dev-qt/qtbase: add patch for CVE-2023-33285

https://lists.qt-project.org/pipermail/development/2023-June/043989.html

Signed-off-by: Jimi Huotari <chiitoo@gentoo.org>

2 files changed, 294 insertions, 0 deletions

diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch
new file mode 100644
index 000000000000..c982cce36e9e
--- /dev/null
+++ b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch
@@ -0,0 +1,101 @@
+From a2dc11b37fd71f785c342c40549f54edfdd1a6f8 Mon Sep 17 00:00:00 2001
+From: Thiago Macieira <thiago.macieira@intel.com>
+Date: Thu, 11 May 2023 21:40:15 -0700
+Subject: [PATCH] QDnsLookup/Unix: make sure we don't overflow the buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+The DNS Records are variable length and encode their size in 16 bits
+before the Record Data (RDATA). Ensure that both the RDATA and the
+Record header fields before it fall inside the buffer we have.
+
+Additionally reject any replies containing more than one query records.
+
+[ChangeLog][QtNetwork][QDnsLookup] Fixed a bug that could cause a buffer
+overflow in Unix systems while parsing corrupt, malicious, or truncated
+replies.
+
+Pick-to: 5.15 6.2 6.5.1
+Change-Id: I3e3bfef633af4130a03afffd175e4b9547654b95
+Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
+Reviewed-by: Jani Heikkinen <jani.heikkinen@qt.io>
+(cherry picked from commit 7dba2c87619d558a61a30eb30cc1d9c3fe6df94c)
+Reviewed-by: Daniel Smith <Daniel.Smith@qt.io>
+---
+ src/network/kernel/qdnslookup_unix.cpp | 31 +++++++++++++++++++++++++------
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
+index 8db79028f775..ad7bb51f67a5 100644
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+     // responseLength in case of error, we still can extract the
+     // exact error code from the response.
+     HEADER *header = (HEADER*)response;
+-    const int answerCount = ntohs(header->ancount);
+     switch (header->rcode) {
+     case NOERROR:
+         break;
+@@ -227,18 +226,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         return;
+     }
+ 
+-    // Skip the query host, type (2 bytes) and class (2 bytes).
+     char host[PACKETSZ], answer[PACKETSZ];
+     unsigned char *p = response + sizeof(HEADER);
+-    int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+-    if (status < 0) {
++    int status;
++
++    if (ntohs(header->qdcount) == 1) {
++        // Skip the query host, type (2 bytes) and class (2 bytes).
++        status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
++        if (status < 0) {
++            reply->error = QDnsLookup::InvalidReplyError;
++            reply->errorString = tr("Could not expand domain name");
++            return;
++        }
++        if ((p - response) + status + 4 >= responseLength)
++            header->qdcount = 0xffff;   // invalid reply below
++        else
++            p += status + 4;
++    }
++    if (ntohs(header->qdcount) > 1) {
+         reply->error = QDnsLookup::InvalidReplyError;
+-        reply->errorString = tr("Could not expand domain name");
++        reply->errorString = tr("Invalid reply received");
+         return;
+     }
+-    p += status + 4;
+ 
+     // Extract results.
++    const int answerCount = ntohs(header->ancount);
+     int answerIndex = 0;
+     while ((p < response + responseLength) && (answerIndex < answerCount)) {
+         status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+@@ -250,6 +262,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         const QString name = QUrl::fromAce(host);
+ 
+         p += status;
++
++        if ((p - response) + 10 > responseLength) {
++            // probably just a truncated reply, return what we have
++            return;
++        }
+         const quint16 type = (p[0] << 8) | p[1];
+         p += 2; // RR type
+         p += 2; // RR class
+@@ -257,6 +274,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         p += 4;
+         const quint16 size = (p[0] << 8) | p[1];
+         p += 2;
++        if ((p - response) + size > responseLength)
++            return;             // truncated
+ 
+         if (type == QDnsLookup::A) {
+             if (size != 4) {
+-- 
+2.16.3
+
diff --git a/dev-qt/qtbase/qtbase-6.5.0-r3.ebuild b/dev-qt/qtbase/qtbase-6.5.0-r3.ebuild
new file mode 100644
index 000000000000..c0afe61d6725
--- /dev/null
+++ b/dev-qt/qtbase/qtbase-6.5.0-r3.ebuild
@@ -0,0 +1,193 @@
+# Copyright 2021-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit qt6-build
+
+DESCRIPTION="Cross-platform application development framework"
+
+if [[ ${QT6_BUILD_TYPE} == release ]]; then
+	KEYWORDS="~amd64"
+fi
+
+# Qt Modules
+IUSE="+concurrent +dbus +gui +network +sql opengl +widgets +xml zstd"
+REQUIRED_USE="
+	opengl? ( gui )
+	widgets? ( gui )
+	X? ( || ( evdev libinput ) )
+"
+
+QTGUI_IUSE="accessibility egl eglfs evdev gles2-only +jpeg +libinput tslib tuio vulkan +X"
+QTNETWORK_IUSE="brotli gssapi libproxy sctp +ssl vnc"
+QTSQL_IUSE="freetds mysql oci8 odbc postgres +sqlite"
+IUSE+=" ${QTGUI_IUSE} ${QTNETWORK_IUSE} ${QTSQL_IUSE} cups gtk icu systemd +udev"
+# QtPrintSupport = QtGui + QtWidgets enabled.
+# ibus = xkbcommon + dbus, and xkbcommon needs either libinput or X
+REQUIRED_USE+="
+	$(printf '%s? ( gui ) ' ${QTGUI_IUSE//+/})
+	$(printf '%s? ( network ) ' ${QTNETWORK_IUSE//+/})
+	$(printf '%s? ( sql ) ' ${QTSQL_IUSE//+/})
+	accessibility? ( dbus X )
+	cups? ( gui widgets )
+	eglfs? ( egl )
+	gtk? ( widgets )
+	gui? ( || ( eglfs X ) || ( libinput X ) )
+	libinput? ( udev )
+	sql? ( || ( freetds mysql oci8 odbc postgres sqlite ) )
+	vnc? ( gui )
+	X? ( gles2-only? ( egl ) )
+"
+
+# TODO:
+# qtimageformats: mng not done yet, qtimageformats.git upstream commit 9443239c
+# qtnetwork: connman, networkmanager
+DEPEND="
+	app-crypt/libb2
+	dev-libs/double-conversion:=
+	dev-libs/glib:2
+	dev-libs/libpcre2:=[pcre16,unicode]
+	dev-util/gtk-update-icon-cache
+	media-libs/fontconfig
+	>=media-libs/freetype-2.6.1:2
+	>=media-libs/harfbuzz-1.6.0:=
+	media-libs/tiff:=
+	>=sys-apps/dbus-1.4.20
+	sys-libs/zlib:=
+	brotli? ( app-arch/brotli:= )
+	evdev? ( sys-libs/mtdev )
+	freetds? ( dev-db/freetds )
+	gles2-only? ( media-libs/libglvnd )
+	!gles2-only? ( media-libs/libglvnd[X] )
+	gssapi? ( virtual/krb5 )
+	gtk? (
+		x11-libs/gtk+:3
+		x11-libs/libX11
+		x11-libs/pango
+	)
+	gui? ( media-libs/libpng:= )
+	icu? ( dev-libs/icu:= )
+	!icu? ( virtual/libiconv )
+	jpeg? ( media-libs/libjpeg-turbo:= )
+	libinput? (
+		dev-libs/libinput:=
+		>=x11-libs/libxkbcommon-0.5.0
+	)
+	libproxy? ( net-libs/libproxy )
+	mysql? ( dev-db/mysql-connector-c:= )
+	oci8? ( dev-db/oracle-instantclient:=[sdk] )
+	odbc? ( dev-db/unixODBC )
+	postgres? ( dev-db/postgresql:* )
+	sctp? ( kernel_linux? ( net-misc/lksctp-tools ) )
+	sqlite? ( dev-db/sqlite:3 )
+	ssl? ( dev-libs/openssl:= )
+	systemd? ( sys-apps/systemd:= )
+	tslib? ( >=x11-libs/tslib-1.21 )
+	udev? ( virtual/libudev:= )
+	vulkan? ( dev-util/vulkan-headers )
+	X? (
+		x11-libs/libdrm
+		x11-libs/libICE
+		x11-libs/libSM
+		x11-libs/libX11
+		>=x11-libs/libxcb-1.12:=
+		>=x11-libs/libxkbcommon-0.5.0[X]
+		x11-libs/xcb-util-cursor
+		x11-libs/xcb-util-image
+		x11-libs/xcb-util-keysyms
+		x11-libs/xcb-util-renderutil
+		x11-libs/xcb-util-wm
+	)
+	zstd? ( app-arch/zstd:= )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-6.5.0-setActiveWindow-deprecated-version.patch"
+	"${FILESDIR}/${PN}-6.5.0-CVE-2023-32762.patch"
+	"${FILESDIR}/${PN}-6.5.0-CVE-2023-33285.patch"
+)
+
+src_configure() {
+	local mycmakeargs=(
+		-DINSTALL_ARCHDATADIR=${QT6_ARCHDATADIR}
+		-DINSTALL_BINDIR=${QT6_BINDIR}
+		-DINSTALL_DATADIR=${QT6_DATADIR}
+		-DINSTALL_DOCDIR=${QT6_DOCDIR}
+		-DINSTALL_EXAMPLESDIR=${QT6_EXAMPLESDIR}
+		-DINSTALL_INCLUDEDIR=${QT6_HEADERDIR}
+		-DINSTALL_LIBDIR=${QT6_LIBDIR}
+		-DINSTALL_LIBEXECDIR=${QT6_LIBEXECDIR}
+		-DINSTALL_MKSPECSDIR=${QT6_ARCHDATADIR}/mkspecs
+		-DINSTALL_PLUGINSDIR=${QT6_PLUGINDIR}
+		-DINSTALL_QMLDIR=${QT6_QMLDIR}
+		-DINSTALL_SYSCONFDIR=${QT6_SYSCONFDIR}
+		-DINSTALL_TRANSLATIONSDIR=${QT6_TRANSLATIONDIR}
+		-DQT_FEATURE_androiddeployqt=OFF
+		$(qt_feature concurrent)
+		$(qt_feature dbus)
+		$(qt_feature gui)
+		$(qt_feature gui testlib)
+		$(qt_feature icu)
+		$(qt_feature network)
+		$(qt_feature sql)
+		$(qt_feature systemd journald)
+		$(qt_feature udev libudev)
+		$(qt_feature xml)
+		$(qt_feature zstd)
+	)
+	use gui && mycmakeargs+=(
+		$(qt_feature accessibility accessibility_atspi_bridge)
+		$(qt_feature egl)
+		$(qt_feature egl xcb_egl_plugin)
+		$(qt_feature eglfs eglfs_egldevice)
+		$(qt_feature eglfs eglfs_gbm)
+		$(qt_feature evdev)
+		$(qt_feature evdev mtdev)
+		-DQT_FEATURE_gif=ON
+		$(qt_feature jpeg)
+		$(qt_feature opengl)
+		$(qt_feature gles2-only opengles2)
+		$(qt_feature libinput)
+		$(qt_feature tslib)
+		$(qt_feature tuio tuiotouch)
+		$(qt_feature vulkan)
+		$(qt_feature widgets)
+		$(qt_feature X xcb)
+		$(qt_feature X xcb_xlib)
+	)
+	use widgets && mycmakeargs+=(
+		$(qt_feature cups)
+		$(qt_feature gtk gtk3)
+	)
+	if use libinput || use X; then
+		mycmakeargs+=( -DQT_FEATURE_xkbcommon=ON )
+	fi
+	use network && mycmakeargs+=(
+		$(qt_feature brotli)
+		$(qt_feature gssapi)
+		$(qt_feature libproxy)
+		$(qt_feature sctp)
+		$(qt_feature ssl openssl)
+		$(qt_feature vnc)
+	)
+	use sql && mycmakeargs+=(
+		$(qt_feature freetds sql_tds)
+		$(qt_feature mysql sql_mysql)
+		$(qt_feature oci8 sql_oci)
+		$(qt_feature odbc sql_odbc)
+		$(qt_feature postgres sql_psql)
+		$(qt_feature sqlite sql_sqlite)
+		$(qt_feature sqlite system_sqlite)
+	)
+
+	qt6-build_src_configure
+}
+
+src_install() {
+	qt6-build_src_install
+
+	# https://bugs.gentoo.org/863395
+	qt6_symlink_binary_to_path qmake 6
+}