XPost: linux.debian.devel.release
Package: release.debian.org
Severity: normal
Tags: bookworm
X-Debbugs-Cc: qtbase-opensource-src@packages.debian.org
Control: affects -1 + src:qtbase-opensource-src
User: release.debian.org@packages.debian.org
Usertags: pu
Dear Release team,
I would like to request a stable update of the qtbase package for Bookworm.
[ Reason ]
It will fix two bugs:
- #1081682: Segfault in QAccessibleTableInterface::cellAt
- #1076293: CVE-2024-39936
[ Impact ]
The first bug is an important issue for screen reader users, which
makes Qt applications with tables unusable.
The second bug is a minor security issue.
See https://security-tracker.debian.org/tracker/CVE-2024-39936 for details.
[ Tests ]
The reporter of #1081682 has tested the patch and it works for them.
See https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1081682#17.
The patch for CVE-2024-39936 was not tested explicitly, but it was applied
in sid since 2024-07-14 and no issues were reported.
[ Risks ]
The patch for #1081682 is quite trivial: it just adds NULL pointer checks.
The patch for CVE-2024-39936 is a bit more complex, but it has a verbose explanation of what it does (I have included it in the Debian patch too).
[ Checklist ]
[x] *all* changes are documented in the d/changelog
[x] I reviewed all changes and I approve them
[x] attach debdiff against the package in (old)stable
[x] the issue is verified as fixed in unstable
[ Changes ]
* Backport upstream patch to add null checks in table iface methods in
linuxaccessibility/atspiadaptor.cpp (closes: #1081682).
* Backport upstream patch to delay any communication until encrypted() can
be responded to (CVE-2024-39936, closes: #1076293).
[ Other info ]
Links to upstream bugs, commits, patches for the first issue:
- https://bugreports.qt.io/browse/QTBUG-125954
- https://codereview.qt-project.org/c/qt/qtbase/+/518991
- https://invent.kde.org/qt/qt/qtbase/-/commit/076da096464a5d3f (KDE branch)
For the second issue:
- https://codereview.qt-project.org/c/qt/qtbase/+/571601
- https://download.qt.io/official_releases/qt/5.15/CVE-2024-39936-qtbase-5.15.patch
- https://invent.kde.org/qt/qt/qtbase/-/commit/0581ace6d4b8c0c0 (KDE branch)
--
Dmitry Shachnev
Attachment: qtbase-opensource-src_5.15.8+dfsg-11+deb12u3.diff
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,3 +1,12 @@
+qtbase-opensource-src (5.15.8+dfsg-11+deb12u3) bookworm; urgency=medium
+
+ * Backport upstream patch to add null checks in table iface methods in
+ linuxaccessibility/atspiadaptor.cpp (closes: #1081682).
+ * Backport upstream patch to delay any communication until encrypted() can
+ be responded to (CVE-2024-39936, closes: #1076293).
+
+ -- Dmitry Shachnev <
mitya57@debian.org> Mon, 24 Mar 2025 11:41:15 +0300
+
qtbase-opensource-src (5.15.8+dfsg-11+deb12u2) bookworm; urgency=medium
* Non-maintainer upload by the LTS Team.
--- /dev/null
+++ b/debian/patches/CVE-2024-39936.diff
@@ -0,0 +1,153 @@
+Description: HTTP2: delay any communication until encrypted() can be responded to
+ We have the encrypted() signal that lets users do extra checks on the
+ established connection. It is emitted as BlockingQueued, so the HTTP
+ thread stalls until it is done emitting. Users can potentially call
+ abort() on the QNetworkRe
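Review bot: The Description: field carries the upstream rationale that the [Risks] section promised, which is good; for a security backport the DEP-3 header should also carry Origin: with the upstream change (the codereview change 571601 or the KDE-branch commit listed under [Other info]) and Bug-Debian: https://bugs.debian.org/1076293, if they are not already present further down, so that the provenance of the fix and the CVE it addresses can be traced from the patch file alone.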