gentoo auto-resync : 02:06:2023 - 21:29:38

3 files changed, 104 insertions, 1 deletions

diff --git a/dev-qt/qtbase/Manifest b/dev-qt/qtbase/Manifest
index 53e539b066e2..29e80d7ee5e6 100644
--- a/dev-qt/qtbase/Manifest
+++ b/dev-qt/qtbase/Manifest
@@ -1,5 +1,6 @@
 AUX qtbase-6.5.0-CVE-2023-32762.patch 2425 BLAKE2B 3a69063ebf4e94debe19eb97747e7fcbae626177ae265d44a4cca5576584192b6d878d65241dbc2c6e791ae8e7163835d274bc3387fe4035901a8d7c9e14470a SHA512 6631f772416fdd1d870fc98377617003d892e100357995b540d9e6abb5fedc9620a69042d8ba64fa72f3c03728a084e04cf8bf6256ba02dde8236060de9bfa79
+AUX qtbase-6.5.0-CVE-2023-33285.patch 4119 BLAKE2B cb1cb7e9a5feebc56e9e6c0707bef0eba45574d2e4a41f46a7735ffcf94c5c3db6c6a9531cb50074466888582e02eb353f48f79e82ed3e60b167f14d63cf059a SHA512 a2e4e75a1cefc83ac3deeac9e55d20bc9dfe79b7fc738863b88320f49d0de4362a8f3e05269e61b3e675b77d7a728254903fdda2ebd19a2b7b93a43e4674cfe4
 AUX qtbase-6.5.0-setActiveWindow-deprecated-version.patch 1237 BLAKE2B 5a0dee47bded6460d4643964b54bcccde2a286b6d8ffe6201781814fe6a19f2ec5d07c91bdda68004cc5a516e74a7437fba4959326d150d93ece9e834756d2ba SHA512 019d88b27295a62087f27c655afced7f59576bcb2faa8c791a303f8254d359fa006f6a2aafd665812c646c535665783cc2b1a0dfa26043407122ef462b260d06
 DIST qtbase-everywhere-src-6.5.0.tar.xz 48020636 BLAKE2B 234000eeb6e1b57a1c7561613bf437453fc2db0d23d5ddd61c38961311a7de5263c086864554aff7a0bc1e5a406af78ef8342eed3c8a5f48b9237912614f380b SHA512 29f70b9a9650afdd8e34703a7a8191feab4c3a25d0bc3a41010ea842389335b24e2685721fdb4a03653475ebd9bf8a8e4f4a77bf5d64b1289590b5ca0e4623f3
-EBUILD qtbase-6.5.0-r2.ebuild 5093 BLAKE2B 236c60ab4f4bf61adfc6f40ce1886f97d81cd498e663f3d7027fb2562e6fbb52e5035b436090ac91577a307647c43728a8910bd21b7cc1138338f862d67f6121 SHA512 5c946ad6284c87ff8546717e9782e1a7436e1009f72069a448284f29ed54009987cc0e7d65cd8f8f8d3beb3472a2c925d2158820fac5da9b425b45d3aa846493
+EBUILD qtbase-6.5.0-r3.ebuild 5141 BLAKE2B f854b8898d8badde636833732fb1e4a5497d7be6f539b17296d62e3a5de6f76d935f8cce1cbdf530eaae217a974857f8ca22969975368627955975f69530a4ab SHA512 6e59666648f738ded48583135a299773c13a5fe8106f613b3ceac526e43cdcca641b7118edd25348d1341e8ec582ec565e1fba96522269ac22e3c80f05a7c38b
 MISC metadata.xml 1762 BLAKE2B fd53799e4a3668fb8d32798f1d128df86aaa7181563655ffb71d6c15a7bab33e5fb08f3c5b41695e8fee4a46f5a5216030d0aeb0927eaeec387136ec66964a8f SHA512 6e05599e981d07f7a6d79eda9e1ef9e41383e05aec5442fed8a46be87245b6e9a77fb9b469fe656f9fdd29ffb69767136c0922baed3c5448ca8c58ee70ad713d
diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch
new file mode 100644
index 000000000000..c982cce36e9e
--- /dev/null
+++ b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch
@@ -0,0 +1,101 @@
+From a2dc11b37fd71f785c342c40549f54edfdd1a6f8 Mon Sep 17 00:00:00 2001
+From: Thiago Macieira <thiago.macieira@intel.com>
+Date: Thu, 11 May 2023 21:40:15 -0700
+Subject: [PATCH] QDnsLookup/Unix: make sure we don't overflow the buffer
+MIME-Version: 1.0
+Content-Type: text/plain; charset=utf8
+Content-Transfer-Encoding: 8bit
+
+The DNS Records are variable length and encode their size in 16 bits
+before the Record Data (RDATA). Ensure that both the RDATA and the
+Record header fields before it fall inside the buffer we have.
+
+Additionally reject any replies containing more than one query records.
+
+[ChangeLog][QtNetwork][QDnsLookup] Fixed a bug that could cause a buffer
+overflow in Unix systems while parsing corrupt, malicious, or truncated
+replies.
+
+Pick-to: 5.15 6.2 6.5.1
+Change-Id: I3e3bfef633af4130a03afffd175e4b9547654b95
+Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
+Reviewed-by: Jani Heikkinen <jani.heikkinen@qt.io>
+(cherry picked from commit 7dba2c87619d558a61a30eb30cc1d9c3fe6df94c)
+Reviewed-by: Daniel Smith <Daniel.Smith@qt.io>
+---
+ src/network/kernel/qdnslookup_unix.cpp | 31 +++++++++++++++++++++++++------
+ 1 file changed, 25 insertions(+), 6 deletions(-)
+
+diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
+index 8db79028f775..ad7bb51f67a5 100644
+--- a/src/network/kernel/qdnslookup_unix.cpp
++++ b/src/network/kernel/qdnslookup_unix.cpp
+@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+     // responseLength in case of error, we still can extract the
+     // exact error code from the response.
+     HEADER *header = (HEADER*)response;
+-    const int answerCount = ntohs(header->ancount);
+     switch (header->rcode) {
+     case NOERROR:
+         break;
+@@ -227,18 +226,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         return;
+     }
+ 
+-    // Skip the query host, type (2 bytes) and class (2 bytes).
+     char host[PACKETSZ], answer[PACKETSZ];
+     unsigned char *p = response + sizeof(HEADER);
+-    int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+-    if (status < 0) {
++    int status;
++
++    if (ntohs(header->qdcount) == 1) {
++        // Skip the query host, type (2 bytes) and class (2 bytes).
++        status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
++        if (status < 0) {
++            reply->error = QDnsLookup::InvalidReplyError;
++            reply->errorString = tr("Could not expand domain name");
++            return;
++        }
++        if ((p - response) + status + 4 >= responseLength)
++            header->qdcount = 0xffff;   // invalid reply below
++        else
++            p += status + 4;
++    }
++    if (ntohs(header->qdcount) > 1) {
+         reply->error = QDnsLookup::InvalidReplyError;
+-        reply->errorString = tr("Could not expand domain name");
++        reply->errorString = tr("Invalid reply received");
+         return;
+     }
+-    p += status + 4;
+ 
+     // Extract results.
++    const int answerCount = ntohs(header->ancount);
+     int answerIndex = 0;
+     while ((p < response + responseLength) && (answerIndex < answerCount)) {
+         status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+@@ -250,6 +262,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         const QString name = QUrl::fromAce(host);
+ 
+         p += status;
++
++        if ((p - response) + 10 > responseLength) {
++            // probably just a truncated reply, return what we have
++            return;
++        }
+         const quint16 type = (p[0] << 8) | p[1];
+         p += 2; // RR type
+         p += 2; // RR class
+@@ -257,6 +274,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
+         p += 4;
+         const quint16 size = (p[0] << 8) | p[1];
+         p += 2;
++        if ((p - response) + size > responseLength)
++            return;             // truncated
+ 
+         if (type == QDnsLookup::A) {
+             if (size != 4) {
+-- 
+2.16.3
+
diff --git a/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild b/dev-qt/qtbase/qtbase-6.5.0-r3.ebuild
index afcd30dfe9f6..c0afe61d6725 100644
--- a/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild
+++ b/dev-qt/qtbase/qtbase-6.5.0-r3.ebuild
@@ -106,6 +106,7 @@ RDEPEND="${DEPEND}"
 PATCHES=(
 	"${FILESDIR}/${PN}-6.5.0-setActiveWindow-deprecated-version.patch"
 	"${FILESDIR}/${PN}-6.5.0-CVE-2023-32762.patch"
+	"${FILESDIR}/${PN}-6.5.0-CVE-2023-33285.patch"
 )
 
 src_configure() {