38e9c1ec7aa9d
|
||||
size 297472014
|
BIN
qtbase-everywhere-src-5.15.17+kde122.obscpio
(Stored with Git LFS)
Normal file
BIN
qtbase-everywhere-src-5.15.17+kde122.obscpio
(Stored with Git LFS)
Normal file
Binary file not shown.
@@ -1,4 +1,4 @@
|
||||
name: qtbase-everywhere-src
|
||||
version: 5.15.15+kde127
|
||||
mtime: 1725029112
|
||||
commit: ab13e81917207959785ad0185a3a9974e552a7f5
|
||||
version: 5.15.17+kde122
|
||||
mtime: 1747901492
|
||||
commit: 128a1d2861ca5693e43e8b79fbd4278dcd451fbc
|
||||
|