[v3,02/14] package/qt6/qt6base: patch CVE-2024-33861

Message ID 20240512114617.2564569-2-roykollensvendsen@gmail.com
State Superseded
Series [v3,01/14] package/qt6: bump version to 6.7.0

Commit Message

Roy Kollen Svendsen May 12, 2024, 11:45 a.m. UTC
From: Roy Kollen Svendsen <roy.kollen.svendsen@akersolutions.com>

Got patch from:

https://download.qt.io/archive/qt/6.7/
Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
---
Changes v2 -> v3:
  - Add this new patch to the series since a new CVE fix was recently uploaded
    to the Qt 6.7 downloads site.
 
 .../0001-Fix-CVE-2024-33861-for-Qt6.7.patch   | 36 +++++++++++++++++++
 1 file changed, 36 insertions(+)
 create mode 100644 package/qt6/qt6base/0001-Fix-CVE-2024-33861-for-Qt6.7.patch

Comments

Thomas Petazzoni May 13, 2024, 6:40 a.m. UTC | #1
Hello Roy,

On Sun, 12 May 2024 13:45:49 +0200
Roy Kollen Svendsen <roykollensvendsen@gmail.com> wrote:

> From: Roy Kollen Svendsen <roy.kollen.svendsen@akersolutions.com>
> 
> Got patch from:
> 
> https://download.qt.io/archive/qt/6.7/
> Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>

Thanks for this v3. However, you're again putting a fix as PATCH 02/14
of the series, after a bump. Is it because this CVE is only applicable
to Qt 6.7 (and not the 6.4.3 we already have in Buildroot) ? Could you
clarify this point, which is very important?

Thanks!

Thomas
Jesse Van Gavere May 13, 2024, 7:57 a.m. UTC | #2
Hello Thomas,

On Mon, 13 May 2024 at 08:40, Thomas Petazzoni
<thomas.petazzoni@bootlin.com> wrote:

>
> Hello Roy,
>
> On Sun, 12 May 2024 13:45:49 +0200
> Roy Kollen Svendsen <roykollensvendsen@gmail.com> wrote:
>
> > From: Roy Kollen Svendsen <roy.kollen.svendsen@akersolutions.com>
> >
> > Got patch from:
> >
> > https://download.qt.io/archive/qt/6.7/
> > Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
>
> Thanks for this v3. However, you're again putting a fix as PATCH 02/14
> of the series, after a bump. Is it because this CVE is only applicable
> to Qt 6.7 (and not the 6.4.3 we already have in Buildroot) ? Could you
> clarify this point, which is very important?

This is not applicable to 6.4.3, the affected versions are detailed in
the bugzilla report below and it's only 6.5.0+
So this seems perfectly valid to go along with the version bump.

OpenSUSE report:
https://www.suse.com/security/cve/CVE-2024-33861.html
Bugzilla report clarifying affected versions
https://bugzilla.suse.com/show_bug.cgi?id=1223917

> Thanks!
>
> Thomas
> --
> Thomas Petazzoni, co-owner and CEO, Bootlin
> Embedded Linux and Kernel engineering and training
> https://bootlin.com

Best regards,
Jesse
Roy Kollen Svendsen May 13, 2024, 10:29 a.m. UTC | #3
Hi Thomas and Jesse,

I assume I should add this information to the commit message and make a v4
patch-set?

Best regards,
Roy

On Mon, 13 May 2024 at 09:57, Jesse Van Gavere <jesseevg@gmail.com> wrote:

> Hello Thomas,
>
> On Mon, 13 May 2024 at 08:40, Thomas Petazzoni
> <thomas.petazzoni@bootlin.com> wrote:
>
> >
> > Hello Roy,
> >
> > On Sun, 12 May 2024 13:45:49 +0200
> > Roy Kollen Svendsen <roykollensvendsen@gmail.com> wrote:
> >
> > > From: Roy Kollen Svendsen <roy.kollen.svendsen@akersolutions.com>
> > >
> > > Got patch from:
> > >
> > > https://download.qt.io/archive/qt/6.7/
> > > Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
> >
> > Thanks for this v3. However, you're again putting a fix as PATCH 02/14
> > of the series, after a bump. Is it because this CVE is only applicable
> > to Qt 6.7 (and not the 6.4.3 we already have in Buildroot) ? Could you
> > clarify this point, which is very important?
>
> This is not applicable to 6.4.3, the affected versions are detailed in
> the bugzilla report below and it's only 6.5.0+
> So this seems perfectly valid to go along with the version bump.
>
> OpenSUSE report:
> https://www.suse.com/security/cve/CVE-2024-33861.html
> Bugzilla report clarifying affected versions
> https://bugzilla.suse.com/show_bug.cgi?id=1223917
>
> > Thanks!
> >
> > Thomas
> > --
> > Thomas Petazzoni, co-owner and CEO, Bootlin
> > Embedded Linux and Kernel engineering and training
> > https://bootlin.com
>
> Best regards,
> Jesse
>
Jesse Van Gavere May 13, 2024, 11:05 a.m. UTC | #4
Hello Roy,

On Mon, 13 May 2024, 12:29 Roy Kollen Svendsen, <roykollensvendsen@gmail.com>
wrote:

> Hi Thomas and Jesse,
>
> I assume I should add this information to the commit message and make a v4
> patch-set?
>

Personally I don't see why that would be necessary, it's applicable to your
version bump only and it's a valid CVE identifier (even if reserved for the
moment) that can be looked up, putting the exact same CVE info in the
commit for the patch seems a bit redundant

Best regards,
Jesse


> Best regards,
> Roy
>
> On Mon, 13 May 2024 at 09:57, Jesse Van Gavere <jesseevg@gmail.com> wrote:
>
>> Hello Thomas,
>>
>> On Mon, 13 May 2024 at 08:40, Thomas Petazzoni
>> <thomas.petazzoni@bootlin.com> wrote:
>>
>> >
>> > Hello Roy,
>> >
>> > On Sun, 12 May 2024 13:45:49 +0200
>> > Roy Kollen Svendsen <roykollensvendsen@gmail.com> wrote:
>> >
>> > > From: Roy Kollen Svendsen <roy.kollen.svendsen@akersolutions.com>
>> > >
>> > > Got patch from:
>> > >
>> > > https://download.qt.io/archive/qt/6.7/
>> > > Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
>> >
>> > Thanks for this v3. However, you're again putting a fix as PATCH 02/14
>> > of the series, after a bump. Is it because this CVE is only applicable
>> > to Qt 6.7 (and not the 6.4.3 we already have in Buildroot) ? Could you
>> > clarify this point, which is very important?
>>
>> This is not applicable to 6.4.3, the affected versions are detailed in
>> the bugzilla report below and it's only 6.5.0+
>> So this seems perfectly valid to go along with the version bump.
>>
>> OpenSUSE report:
>> https://www.suse.com/security/cve/CVE-2024-33861.html
>> Bugzilla report clarifying affected versions
>> https://bugzilla.suse.com/show_bug.cgi?id=1223917
>>
>> > Thanks!
>> >
>> > Thomas
>> > --
>> > Thomas Petazzoni, co-owner and CEO, Bootlin
>> > Embedded Linux and Kernel engineering and training
>> > https://bootlin.com
>>
>> Best regards,
>> Jesse
>
>
Thomas Petazzoni May 13, 2024, 11:59 a.m. UTC | #5
Hello Jesse, Hello Roy,

On Mon, 13 May 2024 13:05:05 +0200
Jesse Van Gavere <jesseevg@gmail.com> wrote:

> > I assume I should add this information to the commit message and make a v4
> > patch-set?
> 
> Personally I don't see why that would be necessary, it's applicable to your
> version bump only and it's a valid CVE identifier (even if reserved for the
> moment) that can be looked up, putting the exact same CVE info in the
> commit for the patch seems a bit redundant

Well, in fact in this particular case, the CVE fix should be directly
with the version bump, and indeed clarify in the commit log why it is
together with the version bump. Also, QT6BASE_IGNORE_CVES variable will
be needed in qt6base.mk.

I'd say no need to resend the full series for this at this point. I'll
try to apply some parts of it, and see if I have other review comments
for the rest.

Thanks!

Thomas

Patch

diff --git a/package/qt6/qt6base/0001-Fix-CVE-2024-33861-for-Qt6.7.patch b/package/qt6/qt6base/0001-Fix-CVE-2024-33861-for-Qt6.7.patch
new file mode 100644
index 0000000000..f016788017
--- /dev/null
+++ b/package/qt6/qt6base/0001-Fix-CVE-2024-33861-for-Qt6.7.patch
@@ -0,0 +1,36 @@ 
+From 7f88945625f560796c86a267086f163e74c1407b Mon Sep 17 00:00:00 2001
+From: Roy Kollen Svendsen <roy.kollen.svendsen@akersolutions.com>
+Date: Sun, 12 May 2024 07:15:32 +0200
+Subject: [PATCH] Fix CVE-2024-33861 for Qt6.7
+
+Signed-off-by: Roy Kollen Svendsen <roy.kollen.svendsen@akersolutions.com>
+Upstream: https://download.qt.io/archive/qt/6.7/CVE-2024-33861-qtbase-6.7.diff
+---
+ src/corelib/text/qstringconverter.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/corelib/text/qstringconverter.cpp b/src/corelib/text/qstringconverter.cpp
+index b5749843..fd45ccf2 100644
+--- a/src/corelib/text/qstringconverter.cpp
++++ b/src/corelib/text/qstringconverter.cpp
+@@ -1954,7 +1954,7 @@ struct QStringConverterICU : QStringConverter
+         const void *context;
+         ucnv_getToUCallBack(icu_conv, &action, &context);
+         if (context != state)
+-             ucnv_setToUCallBack(icu_conv, action, &state, nullptr, nullptr, &err);
++             ucnv_setToUCallBack(icu_conv, action, state, nullptr, nullptr, &err);
+ 
+         ucnv_toUnicode(icu_conv, &target, targetLimit, &source, sourceLimit, nullptr, flush, &err);
+         // We did reserve enough space:
+@@ -1987,7 +1987,7 @@ struct QStringConverterICU : QStringConverter
+         const void *context;
+         ucnv_getFromUCallBack(icu_conv, &action, &context);
+         if (context != state)
+-             ucnv_setFromUCallBack(icu_conv, action, &state, nullptr, nullptr, &err);
++             ucnv_setFromUCallBack(icu_conv, action, state, nullptr, nullptr, &err);
+ 
+         ucnv_fromUnicode(icu_conv, &target, targetLimit, &source, sourceLimit, nullptr, flush, &err);
+         // We did reserve enough space:
+-- 
+2.45.0
+
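
Review bot: the embedded patch header at the top of this new file (Subject: through Upstream:) carries no description of the defect or of the affected Qt versions, and the series diffstat lists this file as the only change, so nothing in qt6base.mk records that CVE-2024-33861 is handled by a local patch. As raised in the thread, add `QT6BASE_IGNORE_CVES += CVE-2024-33861` to qt6base.mk, preceded by a comment naming 0001-Fix-CVE-2024-33861-for-Qt6.7.patch, and say in the commit log why the fix travels with the version bump. A short description in the patch header would also help later readers: in both inner hunks the callback context was registered as `&state` while the line just above compares `context != state`, and the change makes the registered value the one that comparison tests against.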