forked from pool/libqt5-qtbase

6 Commits

Author SHA256 Message Date
1fddbbe345 Accepting request 1283610 from KDE:Qt:5.15
- Add patch (CVE-2025-5455, boo#1243958)
  * CVE-2025-5455.patch

OBS-URL: https://build.opensuse.org/request/show/1283610
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libqt5-qtbase?expand=0&rev=159
2025-06-10 06:59:26 +00:00
Christophe Marin
5fcca798a5 Add CVE-2025-5455 fix
OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtbase?expand=0&rev=71
2025-06-06 10:58:32 +00:00
aaf39688f4 Accepting request 1280901 from KDE:Qt:5.15
Qt 5.15.17, try #2 (forwarded request 1280892 from favogt)

OBS-URL: https://build.opensuse.org/request/show/1280901
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libqt5-qtbase?expand=0&rev=158
2025-05-30 12:20:45 +00:00
Christophe Marin
c3f3801059 Qt 5.15.17, try #2
OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtbase?expand=0&rev=70
2025-05-28 13:54:46 +00:00
d64e93faa8 Accepting request 1226593 from KDE:Qt:5.15
Qt 5.15.16, untested. Try #2. (forwarded request 1226586 from favogt)

OBS-URL: https://build.opensuse.org/request/show/1226593
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libqt5-qtbase?expand=0&rev=157
2024-11-27 21:05:25 +00:00
Christophe Marin
c6623b0959 Qt 5.15.16, untested. Try #2.
OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtbase?expand=0&rev=69
2024-11-26 16:48:05 +00:00
8 changed files with 158 additions and 12 deletions

CVE-2025-5455.patch Normal file

@@ -0,0 +1,26 @@
An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code.
This has been assigned the CVE id CVE-2025-5455.
https://www.qt.io/blog/security-advisory-recently-discovered-issue-in-qdecodedataurl-in-qtcore-impacts-qt
--
diff --git a/src/corelib/io/qdataurl.cpp b/src/corelib/io/qdataurl.cpp
index f14d399301f..83e59e3ac00 100644
--- a/src/corelib/io/qdataurl.cpp
+++ b/src/corelib/io/qdataurl.cpp
@@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray
}
if (data.toLower().startsWith("charset")) {
- int i = 7; // strlen("charset")
- while (data.at(i) == ' ')
- ++i;
- if (data.at(i) == '=')
+ int prefixSize = 7; // strlen("charset")
+ QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize);
+ while (copy.startsWith(QLatin1String(" ")))
+ copy = copy.mid(1);
+ if (copy.startsWith(QLatin1String("=")))
data.prepend("text/plain;");
}
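Review bot: The `QLatin1String copy(...)` introduced in the `charset` branch is a non-owning view into `data`'s buffer, not a copy, and the statement right after it, `data.prepend("text/plain;")`, can reallocate that buffer. Nothing reads `copy` after the prepend, so the hunk is correct as written, but the name invites a later use of a stale view; rename it (for example `rest`) or add a comment saying it must not be used after `data` is modified. The bounded view does close the problem in the removed lines, where `data.at(i)` was indexed with no check against `data.size()` when only spaces, or nothing at all, follow `charset`. A regression test with exactly those inputs would be worth carrying next to the fix, and the patch header should name the upstream commit it was taken from in addition to the advisory URL.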


@@ -1,12 +1,12 @@
<services>
<service name="obs_scm" mode="disabled">
<param name="changesgenerate">enable</param>
<param name="versionformat">5.15.15+kde@TAG_OFFSET@</param>
<param name="versionformat">5.15.17+kde@TAG_OFFSET@</param>
<param name="url">https://invent.kde.org/qt/qt/qtbase.git</param>
<param name="scm">git</param>
<param name="filename">qtbase-everywhere-src</param>
<param name="revision">kde/5.15</param>
<param name="parent-tag">v5.15.15-lts-lgpl</param>
<param name="parent-tag">v5.15.17-lts-lgpl</param>
<param name="changesgenerate">enable</param>
</service>
<service name="set_version" mode="disabled"/>
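Review bot: `<param name="changesgenerate">enable</param>` appears twice in the `obs_scm` service, as its first and its last parameter, both as unchanged context; drop one so the setting has a single definition. Separately, `revision` is still the branch name `kde/5.15`, so the source that gets packaged is fixed by the commit recorded elsewhere in this change (`128a1d2861ca5693e43e8b79fbd4278dcd451fbc`) rather than by this file; check that the `parent-tag` bump to `v5.15.17-lts-lgpl` and that recorded commit come from the same service run.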


@@ -1,4 +1,4 @@
<servicedata>
<service name="tar_scm">
<param name="url">https://invent.kde.org/qt/qt/qtbase.git</param>
<param name="changesrevision">ab13e81917207959785ad0185a3a9974e552a7f5</param></service></servicedata>
<param name="changesrevision">128a1d2861ca5693e43e8b79fbd4278dcd451fbc</param></service></servicedata>


@@ -1,3 +1,122 @@
-------------------------------------------------------------------
Fri Jun 6 10:57:45 UTC 2025 - Christophe Marin <christophe@krop.fr>
- Add patch (CVE-2025-5455, boo#1243958)
* CVE-2025-5455.patch
-------------------------------------------------------------------
Wed May 28 08:27:35 UTC 2025 - Fabian Vogt <fabian@ritter-vogt.de>
- Update to version 5.15.17+kde122, rebased upstream:
* QFileSystemEngine/Win: Use GetTempPath2 when available
* XML/QDom: speedup encodeText()
* Update Harfbuzz to 8.4.0
* SQLite: Update SQLite to v3.45.3
* Avoid detection of heading in tst_QTextMarkdownImporter::thematicBreaks
* Update md4c to 0.5.2
* xcb: Avoid recreating xcb window in QXcbWindow::requestActivateWindow()
* QMetaMethod: document that fromSignal(nullptr) is ok
* PCRE2: upgrade to 10.43
* SQLite: Update SQLite to v3.45.2
* Update bundled libpng to version 1.6.43
* androiddeployqt: fix QDirIterator::next() usage
* SQLite: Update SQLite to v3.45.1
* QDBusUtil: document the D-Bus signature grammar
* Windows: clean up System Tray Icon message icon
* Windows 7: blacklist tests that fail from low screen resolution
* Update bundled libjpeg-turbo to version 3.0.2
* QXcbWindow::handleLeaveNotifyEvent(): Consume when leaving geometry
* [docs] Fix C'n'P error in QTRY_VERIFY2 example
* tst_bench_QImageReader: add a benchmark for raw QFatoryLoader operations
* Update bundled libpng to version 1.6.42
* Update bundled libpng to version 1.6.41
* Fix license header for update_public_suffix_list.sh
* PSL: add changelog entry to the suggested commit message
* windows: Avoid infinite recursion with certain fonts
* SQLite: Update SQLite to v3.45.0
* Update Zlib to 1.3.1
* [docs] QVersionNumber: fix a typo
* QTextEngine: also round x-offset for non-subpixel text render
* tst_moc: DRY QProcess success verification
* [docs] Remove references to C++11 feature availability
* Doc: Replace 'saveFile' with 'saveFileContent'
* QObject: Make it clear we don't install duplicated event filters
* Rename QImageReader benchmark to tst_bench_
* tst_QString: explain TransientDefaultLocale better
* SQLite: Update SQLite to v3.44.2
* Fix Japan locale not showing japanese fonts correctly
* Bump supported macOS SDK version to version 14
* SQLite: Update SQLite to v3.44.1
* Bump version to 5.15.17
* [doc] QBENCHMARK_ONCE: fix typos
* xcb: update WM_TRANSIENT_FOR on transientParent native window recreation
* xcb: make QXcbWindow inherit QObject
* Upgrade to Harfbuzz 8.3.0
* QStringList: improve benchmark code
* Fix compilation with MSVC 17.8
* SQLite: Update SQLite to v3.44.0
* tst_QMetaEnum: add round-trip testing to valueToKeys()
-------------------------------------------------------------------
Mon Nov 25 15:32:55 UTC 2024 - Fabian Vogt <fabian@ritter-vogt.de>
- Update to version 5.15.16+kde130, rebased upstream:
* xcb: Sync XCB connection after reparenting window
* xcb: check validity of RandR output info before using it
* QDuplicateTracker: fix redundant ;
* qxmlstreamparser_p.h: fix -Wshadow in parse()
* Fix -Wdouble-promotion in FP overload of convertDoubleTo()
* Protect headers against min/max macros
* Add __attribute__((format(printf()))) to q(v)nprintf()
* qsavefile_p.h: fix missing qsavefile.h include
* qendian_p.h: fix -Wshadow warning
* qtextstream_p.h: fix -Wshadow in QDeviceClosedNotifier
* QFutureInterface: fix build with GCC14/C++20: template-id not allowed
* qfuturewatcher_p.h: fix missing qfuturewatcher.h include
* qhttpmultipart_p.h: add missing qiodevice.h include
* Fix crash in font distancefield computation
* Avoid crash in font distancefield computation
* Revert "Update Harfbuzz to 7.2.0"
* Revert "Update Harfbuzz to 7.2.0"
* Fix WinRT/ARM build
* Update Harfbuzz to version 8.2.2
* Upgrade Harfbuzz to version 8.2.0
* Update bundled libjpeg-turbo to version 3.0.1
* SQLite: Update SQLite to v3.43.2
* Add a script for updating from publicsuffix/list.git
* Fix undefined symbol qt_version_tag with lld(16.0) for non core lib
* QInputMethod: check if focusobject supports the "new" IM function before calling it
* Un-deprecate qSwap()
* Doc: state that models are not thread-safe
* Fix android build error
* xcb: replace a warning with debug info
* qurl-generateTLDs: filter empty and comment lines
* qurltlds_p.h: support easier automatic updates
* SQLite: Update SQLite to v3.43.1
* Upgrade to Freetype 2.13.2
* Fix crash when reading corrupt font data (CVE-2023-43114)
* qmake: Don't error out if QMAKE_DEFAULT_LIBDIRS is empty on macOS
* qxkbcommon: Keep lower case as Qt key when upper case is not in Latin1
* Doc: Fix documented default for QCalendarWidget maximumDate, minimumDate
* QDataStream: clarify QDataStream::operator>>(char *&s) API docs
* doc: Remove QSettings' paths for embedded linux
* Update bundled zlib to version 1.3
* tst_QDtls: use DTLS v 1.0 test data conditionally
* Bump version to 5.15.16
* Android: fix handling of tree content uri with sub-document
* QTextFormat: documentation fix
* SQLite: Update SQLite to v3.43.0
* tst_QSslSocket: skip tests requiring TLS v 1.0 downgrade
* Update to Harfbuzz 8.1.1
* Update version of FreeType attribution
* tst_QHashFunctions: use actual seed in consistent() test function
* Android: fix content URI handling for non-ascii file names
* Upgrade Harfbuzz to 7.3.0
* Update download location for Harfbuzz as well
- Commits dropped by the rebase:
* Add missing line continuations for memory_resource opt-out on Apple systems
* Fix CVE-2023-43114
-------------------------------------------------------------------
Wed Sep 4 20:01:55 UTC 2024 - Fabian Vogt <fabian@ritter-vogt.de>
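Review bot: In the 5.15.16 entry, "Fix CVE-2023-43114" is listed under "Commits dropped by the rebase" with no explanation. The same entry's upstream list contains "Fix crash when reading corrupt font data (CVE-2023-43114)", which appears to carry the same fix, so annotate the dropped line (for example "now upstream") to keep anyone auditing CVE coverage from reading it as a removed fix.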


@@ -29,15 +29,15 @@
%bcond_without harfbuzz
Name: libqt5-qtbase
Version: 5.15.15+kde127
Version: 5.15.17+kde122
Release: 0
Summary: C++ Program Library, Core Components
License: LGPL-3.0-only or GPL-3.0-with-Qt-Company-Qt-exception-1.1
Group: System/Libraries
Url: https://www.qt.io
%define base_name libqt5
%define real_version 5.15.15
%define so_version 5.15.15
%define real_version 5.15.17
%define so_version 5.15.17
%define tar_version qtbase-everywhere-src-%{version}
Source: %{tar_version}.tar.xz
# to get mtime of file:
@@ -63,6 +63,7 @@ Patch12: 0001-Add-remote-print-queue-support.patch
Patch21: 0001-Don-t-white-list-recent-Mesa-versions-for-multithrea.patch
Patch24: fix-fixqt4headers.patch
# patches 1000-2000 and above from upstream 5.15 branch #
Patch1000: CVE-2025-5455.patch
# patches 2000-3000 and above from upstream qt6/dev branch #
# Not accepted yet, https://codereview.qt-project.org/c/qt/qtbase/+/255384
Patch2001: 0002-Synthesize-Enter-LeaveEvent-for-accepted-QTabletEven.patch
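Review bot: `Patch1000: CVE-2025-5455.patch` is filed under "patches 1000-2000 and above from upstream 5.15 branch", but neither this line nor the patch header identifies an upstream commit. The neighbouring `Patch2001` shows the pattern to follow, with a comment line giving its status and code-review URL; add a comment above `Patch1000` with the CVE id, boo#1243958 and the upstream reference. The hunk shows only the declaration, so also confirm that the patch is actually applied in %prep.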


@@ -1,3 +0,0 @@
version https://git-lfs.github.com/spec/v1
oid sha256:f2f1be44243c80d87012e0c788c80746238b9ffe7d91b0169ef38e9c1ec7aa9d
size 297472014

BIN
qtbase-everywhere-src-5.15.17+kde122.obscpio (Stored with Git LFS) Normal file

Binary file not shown.


@@ -1,4 +1,4 @@
name: qtbase-everywhere-src
version: 5.15.15+kde127
mtime: 1725029112
commit: ab13e81917207959785ad0185a3a9974e552a7f5
version: 5.15.17+kde122
mtime: 1747901492
commit: 128a1d2861ca5693e43e8b79fbd4278dcd451fbc