qt511: 5.11.1 -> 5.11.3, qt56 & qt59 security fixes #54986

Merged
merged 4 commits into from
Feb 3, 2019

@andir andir commented Jan 31, 2019

Motivation for this change

I recently became aware of a few things in various Qt versions that we ship that we should address:

  • CVE-2018-15518, Qt Base: “double free or corruption” in QXmlStreamReader
  • CVE-2018-19873, Qt Base: QBmpHandler segfault on malformed BMP file
  • CVE-2018-19870, Qt Base: Check for QImage allocation failure in qgifhandler
  • CVE-2018-19871, Qt Imageformats: QImage: QTgaFile CPU exhaustion
  • CVE-2018-19865, Qt Virtual Keyboard: Qt Virtual Keyboard logs all key presses
  • CVE-2018-19869, Qt Svg: Fix crash when parsing malformed url reference

More details can be obtained from the Qt announcement [1].

[1] https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates

cc maintainers @qknight @ttuegel @periklis @bkchr

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

CVE-2018-19865 tracks the issue of qtvirtualkeyboard where it logs all
user input. With this commit we are applying the recommended patches
from the upstream project.

More details can be obtained from the Qt announcement [1].

[1] https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/

This adds the "missing" qtvirtualkeyboard module of qt56. I just add
this so I can apply (& test) the patches for a CVE in the next commit.
This might seem strange but in case anyone decided to add / use this in
the future we are on the safe(r) side.

 * CVE-2018-15518, Qt Base: “double free or corruption” in QXmlStreamReader
 * CVE-2018-19873, Qt Base: QBmpHandler segfault on malformed BMP file
 * CVE-2018-19870, Qt Base: Check for QImage allocation failure in qgifhandler
 * CVE-2018-19871, Qt Imageformats: QImage: QTgaFile CPU exhaustion
 * CVE-2018-19865, Qt Virtual Keyboard: Qt Virtual Keyboard logs all key presses
 * CVE-2018-19869, Qt Svg: Fix crash when parsing malformed url reference

More details can be obtained from the Qt announcement [1].

[1] https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/

This fixes

 * CVE-2018-15518, Qt Base: “double free or corruption” in QXmlStreamReader
 * CVE-2018-19873, Qt Base: QBmpHandler segfault on malformed BMP file
 * CVE-2018-19870, Qt Base: Check for QImage allocation failure in qgifhandler
 * CVE-2018-19871, Qt Imageformats: QImage: QTgaFile CPU exhaustion
 * CVE-2018-19865, Qt Virtual Keyboard: Qt Virtual Keyboard logs all key presses
 * CVE-2018-19869, Qt Svg: Fix crash when parsing malformed url reference

More details can be obtained from the Qt announcement [1].

[1] https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/

bkchr commented Jan 31, 2019

@andir probably also needs backporting.


andir commented Jan 31, 2019 via email


andir commented Jan 31, 2019

When rebuilding all the changes only the following two are failing:

Both of them seem to be failing for some time now.

@veprbl veprbl mentioned this pull request Feb 2, 2019
10 tasks
@andir andir merged commit 25a0974 into NixOS:master Feb 3, 2019
@andir andir deleted the qt branch February 3, 2019 15:09
@veprbl veprbl added 8.has: port to stable A PR already has a backport to the stable release. and removed 9.needs: port to stable A PR needs a backport to the stable release. labels Apr 17, 2019