Message ID | 20220317163823.2913753-2-foss+buildroot@0leil.net |
---|---|
State | Accepted |
Series | [1/3] package/qt5/qt5base: security bump |

On 17/03/2022 17:38, Quentin Schulz wrote:

> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
>
> CVE-2021-38593 fixes originally missed a usecase that was covered by the
> to-be-removed patch. However, this patch was incorrect and added some
> issues on its own, which was then fixed by now-removed
> 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch.
>
> Unfortunately for us, the to-be-removed patch (fixed by
> 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch) can actually
> be applied (with fuzz; by `patch` only) on top of the now-removed patch.
> When the move to KDE Qt fork was made, some patches were removed as they
> were already part of the new git fork. However, the to-be-removed patch
> was not. This means the
> 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch was actually
> undone when Buildroot patched qt5base.
>
> Let's remove this patch to fix this oversight.
>
> As a reference:
> e7ea2ed27c Improve fix for avoiding huge number of tiny dashes
> fixed by
> 65b3aa6a1c Refix for avoiding huge number of tiny dashes
> in the git repo.
>
> Fixes: 5770a645a3a49 "package/qt5: bump packages to latest kde submodule versions"
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Applied to master, thanks. I've also renumbered patches 7 and 8.

Regards,
Arnout

> --- > ...-avoiding-huge-number-of-tiny-dashes.patch | 37 ------------------- > 1 file changed, 37 deletions(-) > delete mode 100644 package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch > > diff --git a/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch b/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch > deleted file mode 100644 > index 16e0f20200..0000000000 > --- a/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch > +++ /dev/null 
> @@ -1,37 +0,0 @@ > -From 856d11f695fb6effe26a359f9ad0efdf24067085 Mon Sep 17 00:00:00 2001 > -From: Eirik Aavitsland <eirik.aavitsland@qt.io> > -Date: Fri, 23 Jul 2021 15:53:56 +0200 > -Subject: [PATCH] Improve fix for avoiding huge number of tiny dashes > -MIME-Version: 1.0 > -Content-Type: text/plain; charset=UTF-8 > -Content-Transfer-Encoding: 8bit > - > -Some pathological cases were not caught by the previous fix. > - > -Fixes: QTBUG-95239 > -Pick-to: 6.2 6.1 5.15 > -Change-Id: I0337ee3923ff93ccb36c4d7b810a9c0667354cc5 > -Reviewed-by: Robert Löhning <robert.loehning@qt.io> > -(cherry picked from commit 6b400e3147dcfd8cc3a393ace1bd118c93762e0c) > -[Retrieved from: https://invent.kde.org/qt/qt/qtbase/-/commit/fed5713eeba5bf8e0ee413cb4e77109bfa7c2bce] > -Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> > ---- > - src/gui/painting/qpaintengineex.cpp | 2 +- > - 1 file changed, 1 insertion(+), 1 deletion(-) > - > -diff --git a/src/gui/painting/qpaintengineex.cpp b/src/gui/painting/qpaintengineex.cpp > -index 55fdb0c2a0..19e4b23423 100644 > ---- a/src/gui/painting/qpaintengineex.cpp > -+++ b/src/gui/painting/qpaintengineex.cpp > -@@ -426,7 +426,7 @@ void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &inPen) > - patternLength *= pen.widthF(); > - if (qFuzzyIsNull(patternLength)) { > - pen.setStyle(Qt::NoPen); > -- } else if (extent / patternLength > 10000) { > -+ } else if (qFuzzyIsNull(extent) || extent / patternLength > 10000) { > - // approximate stream of tiny dashes with semi-transparent solid line > - pen.setStyle(Qt::SolidLine); > - QColor color(pen.color()); > --- > -2.34.1 > -
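
Review bot: The commit message does not say what the `else if` condition in the `@@ -426,7 +426,7` hunk of qpaintengineex.cpp looks like once this patch stops being applied. The only functional line the deleted patch carried is `} else if (qFuzzyIsNull(extent) || extent / patternLength > 10000) {`, and the message states that this variant was itself fixed by the Refix patch. Consider adding one sentence naming the condition that remains in the fork after the removal, so a reader can confirm that the CVE-2021-38593 handling is the intended one without opening the upstream repository.
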
>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:

> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>

> CVE-2021-38593 fixes originally missed a usecase that was covered by the
> to-be-removed patch. However, this patch was incorrect and added some
> issues on its own, which was then fixed by now-removed
> 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch.

> Unfortunately for us, the to-be-removed patch (fixed by
> 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch) can actually
> be applied (with fuzz; by `patch` only) on top of the now-removed patch.
> When the move to KDE Qt fork was made, some patches were removed as they
> were already part of the new git fork. However, the to-be-removed patch
> was not. This means the
> 0012-Refix-for-avoiding-huge-number-of-tiny-dashes.patch was actually
> undone when Buildroot patched qt5base.

> Let's remove this patch to fix this oversight.

> As a reference:
> e7ea2ed27c Improve fix for avoiding huge number of tiny dashes
> fixed by
> 65b3aa6a1c Refix for avoiding huge number of tiny dashes
> in the git repo.

> Fixes: 5770a645a3a49 "package/qt5: bump packages to latest kde submodule versions"
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Committed to 2022.02.x, thanks.

diff --git a/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch b/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch deleted file mode 100644 index 16e0f20200..0000000000 --- a/package/qt5/qt5base/0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch +++ /dev/null @@ -1,37 +0,0 @@ -From 856d11f695fb6effe26a359f9ad0efdf24067085 Mon Sep 17 00:00:00 2001 -From: Eirik Aavitsland <eirik.aavitsland@qt.io> -Date: Fri, 23 Jul 2021 15:53:56 +0200 -Subject: [PATCH] Improve fix for avoiding huge number of tiny dashes -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -Some pathological cases were not caught by the previous fix. - -Fixes: QTBUG-95239 -Pick-to: 6.2 6.1 5.15 -Change-Id: I0337ee3923ff93ccb36c4d7b810a9c0667354cc5 -Reviewed-by: Robert Löhning <robert.loehning@qt.io> -(cherry picked from commit 6b400e3147dcfd8cc3a393ace1bd118c93762e0c) -[Retrieved from: https://invent.kde.org/qt/qt/qtbase/-/commit/fed5713eeba5bf8e0ee413cb4e77109bfa7c2bce] -Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> ---- - src/gui/painting/qpaintengineex.cpp | 2 +- - 1 file changed, 1 insertion(+), 1 deletion(-) - -diff --git a/src/gui/painting/qpaintengineex.cpp b/src/gui/painting/qpaintengineex.cpp -index 55fdb0c2a0..19e4b23423 100644 ---- a/src/gui/painting/qpaintengineex.cpp -+++ b/src/gui/painting/qpaintengineex.cpp -@@ -426,7 +426,7 @@ void QPaintEngineEx::stroke(const QVectorPath &path, const QPen &inPen) - patternLength *= pen.widthF(); - if (qFuzzyIsNull(patternLength)) { - pen.setStyle(Qt::NoPen); -- } else if (extent / patternLength > 10000) { -+ } else if (qFuzzyIsNull(extent) || extent / patternLength > 10000) { - // approximate stream of tiny dashes with semi-transparent solid line - pen.setStyle(Qt::SolidLine); - QColor color(pen.color()); --- -2.34.1 -
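
Review bot: Deleting `0006-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch` on its own leaves a hole in the numbered patch series under package/qt5/qt5base/; the diffstat shows only the 37 deletions, and the reply on this thread mentions that patches 7 and 8 had to be renumbered when applying. Including the renames in the same patch would keep the series contiguous. Separately, the commit message cites e7ea2ed27c and 65b3aa6a1c "in the git repo", while the header of the deleted patch references 6b400e3147dcfd8cc3a393ace1bd118c93762e0c and fed5713eeba5bf8e0ee413cb4e77109bfa7c2bce; naming the repository and branch the short hashes belong to would make the claim that the fix is already in the fork checkable.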