[18.09] qt511: 5.11.1 -> 5.11.3, qt56 & qt59 security fixes #55089

Merged
merged 7 commits into from Feb 16, 2019

andir
Member

@andir andir commented Feb 2, 2019

Motivation for this change

Backport of #54986

I recently became aware of a few things in various Qt versions that we ship that we should address:

CVE-2018-15518, Qt Base: “double free or corruption” in QXmlStreamReader
CVE-2018-19873, Qt Base: QBmpHandler segfault on malformed BMP file
CVE-2018-19870, Qt Base: Check for QImage allocation failure in qgifhandler
CVE-2018-19871, Qt Imageformats: QImage: QTgaFile CPU exhaustion
CVE-2018-19865, Qt Virtual Keyboard: Qt Virtual Keyboard logs all key presses
CVE-2018-19869, Qt Svg: Fix crash when parsing malformed url reference

More details can be obtained from the Qt announcement [1].

[1] blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates

cc maintainers @qknight @ttuegel @periklis @bkchr

Things done
  • Tested using sandboxing (nix.useSandbox on NixOS, or option sandbox in nix.conf on non-NixOS)
  • Built on platform(s)
    • NixOS
    • macOS
    • other Linux distributions
  • Tested via one or more NixOS test(s) if existing and applicable for the change (look inside nixos/tests)
  • Tested compilation of all pkgs that depend on this change using nix-shell -p nox --run "nox-review wip"
  • Tested execution of all binary files (usually in ./result/bin/)
  • Determined the impact on package closure size (by running nix path-info -S before and after)
  • Assured whether relevant documentation is up to date
  • Fits CONTRIBUTING.md.

FlorianFranzen and others added 5 commits January 30, 2019 23:46
(cherry picked from commit 776c962)
CVE-2018-19865 tracks the issue of qtvirtualkeyboard where it logs all
user input. With this commit we are applying the recommended patches
from the upstream project.

More details can be obtained from the Qt announcement [1].

[1] https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/

(cherry picked from commit 6660128)
This adds the "missing" qtvirtualkeyboard module of qt56. I just add
this so I can apply (& test) the patches for a CVE in the next commit.
This might seem strange but in case anyone decided to add / use this in
the future we are on the safe(r) side.

(cherry picked from commit 295a210)
 * CVE-2018-15518, Qt Base: “double free or corruption” in QXmlStreamReader
 * CVE-2018-19873, Qt Base: QBmpHandler segfault on malformed BMP file
 * CVE-2018-19870, Qt Base: Check for QImage allocation failure in qgifhandler
 * CVE-2018-19871, Qt Imageformats: QImage: QTgaFile CPU exhaustion
 * CVE-2018-19865, Qt Virtual Keyboard: Qt Virtual Keyboard logs all key presses
 * CVE-2018-19869, Qt Svg: Fix crash when parsing malformed url reference

More details can be obtained from the Qt announcement [1].

[1] https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/

(cherry picked from commit 066be85)
This fixes

 * CVE-2018-15518, Qt Base: “double free or corruption” in QXmlStreamReader
 * CVE-2018-19873, Qt Base: QBmpHandler segfault on malformed BMP file
 * CVE-2018-19870, Qt Base: Check for QImage allocation failure in qgifhandler
 * CVE-2018-19871, Qt Imageformats: QImage: QTgaFile CPU exhaustion
 * CVE-2018-19865, Qt Virtual Keyboard: Qt Virtual Keyboard logs all key presses
 * CVE-2018-19869, Qt Svg: Fix crash when parsing malformed url reference

More details can be obtained from the Qt announcement [1].

[1] https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/

(cherry picked from commit 2f5d37b)
@veprbl
Member

veprbl commented Feb 2, 2019

Need to pick up fd75bbc as well

The fix is already included in Qt 5.9.7

This reverts commit 0bf153f.

(cherry picked from commit fd75bbc)
@andir
Member Author

andir commented Feb 2, 2019

@veprbl I picked the additional patch, will re-run my recompilation now.

@andir
Member Author

andir commented Feb 3, 2019

@GrahamcOfBorg test plasma5
@GrahamcOfBorg build qt59.full qt56.full qt511.full

@veprbl veprbl mentioned this pull request Feb 4, 2019
10 tasks
@veprbl
Member

veprbl commented Feb 5, 2019

This breaks qt511.qtbase on darwin, also the original PR had broken qt5 on master: https://hydra.nixos.org/job/nixpkgs/trunk/qt5.qtbase.x86_64-darwin

@andir
Member Author

andir commented Feb 5, 2019

@NixOS/darwin-maintainers could any of you have a look at this? I do not own a darwin machine.

@matthewbauer
Member

Yeah I can look at it tonight. Most likely a patch just needs to be bumped.

@andir
Member Author

andir commented Feb 14, 2019

@matthewbauer any news? Did you have time to check why it is failing on darwin?

@matthewbauer
Member

Yeah you should just need to backport 8153104 as well.

Unfortunately we don’t have access to NSWindowStyleMask. These patches
should go away once we switch to a newer SDK.

(cherry picked from commit 8153104)
@vcunat
Member

vcunat commented Feb 16, 2019

@GrahamcOfBorg build qt511.qtbase

@vcunat vcunat changed the base branch from release-18.09 to staging-18.09 February 16, 2019 12:50
@vcunat vcunat merged commit 82434e7 into NixOS:staging-18.09 Feb 16, 2019
vcunat added a commit that referenced this pull request Feb 16, 2019
... into staging-18.09.
@vcunat
Member

vcunat commented Feb 25, 2019

Cross-link: #55994

@andir andir deleted the 18.09/qt branch February 25, 2019 20:31