[OE-core] [PATCH 2/2] qt4-4.8.6: fix CVE-2014-0190
Huang, Jie (Jackie)
Jackie.Huang at windriver.com
Thu Jun 19 02:31:37 UTC 2014
> -----Original Message-----
> From: Paul Eggleton [mailto:paul.eggleton at linux.intel.com]
> Sent: Wednesday, June 18, 2014 6:06 PM
> To: Huang, Jie (Jackie)
> Cc: Zhu, Yanjun; openembedded-core at lists.openembedded.org
> Subject: Re: [OE-core] [PATCH 2/2] qt4-4.8.6: fix CVE-2014-0190
>
> Hi Jackie,
>
> On Wednesday 18 June 2014 05:41:31 jackie.huang at windriver.com wrote:
> > From: yzhu1 <yanjun.zhu at windriver.com>
> >
> > The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to
> > cause a denial of service (NULL pointer dereference) via invalid width
> > and height values in a GIF image.
> > Per: http://cwe.mitre.org/data/definitions/476.html
> >
> > CWE-476: NULL Pointer Dereference
> >
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0190
> > Signed-off-by: yzhu1 <yanjun.zhu at windriver.com>
> > Signed-off-by: Jackie Huang <jackie.huang at windriver.com>
> > ---
> > meta/recipes-qt/qt4/qt4-4.8.6.inc | 1 +
> > .../qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch | 31
> > ++++++++++++++++++++++ 2 files changed, 32 insertions(+)
> > create mode 100644
> > meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> >
> > diff --git a/meta/recipes-qt/qt4/qt4-4.8.6.inc
> > b/meta/recipes-qt/qt4/qt4-4.8.6.inc index ae6692b..9db77c9 100644
> > --- a/meta/recipes-qt/qt4/qt4-4.8.6.inc
> > +++ b/meta/recipes-qt/qt4/qt4-4.8.6.inc
> > @@ -24,6 +24,7 @@ SRC_URI =
> > "http://download.qt-project.org/official_releases/qt/4.8/${PV}/qt-ever
> > file://0028-Don-t-crash-on-broken-GIF-images.patch \
> > file://g++.conf \
> > file://linux.conf \
> > + file://qt4-4.8.6-fix-CVE-2014-0190.patch \
> > "
> >
> > SRC_URI[md5sum] = "2edbe4d6c2eff33ef91732602f3518eb"
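Review bot: The SRC_URI context directly above the added line already lists file://0028-Don-t-crash-on-broken-GIF-images.patch, and the new patch file's own header carries the same subject, "Don't crash on broken GIF images", so this entry looks like a second copy of a fix the recipe already applies. Please compare the new file against 0028 before adding it. If the aim is to record the CVE identifier, noting it in the existing patch's header would do that without a duplicate SRC_URI entry.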
> > diff --git
> > a/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> > b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch new
> > file mode 100644 index 0000000..b8baea8
> > --- /dev/null
> > +++ b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> > @@ -0,0 +1,31 @@
> > +Upstream-status: Pending
> > +Don't crash on broken GIF images
> > +
> > +Broken GIF images could set invalid width and height values inside
> > +the image, leading to Qt creating a null QImage for it. In that case
> > +we need to abort decoding the image and return an error.
> > +
> > +Initial patch by Rich Moore.
> > +
> > +Task-number: QTBUG-38367
> > +Change-Id: Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e
> > +Security-advisory: CVE-2014-0190
> > +Reviewed-by: Richard J. Moore <rich at kde.org>
> > +
> > +--- a/src/gui/image/qgifhandler.cpp
> > ++++ b/src/gui/image/qgifhandler.cpp
> > +@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, co
> > + memset(bits, 0, image->byteCount());
> > + }
> > +
> > ++ // Check if the previous attempt to create the image
> > failed. If it ++ // did then the image is broken and we
> > should give up. ++ if (image->isNull()) {
> > ++ state = Error;
> > ++ return -1;
> > ++ }
> > ++
> > + disposePrevious(image);
> > + disposed = false;
> > +
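Review bot: The first header line, "Upstream-status: Pending", conflicts with the rest of the header, which carries an upstream Task-number, Change-Id and Reviewed-by, so the change has evidently been through upstream review already. Mark it as a backport rather than pending, and spell the tag "Upstream-Status:" as OE-core patch headers normally do. The embedded patch header also has no Signed-off-by line of its own; the sign-offs appear only in the commit message.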
>
> This upstream patch is already being applied within the recipe - see
> 0028-Don-t-crash-on-broken-GIF-images.patch.

Sorry, I didn't notice it. Thanks for pointing it out, and please ignore this.

Thanks,
Jackie
>
> Cheers,
> Paul
>
> --
>
> Paul Eggleton
> Intel Open Source Technology Centre