[OE-core] [PATCH 2/2] qt4-4.8.6: fix CVE-2014-0190

Paul Eggleton paul.eggleton at linux.intel.com
Wed Jun 18 10:06:24 UTC 2014


Hi Jackie,

On Wednesday 18 June 2014 05:41:31 jackie.huang at windriver.com wrote:
> From: yzhu1 <yanjun.zhu at windriver.com>
> 
> The GIF decoder in QtGui in Qt before 5.3 allows remote attackers
> to cause a denial of service (NULL pointer dereference) via
> invalid width and height values in a GIF image.
> Per: http://cwe.mitre.org/data/definitions/476.html
> 
> CWE-476: NULL Pointer Dereference
> 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0190
> Signed-off-by: yzhu1 <yanjun.zhu at windriver.com>
> Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
> ---
>  meta/recipes-qt/qt4/qt4-4.8.6.inc                  |  1 +
>  .../qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch    | 31 ++++++++++++++++++++++
>  2 files changed, 32 insertions(+)
>  create mode 100644 meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> 
> diff --git a/meta/recipes-qt/qt4/qt4-4.8.6.inc b/meta/recipes-qt/qt4/qt4-4.8.6.inc
> index ae6692b..9db77c9 100644
> --- a/meta/recipes-qt/qt4/qt4-4.8.6.inc
> +++ b/meta/recipes-qt/qt4/qt4-4.8.6.inc
> @@ -24,6 +24,7 @@ SRC_URI =
> "http://download.qt-project.org/official_releases/qt/4.8/${PV}/qt-ever
> file://0028-Don-t-crash-on-broken-GIF-images.patch \
>             file://g++.conf \
>             file://linux.conf \
> +           file://qt4-4.8.6-fix-CVE-2014-0190.patch \
>             "
> 
>  SRC_URI[md5sum] = "2edbe4d6c2eff33ef91732602f3518eb"
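Review bot: this SRC_URI line adds a second copy of a fix the recipe already carries. The unchanged context two lines above lists file://0028-Don-t-crash-on-broken-GIF-images.patch, and the new qt4-4.8.6-fix-CVE-2014-0190.patch below has the same title, the same Task-number QTBUG-38367 and Change-Id, and the same qgifhandler.cpp hunk. With both patches in SRC_URI the second one should fail in do_patch: its context, `memset(bits, 0, image->byteCount());` followed directly by `disposePrevious(image);`, no longer exists once 0028 has inserted the `if (image->isNull())` check between them. Drop this line and the new file; if the intent is to make the CVE traceable from the recipe, record CVE-2014-0190 in the header of the existing 0028 patch instead.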
> diff --git a/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> new file mode 100644
> index 0000000..b8baea8
> --- /dev/null
> +++ b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> @@ -0,0 +1,31 @@
> +Upstream-status: Pending
> +Don't crash on broken GIF images
> +
> +Broken GIF images could set invalid width and height
> +values inside the image, leading to Qt creating a null
> +QImage for it. In that case we need to abort decoding
> +the image and return an error.
> +
> +Initial patch by Rich Moore.
> +
> +Task-number: QTBUG-38367
> +Change-Id: Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e
> +Security-advisory: CVE-2014-0190
> +Reviewed-by: Richard J. Moore <rich at kde.org>
> +
> +--- a/src/gui/image/qgifhandler.cpp
> ++++ b/src/gui/image/qgifhandler.cpp
> +@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, co
> +                     memset(bits, 0, image->byteCount());
> +                 }
> +
> ++                // Check if the previous attempt to create the image
> failed. If it ++                // did then the image is broken and we
> should give up. ++                if (image->isNull()) {
> ++                    state = Error;
> ++                    return -1;
> ++                }
> ++
> +                 disposePrevious(image);
> +                 disposed = false;
> +
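Review bot: `Upstream-status: Pending` in the new patch header does not match its content; the Task-number, Change-Id and Reviewed-by lines come from the accepted upstream Qt change, so the tag should be `Upstream-Status: Backport` (OE spells the field with a capital S). The header also has no Signed-off-by for the person adding the file to OE-core. As quoted here the hunk's comment has been rewrapped in transit (`// Check if the previous attempt to create the image` continues on lines that no longer begin with `+`), so the committed file needs to be checked against the unwrapped original, or it will not apply even after the duplication with 0028 is sorted out.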

This upstream patch is already being applied within the recipe - see 
0028-Don-t-crash-on-broken-GIF-images.patch.

Cheers,
Paul

-- 

Paul Eggleton
Intel Open Source Technology Centre
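As an added illustration, not code from Qt or from this recipe, the C program below mimics the CVE-2014-0190 pattern the commit message describes: a decoder reads width and height from a GIF Logical Screen Descriptor, tries to create a frame buffer, and in the vulnerable form clears that buffer without asking whether creation succeeded. The fixed form does what the quoted qgifhandler.cpp hunk does, refusing to continue when the image is null, and additionally rejects zero dimensions and a width*height*4 overflow. The allocation cap (g_alloc_limit), the frame_t type and the 13-byte sample headers are constructed for the example.

```c
/*
 * Added example, not Qt's or OE-core's code: a minimal GIF decoder front end
 * showing the CVE-2014-0190 failure mode (CWE-476) next to the fix.
 */
#include <stdint.h>
#include <stdlib.h>
#include <string.h>
#include <stdio.h>

#define GIF_HEADER_LEN 13   /* 6-byte signature + 7-byte Logical Screen Descriptor */
enum { DECODE_OK = 0, DECODE_ERROR = -1 };

typedef struct {
    uint16_t width, height;  /* from the Logical Screen Descriptor */
    uint8_t *pixels;         /* NULL until a frame buffer exists */
    size_t   nbytes;
} frame_t;

/* Hypothetical allocation cap so the caller can force the "image could not be
 * created" path deterministically; a real decoder would just call calloc(). */
static size_t g_alloc_limit = SIZE_MAX;

static uint8_t *frame_alloc(size_t n)
{
    if (n == 0 || n > g_alloc_limit)
        return NULL;
    return calloc(n, 1);
}

/* Parse the signature plus little-endian width/height.  DECODE_OK on success. */
int parse_screen_descriptor(const uint8_t *buf, size_t len, frame_t *f)
{
    if (len < GIF_HEADER_LEN)
        return DECODE_ERROR;
    if (memcmp(buf, "GIF87a", 6) != 0 && memcmp(buf, "GIF89a", 6) != 0)
        return DECODE_ERROR;
    f->width  = (uint16_t)(buf[6] | (buf[7] << 8));
    f->height = (uint16_t)(buf[8] | (buf[9] << 8));
    f->pixels = NULL;
    f->nbytes = 0;
    return DECODE_OK;
}

/* Vulnerable pattern: trust width/height, allocate, clear.  When allocation
 * fails for invalid or oversized dimensions, memset() writes through NULL.
 * Kept for comparison only; never call it with an untrusted header. */
int decode_vulnerable(frame_t *f)
{
    f->nbytes = (size_t)f->width * f->height * 4;
    f->pixels = frame_alloc(f->nbytes);
    memset(f->pixels, 0, f->nbytes);   /* CWE-476 when pixels == NULL */
    return DECODE_OK;
}

/* Fixed pattern, same idea as the quoted qgifhandler.cpp hunk: check that the
 * frame really exists and stop decoding with an error if it does not. */
int decode_fixed(frame_t *f)
{
    if (f->width == 0 || f->height == 0)              /* a 0xN image is "null" */
        return DECODE_ERROR;
    if ((size_t)f->width > SIZE_MAX / 4 / f->height)  /* width*height*4 overflow */
        return DECODE_ERROR;
    f->nbytes = (size_t)f->width * f->height * 4;
    f->pixels = frame_alloc(f->nbytes);
    if (f->pixels == NULL)                            /* image->isNull() equivalent */
        return DECODE_ERROR;
    memset(f->pixels, 0, f->nbytes);                  /* safe: the buffer exists */
    return DECODE_OK;
}

/* Run parse + fixed decode under a given allocation cap and return the result. */
int decode_header_with_limit(const uint8_t *hdr, size_t len, size_t alloc_limit)
{
    frame_t f = {0};
    g_alloc_limit = alloc_limit;
    int rc = parse_screen_descriptor(hdr, len, &f);
    if (rc == DECODE_OK)
        rc = decode_fixed(&f);
    free(f.pixels);                /* free(NULL) is a no-op */
    g_alloc_limit = SIZE_MAX;
    return rc;
}

/* Constructed 13-byte headers (no image data follows them): */
const uint8_t GIF_2X2[GIF_HEADER_LEN]    = {'G','I','F','8','9','a', 2,0, 2,0, 0,0,0};
const uint8_t GIF_ZERO_W[GIF_HEADER_LEN] = {'G','I','F','8','9','a', 0,0, 16,0, 0,0,0};
const uint8_t GIF_MAX[GIF_HEADER_LEN]    = {'G','I','F','8','9','a', 0xff,0xff, 0xff,0xff, 0,0,0};
const uint8_t NOT_A_GIF[GIF_HEADER_LEN]  = {'P','N','G',0,0,0, 1,0, 1,0, 0,0,0};

int main(void)
{
    printf("2x2 frame:               %d\n", decode_header_with_limit(GIF_2X2, GIF_HEADER_LEN, SIZE_MAX));      /* 0 */
    printf("zero width:              %d\n", decode_header_with_limit(GIF_ZERO_W, GIF_HEADER_LEN, SIZE_MAX));   /* -1 */
    printf("65535x65535, 1 MiB cap:  %d\n", decode_header_with_limit(GIF_MAX, GIF_HEADER_LEN, (size_t)1 << 20)); /* -1 */
    printf("bad signature:           %d\n", decode_header_with_limit(NOT_A_GIF, GIF_HEADER_LEN, SIZE_MAX));    /* -1 */
    return 0;
}
```

The allocation cap stands in for whatever makes QImage construction fail in the real decoder; the point is only that the result of creating the image is tested before anything writes through it.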


