Patchwork [2/2] qt4-4.8.6: fix CVE-2014-0190

Submitter jackie huang
Date June 18, 2014, 9:41 a.m.
Message ID <1403084491-1614-2-git-send-email-jackie.huang@windriver.com>
Permalink /patch/74007/
State New

Comments

jackie huang - June 18, 2014, 9:41 a.m.
From: yzhu1 <yanjun.zhu@windriver.com>

The GIF decoder in QtGui in Qt before 5.3 allows remote attackers
to cause a denial of service (NULL pointer dereference) via
invalid width and height values in a GIF image.
Per: http://cwe.mitre.org/data/definitions/476.html

CWE-476: NULL Pointer Dereference

http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0190
Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
---
 meta/recipes-qt/qt4/qt4-4.8.6.inc                  |  1 +
 .../qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch    | 31 ++++++++++++++++++++++
 2 files changed, 32 insertions(+)
 create mode 100644 meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
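Added example, not part of this patch or of the Qt source: a small Python script that builds minimal GIF89a files with caller-chosen logical-screen and image-descriptor dimensions, so the zero-width/zero-height case the commit message describes can be handed to a patched qt4 build as a regression input, together with a validator that flags the dimension problems a decoder has to reject before it allocates a frame. The byte layout follows the GIF89a specification; the list of checks (zero sizes, image frame outside the logical screen) is a generic sanity check I am assuming here, not a transcription of QGIFFormat::decode, whose fix relies only on QImage::isNull() after allocation.

```python
import struct

# LZW payload for a single 2-colour pixel: min code size 2, one sub-block
# holding CLEAR(4), code 0, EOI(5) packed LSB-first, then the block terminator.
_ONE_PIXEL_LZW = bytes([0x02, 0x02, 0x44, 0x01, 0x00])


def build_gif(screen_w, screen_h, img_w=None, img_h=None):
    """Construct a minimal GIF89a (constructed test input, not a real-world file).

    Logical-screen and image-descriptor sizes are written separately so the
    caller can produce the invalid width/height combinations a decoder must
    survive, e.g. build_gif(1, 1, img_w=0, img_h=0).
    """
    if img_w is None:
        img_w = screen_w
    if img_h is None:
        img_h = screen_h
    header = b"GIF89a"
    # Logical Screen Descriptor: width, height, packed byte (global colour
    # table present, 2 entries), background index, pixel aspect ratio.
    lsd = struct.pack("<HHBBB", screen_w, screen_h, 0x80, 0, 0)
    gct = bytes([0, 0, 0, 255, 255, 255])          # 2 entries * RGB
    # Image Descriptor: separator 0x2C, left, top, width, height, packed
    # byte (no local colour table, not interlaced).
    imd = struct.pack("<BHHHHB", 0x2C, 0, 0, img_w, img_h, 0x00)
    trailer = b"\x3B"
    return header + lsd + gct + imd + _ONE_PIXEL_LZW + trailer


def check_gif_dimensions(data):
    """Parse just enough of a GIF to report dimension problems.

    Returns a list of human-readable problems; an empty list means the sizes
    are usable. Raises ValueError when the container itself is malformed.
    """
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    screen_w, screen_h, packed = struct.unpack_from("<HHB", data, 6)
    pos = 13
    if packed & 0x80:                               # skip global colour table
        pos += 3 * (2 << (packed & 0x07))
    # Skip extension blocks (0x21 label, then length-prefixed sub-blocks).
    while pos < len(data) and data[pos] == 0x21:
        pos += 2
        while pos < len(data) and data[pos] != 0:
            pos += 1 + data[pos]
        pos += 1
    if pos + 10 > len(data) or data[pos] != 0x2C:
        raise ValueError("no image descriptor")
    left, top, img_w, img_h = struct.unpack_from("<HHHH", data, pos + 1)

    problems = []
    if screen_w == 0 or screen_h == 0:
        problems.append("zero logical screen size")
    if img_w == 0 or img_h == 0:
        problems.append("zero image size")
    if left + img_w > screen_w or top + img_h > screen_h:
        problems.append("image extends past logical screen")
    return problems


def write_test_vectors(prefix="cve-2014-0190"):
    """Write a valid file and two broken ones for feeding to an image viewer."""
    cases = {
        "ok": build_gif(1, 1),
        "zero-image": build_gif(1, 1, img_w=0, img_h=0),
        "zero-screen": build_gif(0, 0, img_w=1, img_h=1),
    }
    names = []
    for tag, blob in cases.items():
        name = "%s-%s.gif" % (prefix, tag)
        with open(name, "wb") as fh:
            fh.write(blob)
        names.append(name)
    return names


if __name__ == "__main__":
    for tag, blob in (("ok", build_gif(1, 1)),
                      ("zero-image", build_gif(1, 1, img_w=0, img_h=0))):
        print(tag, blob.hex(), check_gif_dimensions(blob))
```

The files produced by write_test_vectors() can be opened with any QtGui-based viewer from the patched build; an unpatched build is expected to crash on the zero-size cases, a patched one to report a load failure.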
Paul Eggleton - June 18, 2014, 10:06 a.m.
Hi Jackie,

On Wednesday 18 June 2014 05:41:31 jackie.huang@windriver.com wrote:
> From: yzhu1 <yanjun.zhu@windriver.com>
> 
> The GIF decoder in QtGui in Qt before 5.3 allows remote attackers
> to cause a denial of service (NULL pointer dereference) via
> invalid width and height values in a GIF image.
> Per: http://cwe.mitre.org/data/definitions/476.html
> 
> CWE-476: NULL Pointer Dereference
> 
> http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0190
> Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
> Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> ---
>  meta/recipes-qt/qt4/qt4-4.8.6.inc                  |  1 +
>  .../qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch    | 31
> ++++++++++++++++++++++ 2 files changed, 32 insertions(+)
>  create mode 100644
> meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> 
> diff --git a/meta/recipes-qt/qt4/qt4-4.8.6.inc
> b/meta/recipes-qt/qt4/qt4-4.8.6.inc index ae6692b..9db77c9 100644
> --- a/meta/recipes-qt/qt4/qt4-4.8.6.inc
> +++ b/meta/recipes-qt/qt4/qt4-4.8.6.inc
> @@ -24,6 +24,7 @@ SRC_URI =
> "http://download.qt-project.org/official_releases/qt/4.8/${PV}/qt-ever
> file://0028-Don-t-crash-on-broken-GIF-images.patch \
>             file://g++.conf \
>             file://linux.conf \
> +           file://qt4-4.8.6-fix-CVE-2014-0190.patch \
>             "
> 
>  SRC_URI[md5sum] = "2edbe4d6c2eff33ef91732602f3518eb"
> diff --git a/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch new file
> mode 100644
> index 0000000..b8baea8
> --- /dev/null
> +++ b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> @@ -0,0 +1,31 @@
> +Upstream-status: Pending
> +Don't crash on broken GIF images
> +
> +Broken GIF images could set invalid width and height
> +values inside the image, leading to Qt creating a null
> +QImage for it. In that case we need to abort decoding
> +the image and return an error.
> +
> +Initial patch by Rich Moore.
> +
> +Task-number: QTBUG-38367
> +Change-Id: Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e
> +Security-advisory: CVE-2014-0190
> +Reviewed-by: Richard J. Moore <rich@kde.org>
> +
> +--- a/src/gui/image/qgifhandler.cpp
> ++++ b/src/gui/image/qgifhandler.cpp
> +@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, co
> +                     memset(bits, 0, image->byteCount());
> +                 }
> +
> ++                // Check if the previous attempt to create the image
> failed. If it ++                // did then the image is broken and we
> should give up. ++                if (image->isNull()) {
> ++                    state = Error;
> ++                    return -1;
> ++                }
> ++
> +                 disposePrevious(image);
> +                 disposed = false;
> +

This upstream patch is already being applied within the recipe - see 
0028-Don-t-crash-on-broken-GIF-images.patch.

Cheers,
Paul
jackie huang - June 19, 2014, 2:31 a.m.
> -----Original Message-----
> From: Paul Eggleton [mailto:paul.eggleton@linux.intel.com]
> Sent: Wednesday, June 18, 2014 6:06 PM
> To: Huang, Jie (Jackie)
> Cc: Zhu, Yanjun; openembedded-core@lists.openembedded.org
> Subject: Re: [OE-core] [PATCH 2/2] qt4-4.8.6: fix CVE-2014-0190
> 
> Hi Jackie,
> 
> On Wednesday 18 June 2014 05:41:31 jackie.huang@windriver.com wrote:
> > From: yzhu1 <yanjun.zhu@windriver.com>
> >
> > The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to
> > cause a denial of service (NULL pointer dereference) via invalid width
> > and height values in a GIF image.
> > Per: http://cwe.mitre.org/data/definitions/476.html
> >
> > CWE-476: NULL Pointer Dereference
> >
> > http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2014-0190
> > Signed-off-by: yzhu1 <yanjun.zhu@windriver.com>
> > Signed-off-by: Jackie Huang <jackie.huang@windriver.com>
> > ---
> >  meta/recipes-qt/qt4/qt4-4.8.6.inc                  |  1 +
> >  .../qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch    | 31
> > ++++++++++++++++++++++ 2 files changed, 32 insertions(+)
> >  create mode 100644
> > meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> >
> > diff --git a/meta/recipes-qt/qt4/qt4-4.8.6.inc
> > b/meta/recipes-qt/qt4/qt4-4.8.6.inc index ae6692b..9db77c9 100644
> > --- a/meta/recipes-qt/qt4/qt4-4.8.6.inc
> > +++ b/meta/recipes-qt/qt4/qt4-4.8.6.inc
> > @@ -24,6 +24,7 @@ SRC_URI =
> > "http://download.qt-project.org/official_releases/qt/4.8/${PV}/qt-ever
> > file://0028-Don-t-crash-on-broken-GIF-images.patch \
> >             file://g++.conf \
> >             file://linux.conf \
> > +           file://qt4-4.8.6-fix-CVE-2014-0190.patch \
> >             "
> >
> >  SRC_URI[md5sum] = "2edbe4d6c2eff33ef91732602f3518eb"
> > diff --git
> > a/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> > b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch new
> > file mode 100644 index 0000000..b8baea8
> > --- /dev/null
> > +++ b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
> > @@ -0,0 +1,31 @@
> > +Upstream-status: Pending
> > +Don't crash on broken GIF images
> > +
> > +Broken GIF images could set invalid width and height values inside
> > +the image, leading to Qt creating a null QImage for it. In that case
> > +we need to abort decoding the image and return an error.
> > +
> > +Initial patch by Rich Moore.
> > +
> > +Task-number: QTBUG-38367
> > +Change-Id: Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e
> > +Security-advisory: CVE-2014-0190
> > +Reviewed-by: Richard J. Moore <rich@kde.org>
> > +
> > +--- a/src/gui/image/qgifhandler.cpp
> > ++++ b/src/gui/image/qgifhandler.cpp
> > +@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, co
> > +                     memset(bits, 0, image->byteCount());
> > +                 }
> > +
> > ++                // Check if the previous attempt to create the image
> > failed. If it ++                // did then the image is broken and we
> > should give up. ++                if (image->isNull()) {
> > ++                    state = Error;
> > ++                    return -1;
> > ++                }
> > ++
> > +                 disposePrevious(image);
> > +                 disposed = false;
> > +
> 
> This upstream patch is already being applied within the recipe - see 0028-Don-t-crash-on-broken-GIF-
> images.patch.

Sorry I didn't notice it, thanks for pointing out and please ignore this.

Thanks,
Jackie

> 
> Cheers,
> Paul
> 
> --
> 
> Paul Eggleton
> Intel Open Source Technology Centre

Patch

diff --git a/meta/recipes-qt/qt4/qt4-4.8.6.inc b/meta/recipes-qt/qt4/qt4-4.8.6.inc
index ae6692b..9db77c9 100644
--- a/meta/recipes-qt/qt4/qt4-4.8.6.inc
+++ b/meta/recipes-qt/qt4/qt4-4.8.6.inc
@@ -24,6 +24,7 @@  SRC_URI = "http://download.qt-project.org/official_releases/qt/4.8/${PV}/qt-ever
            file://0028-Don-t-crash-on-broken-GIF-images.patch \
            file://g++.conf \
            file://linux.conf \
+           file://qt4-4.8.6-fix-CVE-2014-0190.patch \
            "
 
 SRC_URI[md5sum] = "2edbe4d6c2eff33ef91732602f3518eb"
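Review bot: the SRC_URI line added in this hunk duplicates a patch the recipe already carries. The unchanged context three lines above it lists file://0028-Don-t-crash-on-broken-GIF-images.patch, and the new file below contains the same QTBUG-38367 / Change-Id Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e hunk against src/gui/image/qgifhandler.cpp. With both in SRC_URI the second copy will be reported as already applied and break do_patch, since its context lines are no longer contiguous once the isNull() block is in place. Drop the added `file://qt4-4.8.6-fix-CVE-2014-0190.patch \` line together with the new file instead of adding a second copy.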
diff --git a/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
new file mode 100644
index 0000000..b8baea8
--- /dev/null
+++ b/meta/recipes-qt/qt4/qt4-4.8.6/qt4-4.8.6-fix-CVE-2014-0190.patch
@@ -0,0 +1,31 @@ 
+Upstream-status: Pending
+Don't crash on broken GIF images
+
+Broken GIF images could set invalid width and height
+values inside the image, leading to Qt creating a null
+QImage for it. In that case we need to abort decoding
+the image and return an error.
+
+Initial patch by Rich Moore.
+
+Task-number: QTBUG-38367
+Change-Id: Id82a4036f478bd6e49c402d6598f57e7e5bb5e1e
+Security-advisory: CVE-2014-0190
+Reviewed-by: Richard J. Moore <rich@kde.org>
+
+--- a/src/gui/image/qgifhandler.cpp
++++ b/src/gui/image/qgifhandler.cpp
+@@ -359,6 +359,13 @@ int QGIFFormat::decode(QImage *image, co
+                     memset(bits, 0, image->byteCount());
+                 }
+ 
++                // Check if the previous attempt to create the image failed. If it
++                // did then the image is broken and we should give up.
++                if (image->isNull()) {
++                    state = Error;
++                    return -1;
++                }
++
+                 disposePrevious(image);
+                 disposed = false;
+
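Review bot: the patch header is mislabeled. The trailer it carries (Task-number: QTBUG-38367, Change-Id, Security-advisory: CVE-2014-0190, Reviewed-by) identifies this as an upstream Qt commit, so the OE tag should read `Upstream-Status: Backport` (the capitalised spelling OE's patch tooling recognises), not `Upstream-status: Pending`, and a Signed-off-by line for whoever adds it to the layer is missing. The hunk itself is sound: the `if (image->isNull())` check sits after the (re)allocation of the QImage and before `disposePrevious(image);` and the rest of decode() touch its pixel data, and it sets state = Error so the caller sees the -1 as a failed decode rather than a partial frame.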