[v4,01/14] package/qt6: bump version to 6.7.0

From: Roy Kollen Svendsen <roy.kollen.svendsen@akersolutions.com>

For details see [1], [2], [3], [4], [5], [6], [7], [8] and [9].

[1] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.5.0/release-note.md
[2] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.5.1/release-note.md
[3] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.5.2/release-note.md
[4] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.5.3/release-note.md

[5] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.6.0/release-note.md
[6] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.6.1/release-note.md
[7] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.6.2/release-note.md
[8] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.6.3/release-note.md

[9] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.7.0/release-note.md

We also apply the associated CVE-2024-33861 patch from:

https://download.qt.io/archive/qt/6.7/

As Jesse Van Gavere noted:

"This is not applicable to 6.4.3, the affected versions are detailed in
the bugzilla report below and it's only 6.5.0+
So this seems perfectly valid to go along with the version bump.

OpenSUSE report:
https://www.suse.com/security/cve/CVE-2024-33861.html
Bugzilla report clarifying affected versions
https://bugzilla.suse.com/show_bug.cgi?id=1223917"

Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
---
Changes v3 -> v4:
  - Explain why the associated CVE-patch should be part of this series
    (suggested by Thomas)
  - Squash the CVE-patch into this patch.
  - Add CVE-ID to QT6BASE_IGNORE_CVES. (suggested by Thomas)

 package/qt6/qt6.mk                            |  4 +--
 .../0001-Fix-CVE-2024-33861-for-Qt6.7.patch   | 36 +++++++++++++++++++
 package/qt6/qt6base/qt6base.hash              |  4 +--
 package/qt6/qt6base/qt6base.mk                |  2 +-
 .../qt6/qt6core5compat/qt6core5compat.hash    |  4 +--
 package/qt6/qt6serialbus/qt6serialbus.hash    |  4 +--
 package/qt6/qt6serialport/qt6serialport.hash  |  4 +--
 package/qt6/qt6svg/qt6svg.hash                |  4 +--
 8 files changed, 49 insertions(+), 13 deletions(-)
 create mode 100644 package/qt6/qt6base/0001-Fix-CVE-2024-33861-for-Qt6.7.patch

Op di 14 mei 2024 om 00:03 schreef Roy Kollen Svendsen <
roykollensvendsen@gmail.com>:

> From: Roy Kollen Svendsen <roy.kollen.svendsen@akersolutions.com>
>
> For details see [1], [2], [3], [4], [5], [6], [7], [8] and [9].
>
> [1]
> https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.5.0/release-note.md
> [2]
> https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.5.1/release-note.md
> [3]
> https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.5.2/release-note.md
> [4]
> https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.5.3/release-note.md
>
> [5]
> https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.6.0/release-note.md
> [6]
> https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.6.1/release-note.md
> [7]
> https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.6.2/release-note.md
> [8]
> https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.6.3/release-note.md
>
> [9]
> https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.7.0/release-note.md
>
> We also apply the associated CVE-2024-33861 patch from:
>
> https://download.qt.io/archive/qt/6.7/
>
> As Jesse Van Gavere noted:
>
> "This is not applicable to 6.4.3, the affected versions are detailed in
> the bugzilla report below and it's only 6.5.0+
> So this seems perfectly valid to go along with the version bump.
>
> OpenSUSE report:
> https://www.suse.com/security/cve/CVE-2024-33861.html
> Bugzilla report clarifying affected versions
> https://bugzilla.suse.com/show_bug.cgi?id=1223917"
>
> Signed-off-by: Roy Kollen Svendsen <roykollensvendsen@gmail.com>
> ---
> Changes v3 -> v4:
>   - Explain why the associated CVE-patch should be part of this series
>     (suggested by Thomas)
>   - Squash the CVE-patch into this patch.
>   - Add CVE-ID to QT6BASE_IGNORE_CVES. (suggested by Thomas)
>
>  package/qt6/qt6.mk                            |  4 +--
>  .../0001-Fix-CVE-2024-33861-for-Qt6.7.patch   | 36 +++++++++++++++++++
>  package/qt6/qt6base/qt6base.hash              |  4 +--
>  package/qt6/qt6base/qt6base.mk                |  2 +-
>  .../qt6/qt6core5compat/qt6core5compat.hash    |  4 +--
>  package/qt6/qt6serialbus/qt6serialbus.hash    |  4 +--
>  package/qt6/qt6serialport/qt6serialport.hash  |  4 +--
>  package/qt6/qt6svg/qt6svg.hash                |  4 +--
>  8 files changed, 49 insertions(+), 13 deletions(-)
>  create mode 100644
> package/qt6/qt6base/0001-Fix-CVE-2024-33861-for-Qt6.7.patch
>
> diff --git a/package/qt6/qt6.mk b/package/qt6/qt6.mk
> index 1edb252c96..b87cb6748d 100644
> --- a/package/qt6/qt6.mk
> +++ b/package/qt6/qt6.mk
> @@ -4,8 +4,8 @@
>  #
>
>  ################################################################################
>
> -QT6_VERSION_MAJOR = 6.4
> -QT6_VERSION = $(QT6_VERSION_MAJOR).3
> +QT6_VERSION_MAJOR = 6.7
> +QT6_VERSION = $(QT6_VERSION_MAJOR).0
>  QT6_SOURCE_TARBALL_PREFIX = everywhere-src
>  QT6_SITE =
> https://download.qt.io/archive/qt/$(QT6_VERSION_MAJOR)/$(QT6_VERSION)/submodules
>
> diff --git a/package/qt6/qt6base/0001-Fix-CVE-2024-33861-for-Qt6.7.patch
> b/package/qt6/qt6base/0001-Fix-CVE-2024-33861-for-Qt6.7.patch
> new file mode 100644
> index 0000000000..f016788017
> --- /dev/null
> +++ b/package/qt6/qt6base/0001-Fix-CVE-2024-33861-for-Qt6.7.patch
> @@ -0,0 +1,36 @@
> +From 7f88945625f560796c86a267086f163e74c1407b Mon Sep 17 00:00:00 2001
> +From: Roy Kollen Svendsen <roy.kollen.svendsen@akersolutions.com>
> +Date: Sun, 12 May 2024 07:15:32 +0200
> +Subject: [PATCH] Fix CVE-2024-33861 for Qt6.7
> +
> +Signed-off-by: Roy Kollen Svendsen <roy.kollen.svendsen@akersolutions.com
> >
> +Upstream:
> https://download.qt.io/archive/qt/6.7/CVE-2024-33861-qtbase-6.7.diff
> +---
> + src/corelib/text/qstringconverter.cpp | 4 ++--
> + 1 file changed, 2 insertions(+), 2 deletions(-)
> +
> +diff --git a/src/corelib/text/qstringconverter.cpp
> b/src/corelib/text/qstringconverter.cpp
> +index b5749843..fd45ccf2 100644
> +--- a/src/corelib/text/qstringconverter.cpp
> ++++ b/src/corelib/text/qstringconverter.cpp
> +@@ -1954,7 +1954,7 @@ struct QStringConverterICU : QStringConverter
> +         const void *context;
> +         ucnv_getToUCallBack(icu_conv, &action, &context);
> +         if (context != state)
> +-             ucnv_setToUCallBack(icu_conv, action, &state, nullptr,
> nullptr, &err);
> ++             ucnv_setToUCallBack(icu_conv, action, state, nullptr,
> nullptr, &err);
> +
> +         ucnv_toUnicode(icu_conv, &target, targetLimit, &source,
> sourceLimit, nullptr, flush, &err);
> +         // We did reserve enough space:
> +@@ -1987,7 +1987,7 @@ struct QStringConverterICU : QStringConverter
> +         const void *context;
> +         ucnv_getFromUCallBack(icu_conv, &action, &context);
> +         if (context != state)
> +-             ucnv_setFromUCallBack(icu_conv, action, &state, nullptr,
> nullptr, &err);
> ++             ucnv_setFromUCallBack(icu_conv, action, state, nullptr,
> nullptr, &err);
> +
> +         ucnv_fromUnicode(icu_conv, &target, targetLimit, &source,
> sourceLimit, nullptr, flush, &err);
> +         // We did reserve enough space:
> +--
> +2.45.0
> +
> diff --git a/package/qt6/qt6base/qt6base.hash
> b/package/qt6/qt6base/qt6base.hash
> index cb111bd405..0f45826a45 100644
> --- a/package/qt6/qt6base/qt6base.hash
> +++ b/package/qt6/qt6base/qt6base.hash
> @@ -1,5 +1,5 @@
> -# Hash from:
> https://download.qt.io/official_releases/qt/6.4/6.4.3/submodules/qtbase-everywhere-src-6.4.3.tar.xz.sha256
> -sha256
> <https://download.qt.io/official_releases/qt/6.4/6.4.3/submodules/qtbase-everywhere-src-6.4.3.tar.xz.sha256-sha256>
> 5087c9e5b0165e7bc3c1a4ab176b35d0cd8f52636aea903fa377bdba00891a60
> qtbase-everywhere-src-6.4.3.tar.xz
> +# Hash from:
> https://download.qt.io/official_releases/qt/6.7/6.7.0/submodules/qtbase-everywhere-src-6.7.0.tar.xz.sha256
> +sha256
> <https://download.qt.io/official_releases/qt/6.7/6.7.0/submodules/qtbase-everywhere-src-6.7.0.tar.xz.sha256+sha256>
> 11b2e29e2e52fb0e3b453ea13bbe51a10fdff36e1c192d8868c5a40233b8b254
> qtbase-everywhere-src-6.7.0.tar.xz
>
>  # Hashes for license files
>  sha256  e3ba223bb1423f0aad8c3dfce0fe3148db48926d41e6fbc3afbbf5ff9e1c89cb
> LICENSES/Apache-2.0.txt
> diff --git a/package/qt6/qt6base/qt6base.mk b/package/qt6/qt6base/
> qt6base.mk
> index 6857725ef5..b8040e395b 100644
> --- a/package/qt6/qt6base/qt6base.mk
> +++ b/package/qt6/qt6base/qt6base.mk
> @@ -9,7 +9,7 @@ QT6BASE_SITE = $(QT6_SITE)
>  QT6BASE_SOURCE =
> qtbase-$(QT6_SOURCE_TARBALL_PREFIX)-$(QT6BASE_VERSION).tar.xz
>  QT6BASE_CPE_ID_VENDOR = qt
>  QT6BASE_CPE_ID_PRODUCT = qt
> -
> +QT6BASE_IGNORE_CVES = CVE-2024-33861
>  QT6BASE_CMAKE_BACKEND = ninja
>
>  QT6BASE_LICENSE = \
> diff --git a/package/qt6/qt6core5compat/qt6core5compat.hash
> b/package/qt6/qt6core5compat/qt6core5compat.hash
> index 0735df3af2..1eb0b5b460 100644
> --- a/package/qt6/qt6core5compat/qt6core5compat.hash
> +++ b/package/qt6/qt6core5compat/qt6core5compat.hash
> @@ -1,5 +1,5 @@
> -# Hash from:
> https://download.qt.io/official_releases/qt/6.4/6.4.3/submodules/qtserialport-everywhere-src-6.4.3.tar.xz.sha256
> -sha256
> <https://download.qt.io/official_releases/qt/6.4/6.4.3/submodules/qtserialport-everywhere-src-6.4.3.tar.xz.sha256-sha256>
> d4b249abb823d575eee9045c24d924ba8d1276e6be7735b287689991d998aa7a
> qt5compat-everywhere-src-6.4.3.tar.xz
> +# Hash from:
> https://download.qt.io/official_releases/qt/6.7/6.7.0/submodules/qt5compat-everywhere-src-6.7.0.tar.xz.sha256
> +sha256
> <https://download.qt.io/official_releases/qt/6.7/6.7.0/submodules/qt5compat-everywhere-src-6.7.0.tar.xz.sha256+sha256>
> 9d49d4fd8345d8a40b63e0b65cd49c1d8286e33a7f1409bf1316763f654e19f5
> qt5compat-everywhere-src-6.7.0.tar.xz
>
>  # Hashes for license files:
>  sha256  9f0490f18656c6f2435bd14f603ef0c96434d1825615363dce43abb42ed1dcce
> LICENSES/BSD-3-Clause.txt
> diff --git a/package/qt6/qt6serialbus/qt6serialbus.hash
> b/package/qt6/qt6serialbus/qt6serialbus.hash
> index 98c8931962..17d5090076 100644
> --- a/package/qt6/qt6serialbus/qt6serialbus.hash
> +++ b/package/qt6/qt6serialbus/qt6serialbus.hash
> @@ -1,5 +1,5 @@
> -# Hash from:
> https://download.qt.io/official_releases/qt/6.4/6.4.3/submodules/qtserialbus-everywhere-src-6.4.3.tar.xz.sha256
> -sha256
> <https://download.qt.io/official_releases/qt/6.4/6.4.3/submodules/qtserialbus-everywhere-src-6.4.3.tar.xz.sha256-sha256>
> b6446a7516d1f04e561c00f9c50ce4d39dad72150f067722ba759f00b4b34366
> qtserialbus-everywhere-src-6.4.3.tar.xz
> +# Hash from:
> https://download.qt.io/official_releases/qt/6.7/6.7.0/submodules/qtserialbus-everywhere-src-6.7.0.tar.xz.sha256
> +sha256
> <https://download.qt.io/official_releases/qt/6.7/6.7.0/submodules/qtserialbus-everywhere-src-6.7.0.tar.xz.sha256+sha256>
> 498193a9860664f8a55f676656c45af179ac13d48184af43fc58ddf795bb76dd
> qtserialbus-everywhere-src-6.7.0.tar.xz
>
>  # Hashes for license files:
>  sha256  9f0490f18656c6f2435bd14f603ef0c96434d1825615363dce43abb42ed1dcce
> LICENSES/BSD-3-Clause.txt
> diff --git a/package/qt6/qt6serialport/qt6serialport.hash
> b/package/qt6/qt6serialport/qt6serialport.hash
> index 9341978d86..cd51fbe435 100644
> --- a/package/qt6/qt6serialport/qt6serialport.hash
> +++ b/package/qt6/qt6serialport/qt6serialport.hash
> @@ -1,5 +1,5 @@
> -# Hash from:
> https://download.qt.io/official_releases/qt/6.4/6.4.3/submodules/qtserialport-everywhere-src-6.4.3.tar.xz.sha256
> -sha256
> <https://download.qt.io/official_releases/qt/6.4/6.4.3/submodules/qtserialport-everywhere-src-6.4.3.tar.xz.sha256-sha256>
> 5f97ad9067efa39a8a2a39fbbc1e03d2191f305733d9c2f3060f8017ecfc95de
> qtserialport-everywhere-src-6.4.3.tar.xz
> +# Hash from:
> https://download.qt.io/official_releases/qt/6.7/6.7.0/submodules/qtserialport-everywhere-src-6.7.0.tar.xz.sha256
> +sha256
> <https://download.qt.io/official_releases/qt/6.7/6.7.0/submodules/qtserialport-everywhere-src-6.7.0.tar.xz.sha256+sha256>
> b1f02a3d8c9cc8ba2ffa7cca3749f1f147d327e8dfc633fd4ec3cb770d7981c9
> qtserialport-everywhere-src-6.7.0.tar.xz
>
>  # Hashes for license files:
>  sha256  9f0490f18656c6f2435bd14f603ef0c96434d1825615363dce43abb42ed1dcce
> LICENSES/BSD-3-Clause.txt
> diff --git a/package/qt6/qt6svg/qt6svg.hash
> b/package/qt6/qt6svg/qt6svg.hash
> index bb239cb012..32c1a79a5c 100644
> --- a/package/qt6/qt6svg/qt6svg.hash
> +++ b/package/qt6/qt6svg/qt6svg.hash
> @@ -1,5 +1,5 @@
> -# Hash from:
> https://download.qt.io/official_releases/qt/6.4/6.4.3/submodules/qtsvg-everywhere-src-6.4.3.tar.xz.sha256
> -sha256
> <https://download.qt.io/official_releases/qt/6.4/6.4.3/submodules/qtsvg-everywhere-src-6.4.3.tar.xz.sha256-sha256>
> 88315f886cf81898705e487cedba6e6160724359d23c518c92c333c098879a4a
> qtsvg-everywhere-src-6.4.3.tar.xz
> +# Hash from:
> https://download.qt.io/official_releases/qt/6.7/6.7.0/submodules/qtsvg-everywhere-src-6.7.0.tar.xz.sha256
> +sha256
> <https://download.qt.io/official_releases/qt/6.7/6.7.0/submodules/qtsvg-everywhere-src-6.7.0.tar.xz.sha256+sha256>
> 1518f40e08ff5e6153a6e26e5b95b033413ac143b70795dc1317e7f73ebf922d
> qtsvg-everywhere-src-6.7.0.tar.xz
>
>  # Hashes for license files:
>  sha256  9f0490f18656c6f2435bd14f603ef0c96434d1825615363dce43abb42ed1dcce
> LICENSES/BSD-3-Clause.txt
> --
> 2.45.0
>
>
Acked-by: Jesse Van Gavere <jesse.vangavere@scioteq.com>

Of course testing a huge module like Qt fully is difficult given all the
possible options but with these new iterations I tested them as good as I
could and I feel confident this series is good to go as-is, great work Roy.