From 2202296583b7b7ea61f3b4dfb25539d0cd8d3774 Mon Sep 17 00:00:00 2001
From: yujingbo
Date: Thu, 16 Oct 2025 09:25:57 +0800
Subject: [PATCH] fix CVE-2025-5683
---
CVE-2025-5683.patch | 43 +++++++++++++++++++++++++++++++++++++++++++
qt5-qtbase.spec | 6 +++++-
2 files changed, 48 insertions(+), 1 deletion(-)
create mode 100644 CVE-2025-5683.patch
diff --git a/CVE-2025-5683.patch b/CVE-2025-5683.patch
new file mode 100644
index 0000000..c82bfcb
--- /dev/null
+++ b/CVE-2025-5683.patch
@@ -0,0 +1,43 @@
+From efd332516f510144927121fa749ce819b82ec633 Mon Sep 17 00:00:00 2001
+From: Samuel Gaist
+Date: Fri, 09 May 2025 17:12:49 +0200
+Subject: [PATCH] Fix validation issue for ICNS image
+
+The header validation logic could trigger an assert when an invalid ICNS
+image was loaded. This patch fixes the validation logic.
+
+Credit to OSS-Fuzz
+
+Fixes: QTBUG-136707
+Pick-to: 6.9 6.8 6.5
+Change-Id: I9571b9fd0b53d07ceee9792c9418472e949eff30
+Reviewed-by: Eirik Aavitsland
+---
+
+diff --git a/src/plugins/imageformats/icns/qicnshandler.cpp b/src/plugins/imageformats/icns/qicnshandler.cpp
+index 6cf74b2..501394d 100644
+--- a/src/plugins/imageformats/icns/qicnshandler.cpp
++++ b/src/plugins/imageformats/icns/qicnshandler.cpp
+@@ -324,8 +324,11 @@
+
+ static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0)
+ {
+- return header.ostype != 0 && (bound == 0
+- || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length);
++ return header.ostype != 0 &&
++ (bound == 0 ||
++ // qBound can be used but requires checking the limits first
++ // this requires less operations
++ (ICNSBlockHeaderSize <= header.length && header.length <= bound));
+ }
+
+ static inline bool isIconCompressed(const ICNSEntry &icon)
+@@ -870,7 +873,7 @@
+ return false;
+
+ const qint64 blockDataOffset = device()->pos();
+- if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) {
++ if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) {
+ qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u",
+ QByteArray::number(blockDataOffset).constData(),
+ nameFromOSType(blockHeader.ostype).constData(), blockHeader.length);
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index 9da3dd2..b273d21 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
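Review bot: The bound handed to `isBlockHeaderValid` in the `scanDevice` hunk of the embedded qicnshandler.cpp patch is still computed with the signed `blockDataOffset` and then converted to the `quint64 bound` parameter, so a negative result would become a very large bound and a result of exactly 0 would take the `bound == 0` "no limit" branch; in either case the file-supplied `header.length` is not range-checked. Whether `filelength` can be smaller than `blockDataOffset - ICNSBlockHeaderSize` is not visible here, because `scanDevice` starts and ends outside the hunk, so this should be confirmed against the 5.11.1 tree the patch is applied to. If it can, compute the bound first and reject it before the call, e.g. `const qint64 remaining = ICNSBlockHeaderSize - blockDataOffset + filelength;` followed by `if (remaining < ICNSBlockHeaderSize || !isBlockHeaderValid(blockHeader, quint64(remaining))) {`. The new comment in `isBlockHeaderValid` would also read better if it stated why qBound was dropped, presumably because it asserts when the upper limit is below the lower one, e.g. `// qBound asserts if bound < ICNSBlockHeaderSize, so compare the limits directly`.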
@@ -13,7 +13,7 @@ Name: qt5-qtbase Summary: Core component of Qt toolkit Version: 5.11.1 -Release: 23 +Release: 24 License: LGPLv2 with exceptions or GPLv3 with exceptions Url: http://qt-project.org/ Source0: https://download.qt.io/new_archive/qt/5.11/%{version}/submodules/qtbase-everywhere-src-%{version}.tar.xz @@ -59,6 +59,7 @@ Patch6014: qtbase5.11.1-CVE-2023-43114.patch Patch6015: qtbase5.11.1-CVE-2023-51714.patch Patch6016: CVE-2023-45935.patch Patch6017: CVE-2025-5455-qtbase-5.15.patch +Patch6018: CVE-2025-5683.patch BuildRequires: pkgconfig(libsystemd) cups-devel desktop-file-utils findutils BuildRequires: libjpeg-devel libmng-devel libtiff-devel pkgconfig(alsa) @@ -425,6 +426,9 @@ fi %changelog +* Thu Oct 16 2025 yujingbo - 5.11.1-24 +- fix CVE-2025-5683 + * Sat Jun 07 2025 Funda Wang - 5.11.1-23 - fix CVE-2025-5455 -- Gitee