From 5e6bedd3881de14c8958c584be4cb7fac89d1b9b Mon Sep 17 00:00:00 2001 From: yujingbo Date: Thu, 16 Oct 2025 09:38:59 +0800 Subject: [PATCH] fix CVE-2025-5683 --- CVE-2025-5683.patch | 43 +++++++++++++++++++++++++++++++++++++++++++ qt5-qtbase.spec | 6 +++++- 2 files changed, 48 insertions(+), 1 deletion(-) create mode 100644 CVE-2025-5683.patch diff --git a/CVE-2025-5683.patch b/CVE-2025-5683.patch new file mode 100644 index 0000000..c82bfcb --- /dev/null +++ b/CVE-2025-5683.patch @@ -0,0 +1,43 @@ +From efd332516f510144927121fa749ce819b82ec633 Mon Sep 17 00:00:00 2001 +From: Samuel Gaist +Date: Fri, 09 May 2025 17:12:49 +0200 +Subject: [PATCH] Fix validation issue for ICNS image + +The header validation logic could trigger an assert when an invalid ICNS +image was loaded. This patch fixes the validation logic. + +Credit to OSS-Fuzz + +Fixes: QTBUG-136707 +Pick-to: 6.9 6.8 6.5 +Change-Id: I9571b9fd0b53d07ceee9792c9418472e949eff30 +Reviewed-by: Eirik Aavitsland +--- + +diff --git a/src/plugins/imageformats/icns/qicnshandler.cpp b/src/plugins/imageformats/icns/qicnshandler.cpp +index 6cf74b2..501394d 100644 +--- a/src/plugins/imageformats/icns/qicnshandler.cpp ++++ b/src/plugins/imageformats/icns/qicnshandler.cpp +@@ -324,8 +324,11 @@ + + static inline bool isBlockHeaderValid(const ICNSBlockHeader &header, quint64 bound = 0) + { +- return header.ostype != 0 && (bound == 0 +- || qBound(quint64(ICNSBlockHeaderSize), quint64(header.length), bound) == header.length); ++ return header.ostype != 0 && ++ (bound == 0 || ++ // qBound can be used but requires checking the limits first ++ // this requires less operations ++ (ICNSBlockHeaderSize <= header.length && header.length <= bound)); + } + + static inline bool isIconCompressed(const ICNSEntry &icon) +@@ -870,7 +873,7 @@ + return false; + + const qint64 blockDataOffset = device()->pos(); +- if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize + filelength - blockDataOffset)) { ++ if (!isBlockHeaderValid(blockHeader, ICNSBlockHeaderSize - blockDataOffset + filelength)) { + qWarning("QICNSHandler::scanDevice(): Failed, bad header at pos %s. OSType \"%s\", length %u", + QByteArray::number(blockDataOffset).constData(), + nameFromOSType(blockHeader.ostype).constData(), blockHeader.length); diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec index a08ff7f..a9537aa 100644 --- a/qt5-qtbase.spec +++ b/qt5-qtbase.spec @@ -36,7 +36,7 @@ Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.15.10 -Release: 12 +Release: 13 # See LGPL_EXCEPTIONS.txt, for exception details License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0 @@ -138,6 +138,7 @@ Patch0031: CVE-2023-45935.patch Patch0032: add-sw_64-support-for-syscall_fork.patch Patch0033: CVE-2025-30348.patch Patch0034: CVE-2025-5455-qtbase-5.15.patch +Patch0035: CVE-2025-5683.patch # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. # Those themes are there for platform integration. If the required libraries are @@ -1032,6 +1033,9 @@ fi %changelog +* Thu Oct 16 2025 yujingbo - 5.15.10-13 +- fix CVE-2025-5683 + * Sat Jun 07 2025 Funda Wang - 5.15.10-12 - fix CVE-2025-5455 -- Gitee