[OE-core] [PATCH 2/2] qt4-4.8.6: fix CVE-2014-0190
Paul Eggleton
paul.eggleton at linux.intel.com
Wed Jun 18 10:06:24 UTC 2014
Hi Jackie,
On Wednesday 18 June 2014 05:41:31 jackie.huang at windriver.com wrote:
> From: yzhu1 <yanjun.zhu at windriver.com>
>
> The GIF decoder in QtGui in Qt before 5.3 allows remote attackers
> to cause a denial of service (NULL pointer dereference) via
> invalid width and height values in a GIF image.
> Per: http://cwe.mitre.org/data/definitions/476.html
>
> CWE-476: NULL Pointer Dereference
>
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0190
> Signed-off-by: yzhu1 <yanjun.zhu at windriver.com>
> Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
> ---
> meta/recipes-qt/qt4/qt4-4.8.6.inc | 1 +
> .../qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch | 31
> ++++++++++++++++++++++ 2 files changed, 32 insertions(+)
> create mode 100644
> meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
>
> diff --git a/meta/recipes-qt/qt4/qt4-4.8.6.inc
> b/meta/recipes-qt/qt4/qt4-4.8.6.inc index ae6692b..9db77c9 100644
> --- a/meta/recipes-qt/qt4/qt4-4.8.6.inc
> +++ b/meta/recipes-qt/qt4/qt4-4.8.6.inc
> @@ -24,6 +24,7 @@ SRC_URI =
> "http://download.qt-project.org/official_releases/qt/4.8/${PV}/qt-ever
> file://0028-Don-t-crash-on-broken-GIF-images.patch \
> file://g++.conf \
> file://linux.conf \
> + file://qt4-4.8.6-fix-CVE-2014-0190.patch \
> "
>
> SRC_URI[md5sum] = "2edbe4d6c2eff33ef91732602f3518eb"
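Review bot: the unchanged context line `file://0028-Don-t-crash-on-broken-GIF-images.patch \` three lines above the added entry already pulls in a patch whose name is the title of the new qt4-4.8.6-fix-CVE-2014-0190.patch ("Don't crash on broken GIF images"), so this hunk would make SRC_URI carry the same upstream change twice; a second copy of an already-applied hunk normally fails at do_patch, and if it did apply it would only duplicate the `if (image->isNull())` check. Please check whether 0028 already covers CVE-2014-0190 and, if it does, drop this addition.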
> diff --git a/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch new file
> mode 100644
> index 0000000..b8baea8
> --- /dev/null
> +++ b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> @@ -0,0 +1,31 @@
> +Upstream-status: Pending
> +Don't crash on broken GIF images
> +
> +Broken GIF images could set invalid width and height
> +values inside the image, leading to Qt creating a null
> +QImage for it. In that case we need to abort decoding
> +the image and return an error.
> +
> +Initial patch by Rich Moore.
> +
> +Task-number: QTBUG-38367
> +Change-Id: Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e
> +Security-advisory: CVE-2014-0190
> +Reviewed-by: Richard J. Moore <rich at kde.org>
> +
> +--- a/src/gui/image/qgifhandler.cpp
> ++++ b/src/gui/image/qgifhandler.cpp
> +@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, co
> + memset(bits, 0, image->byteCount());
> + }
> +
> ++ // Check if the previous attempt to create the image
> failed. If it ++ // did then the image is broken and we
> should give up. ++ if (image->isNull()) {
> ++ state = Error;
> ++ return -1;
> ++ }
> ++
> + disposePrevious(image);
> + disposed = false;
> +
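Review bot: the `Upstream-status: Pending` header at the top of the new file contradicts the rest of the header, which carries an upstream Change-Id, `Task-number: QTBUG-38367` and a `Reviewed-by:` line, i.e. this is a backport of a commit that has already been merged upstream; the OE-Core tag should read `Upstream-Status: Backport` (capital S, as the tooling expects) with a pointer to the upstream commit. Also worth a line in the description: the new `isNull()` check sits after `memset(bits, 0, image->byteCount());`, which is only safe because a null QImage reports a byteCount() of 0, so the memset is a no-op rather than a write through a null `bits` pointer.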
This upstream patch is already being applied within the recipe - see
0028-Don-t-crash-on-broken-GIF-images.patch.
Cheers,
Paul
--
Paul Eggleton
Intel Open Source Technology Centre