qtbase-opensource-src.git
13 months ago
Dmitry Shachnev [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
Merge qtbase-opensource-src (5.15.15+dfsg-2) import into refs/heads/workingbranch

13 months ago
Rex Dieter [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
properly cast types for libglvnd 1.3.4

Origin: https://src.fedoraproject.org/rpms/qt5-qtbase/blob/rawhide/f/qtbase-everywhere-src-5.15.2-libglvnd.patch

Gbp-Pq: Name cast_types_for_egl_x11_test.diff

13 months ago
Helmut Grohne [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
call pkgconfig in order to be able to cross build qtbase with MySql.

Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971604
Forwarded: not-needed
Reviewed-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Qt's build system calls mysql_config... which won't work in a cross build
environment like Debian's, as it will throw an exec format error.

In order to solve this call pkgconfig and use mysqlclient.pc.

Gbp-Pq: Name cross_build_mysql.diff

13 months ago
Pino Toscano [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
Limit Linux-only code with Q_OS_LINUX

Forwarded: no
Last-Update: 2020-04-19

The QStorageInfo/QStorageIterator implementation used for Linux is used also
on Hurd, as it uses an interface provided by GNU libc.
QStorageIterator::device() tries to use PATH_MAX (unavailable on the Hurd)
to lookup a /dev/block/ path, which exists on Linux only; hence, perform that
check within a Q_OS_LINUX block.

Gbp-Pq: Name qstorageinfo_linux.diff

13 months ago
Pino Toscano [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
Avoid unconditional PATH_MAX usage

Forwarded: no
Last-Update: 2020-04-19

Use a "safe" size in case PATH_MAX is not defined; in the end, this should not
be used, as an allocating realpath() will be used instead.

Gbp-Pq: Name path_max.diff

13 months ago
Martin Smith [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
pass default include directories to qdoc

Bug: https://bugs.debian.org/908328
Forwarded: no
Last-Update: 2020-01-28

Gbp-Pq: Name qdoc_default_incdirs.diff

13 months ago
Dmitry Shachnev [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
support ARMv4 architecture, needed for armel builds

Forwarded: no
Last-Update: 2016-07-01

Gbp-Pq: Name armv4.diff

13 months ago
Dmitry Shachnev [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
catch linker warnings in some config tests

Forwarded: https://codereview.qt-project.org/163214 (rejected)
Bug: https://bugs.debian.org/827935
Last-Update: 2019-03-02

Without this, qmake wrongly thinks that the tests succeed, for example:

./config.tests/unix/futimens/futimens.cpp:44: warning: futimens is not implemented and will always fail
test config.corelib.tests.futimens succeeded

Gbp-Pq: Name gnukfreebsd_linker_warnings.diff

13 months ago
Fathi Boudra [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
build ibase sql plugin against firebird

Forwarded: no
Last-Update: 2017-06-30

Gbp-Pq: Name link_fbclient.diff

13 months ago
Lisandro Damián Nicanor Pérez Meyer [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
remove non-used privacy-breach code

Forwarded: not-needed
Last-Update: 2015-02-18

This code makes Lintian unhappy. But we are really not using it, it only
gets inserted when building the online doc.
Anyways the best way to calm down Lintian is to simply remove it.

Gbp-Pq: Name remove_privacy_breaches.diff

13 months ago
Dmitry Shachnev [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
disable htmlinfo example which contains non-free files

Forwarded: not-needed
Last-Update: 2014-12-17

Gbp-Pq: Name no_htmlinfo_example.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
check D-Bus tray availability every time

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=3c93dedc063bf453
Last-Update: 2024-07-24

It could appear in runtime, this allows applications to watch for it
themselves and re-create QSystemTrayIcon as needed.

Gbp-Pq: Name check_dbus_tray_availability_every_time.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
don't fallback to X11 tray backend on non-X11

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f6cd286e6609cfbf
Last-Update: 2024-07-24

This allows to have system tray support on the fly on Wayland at least
where only QDBusTrayIcon is possible and no need to fallback to
QSystemTrayIconSys

Gbp-Pq: Name dont_fallback_to_x11_tray_on_non_x11.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
Revert "D-Bus system tray: properly check whether StatusNotifierHost available"

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=447f3ade9a284d52
Last-Update: 2024-07-24

The original commit was made based on a KDE workaround for
libdbusmenu-qt crash, but Qt is not using libdbusmenu-qt, Qt is not
watching for StatusNotifierHost registration and Qt is not capable
to switch backends on the fly leading to tray support being
not detected on Plasma Wayland sessions and falling back to the poor
legacy protocol on X11.

Gbp-Pq: Name revert_statusnotifierhost_checking.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
QFutureInterface: fix build with GCC14/C++20: template-id not allowed

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=111c08d0eaa13465
Last-Update: 2024-07-24

When declaring a constructor, you must use the injected name, not a
template.

qfutureinterface.h:472:37: error: template-id not allowed for constructor in C++20 [-Werror=template-id-cdtor]

Gbp-Pq: Name gcc_14.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
HTTP2: delay any communication until encrypted() can be responded to

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=b1e75376cc3adfc7
Last-Update: 2024-07-14

We have the encrypted() signal that lets users do extra checks on the
established connection. It is emitted as BlockingQueued, so the HTTP
thread stalls until it is done emitting. Users can potentially call
abort() on the QNetworkReply at that point, which is passed as a Queued
call back to the HTTP thread. That means that any currently queued
signal emission will be processed before the abort() call is processed.

In the case of HTTP2 it is a little special since it is multiplexed and
the code is built to start requests as they are available. This means
that, while the code worked fine for HTTP1, since one connection only
has one request, it is not working for HTTP2, since we try to send more
requests in-between the encrypted() signal and the abort() call.

This patch changes the code to delay any communication until the
encrypted() signal has been emitted and processed, for HTTP2 only.
It's done by adding a few booleans, both to know that we have to return
early and so we can keep track of what events arose and what we need to
resume once enough time has passed that any abort() call must have been
processed.

Gbp-Pq: Name CVE-2024-39936.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
improve KTX file reading memory safety

Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff
Last-Update: 2024-02-17

Gbp-Pq: Name CVE-2024-25580.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
HPack: fix incorrect integer overflow check

Origin: upstream
 https://download.qt.io/official_releases/qt/5.15/0001-CVE-2023-51714-qtbase-5.15.diff
 https://download.qt.io/official_releases/qt/5.15/0002-CVE-2023-51714-qtbase-5.15.diff
Last-Update: 2024-01-13

Gbp-Pq: Name CVE-2023-51714.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
add support for LoongArch

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bdc16f086f1664b5
Last-Update: 2024-03-09

Gbp-Pq: Name loongarch.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
xkb: fix build with libxkbcommon 1.6.0 and later

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=8af35d27e8f02bbb
Last-Update: 2023-10-17

A few XKB_KEY_dead_* defines got removed from 1.6.0. See also
https://github.com/xkbcommon/libxkbcommon/blob/6073565903488cb5b9a8d37fdc4a7c2f9d7ad04d/NEWS#L9-L14
https://gitlab.freedesktop.org/xorg/proto/xorgproto/-/merge_requests/70/diffs?commit_id=cb44799b72f611eb4c9d7cc185bc3b09e070be08

Gbp-Pq: Name libxkbcommon_1.6.0.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
fix capitalization error in auto-generated qdbusmacros.h include

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=dca0304c26012a57
Last-Update: 2023-05-13

Gbp-Pq: Name fix_qdbusmacros_h.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
OpenFile portal: do not use O_PATH fds

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=03cbcba7b2b0e42a
Last-Update: 2023-05-13

Using O_PATH requires correctly specifying whether the fd is writable or
not. Stating that the fd is writable without it actually being writable
results in rejection on xdg-desktop-portal side. Other implementations
like xdg-open or gtk have also moved away from O_PATH fds so this will
make a matching implementation and avoid possible rejections from xdp.

Gbp-Pq: Name dont_use_O_PATH.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
fix accessibility on XCB when running as root

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=db346e711c9af505
Bug: https://bugs.debian.org/1033995
Last-Update: 2023-04-15

Accessibility actually works when running applications as root, but we
would never properly connect, since the enabledChanged signal would be
emitted from the constructor in this case. So after connecting the
signal, check the value by hand to make sure not to miss the
notification.

Only applications running as root would be affected, because all other
applications would go through the asynchronous pattern of getting the
bus address from dbus instead.

Gbp-Pq: Name a11y_root.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
SQL/ODBC: add another check to detect unicode availability in driver

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f19320748d282b1e
Last-Update: 2024-05-25

Since ODBC does not have a direct way of finding out if unicode is
supported by the underlying driver the ODBC plugin does some checks. As
a last resort a sql statement is executed which returns a string. But
even this may fail because the select statement has no FROM part, which
at least Oracle does not allow. Therefore add another
query which is correct for Oracle & DB2 as a workaround. The question
why the first three statements to check for unicode availability fail
is still open but can't be checked since I've no access to an oracle
database.

Gbp-Pq: Name sql_odbc_more_unicode_checks.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
do not set Qt::ToolTip flag for QShapedPixmapWindow

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=180b496b537089b8
Bug: https://bugreports.qt.io/browse/QTBUG-98048
Last-Update: 2023-05-20

This hint is not really needed in the first place and only causes
problems in some environments.

For example in KDE, the compositor animates changes in position and size
for all ToolTip windows. However, this is not wanted here because we use
this window as a thumbnail for a drag-and-drop operation.
Before this patch the dragged element would lag significantly behind the
cursor. Now it works as expected, i.e. the dragged element follows the
cursor immediately.

Gbp-Pq: Name qshapedpixmapwindow_no_tooltip.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
use wayland platform plugin on GNOME wayland sessions by default

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=dda7dab8274991e4
Last-Update: 2022-10-16

Qt wayland platform plugin has improved quite a lot and it is now pretty
much usable on Gnome. It also improves user experience a lot on HiDPI
displays.

Gbp-Pq: Name gnome_wayland.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
widgets: setTransientParent() when a QMenu is a window

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=493a85a9e4688744
Last-Update: 2022-10-16

On some platforms, such as X11 and Wayland with some compositors,
QMenu could be a popup window, which should be set a transient parent
to get relative position, which is requested by Wayland.

Added transientParentWindow() for QMenuPrivate like QDialogPrivate.

Gbp-Pq: Name qmenu_set_transient_parent.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
upstream fixes to support OpenSSL 3.0

Origin: upstream, commits
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=3186ca3e3972cf46
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=408656c6f9de326c
Last-Update: 2023-10-17

Gbp-Pq: Name openssl3.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
QPushButton/fusion style: don't ignore QIcon::On icon

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e9ccdf4d84157173
Last-Update: 2021-08-10

The fusion style did ignore the QIcon::On icon because it reset
State_On to avoid the visual shift of a pressed button.
But it's not needed to reset this flag - the shift does not happen
because the fusion style does return 0 as offset for
PM_ButtonShiftHorizontal/PM_ButtonShiftVertical so no shifting will
happen.

Gbp-Pq: Name fusion_checkable_qpushbutton.diff

13 months ago
Debian Qt/KDE Maintainers [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
adjust QMimeDatabase implementation

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=0cbbba2aa5b47224
Last-Update: 2021-06-12

When multiple globs match, and the result from magic sniffing is
unrelated to any of those globs, globs have priority and one of them
should be picked up.

Gbp-Pq: Name mime_globs.diff

13 months ago
Dmitry Shachnev [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
qtbase-opensource-src (5.15.15+dfsg-2) unstable; urgency=medium

  * Upload to unstable.

[dgit import unpatched qtbase-opensource-src 5.15.15+dfsg-2]

13 months ago
Dmitry Shachnev [Fri, 25 Oct 2024 09:40:08 +0000 (12:40 +0300)]
Import qtbase-opensource-src_5.15.15+dfsg-2.debian.tar.xz

[dgit import tarball qtbase-opensource-src 5.15.15+dfsg-2 qtbase-opensource-src_5.15.15+dfsg-2.debian.tar.xz]

15 months ago
Dmitry Shachnev [Fri, 30 Aug 2024 19:07:11 +0000 (22:07 +0300)]
Import qtbase-opensource-src_5.15.15+dfsg.orig.tar.xz

[dgit import orig qtbase-opensource-src_5.15.15+dfsg.orig.tar.xz]

16 months ago
Dmitry Shachnev [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
Merge qtbase-opensource-src (5.15.13+dfsg-4) import into refs/heads/workingbranch

16 months ago
Rex Dieter [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
properly cast types for libglvnd 1.3.4

Origin: https://src.fedoraproject.org/rpms/qt5-qtbase/blob/rawhide/f/qtbase-everywhere-src-5.15.2-libglvnd.patch

Gbp-Pq: Name cast_types_for_egl_x11_test.diff

16 months ago
Helmut Grohne [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
call pkgconfig in order to be able to cross build qtbase with MySql.

Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971604
Forwarded: not-needed
Reviewed-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Qt's build system calls mysql_config... which won't work in a cross build
environment like Debian's, as it will throw an exec format error.

In order to solve this call pkgconfig and use mysqlclient.pc.

Gbp-Pq: Name cross_build_mysql.diff

16 months ago
Pino Toscano [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
Limit Linux-only code with Q_OS_LINUX

Forwarded: no
Last-Update: 2020-04-19

The QStorageInfo/QStorageIterator implementation used for Linux is used also
on Hurd, as it uses an interface provided by GNU libc.
QStorageIterator::device() tries to use PATH_MAX (unavailable on the Hurd)
to lookup a /dev/block/ path, which exists on Linux only; hence, perform that
check within a Q_OS_LINUX block.

Gbp-Pq: Name qstorageinfo_linux.diff

16 months ago
Pino Toscano [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
Avoid unconditional PATH_MAX usage

Forwarded: no
Last-Update: 2020-04-19

Use a "safe" size in case PATH_MAX is not defined; in the end, this should not
be used, as an allocating realpath() will be used instead.

Gbp-Pq: Name path_max.diff

16 months ago
Martin Smith [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
pass default include directories to qdoc

Bug: https://bugs.debian.org/908328
Forwarded: no
Last-Update: 2020-01-28

Gbp-Pq: Name qdoc_default_incdirs.diff

16 months ago
Dmitry Shachnev [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
support ARMv4 architecture, needed for armel builds

Forwarded: no
Last-Update: 2016-07-01

Gbp-Pq: Name armv4.diff

16 months ago
Dmitry Shachnev [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
catch linker warnings in some config tests

Forwarded: https://codereview.qt-project.org/163214 (rejected)
Bug: https://bugs.debian.org/827935
Last-Update: 2019-03-02

Without this, qmake wrongly thinks that the tests succeed, for example:

./config.tests/unix/futimens/futimens.cpp:44: warning: futimens is not implemented and will always fail
test config.corelib.tests.futimens succeeded

Gbp-Pq: Name gnukfreebsd_linker_warnings.diff

16 months ago
Fathi Boudra [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
build ibase sql plugin against firebird

Forwarded: no
Last-Update: 2017-06-30

Gbp-Pq: Name link_fbclient.diff

16 months ago
Lisandro Damián Nicanor Pérez Meyer [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
remove non-used privacy-breach code

Forwarded: not-needed
Last-Update: 2015-02-18

This code makes Lintian unhappy. But we are really not using it, it only
gets inserted when building the online doc.
Anyways the best way to calm down Lintian is to simply remove it.

Gbp-Pq: Name remove_privacy_breaches.diff

16 months ago
Dmitry Shachnev [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
disable htmlinfo example which contains non-free files

Forwarded: not-needed
Last-Update: 2014-12-17

Gbp-Pq: Name no_htmlinfo_example.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
check D-Bus tray availability every time

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=3c93dedc063bf453
Last-Update: 2024-07-24

It could appear in runtime, this allows applications to watch for it
themselves and re-create QSystemTrayIcon as needed.

Gbp-Pq: Name check_dbus_tray_availability_every_time.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
don't fallback to X11 tray backend on non-X11

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f6cd286e6609cfbf
Last-Update: 2024-07-24

This allows to have system tray support on the fly on Wayland at least
where only QDBusTrayIcon is possible and no need to fallback to
QSystemTrayIconSys

Gbp-Pq: Name dont_fallback_to_x11_tray_on_non_x11.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
Revert "D-Bus system tray: properly check whether StatusNotifierHost available"

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=447f3ade9a284d52
Last-Update: 2024-07-24

The original commit was made based on a KDE workaround for
libdbusmenu-qt crash, but Qt is not using libdbusmenu-qt, Qt is not
watching for StatusNotifierHost registration and Qt is not capable
to switch backends on the fly leading to tray support being
not detected on Plasma Wayland sessions and falling back to the poor
legacy protocol on X11.

Gbp-Pq: Name revert_statusnotifierhost_checking.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
QFutureInterface: fix build with GCC14/C++20: template-id not allowed

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=111c08d0eaa13465
Last-Update: 2024-07-24

When declaring a constructor, you must use the injected name, not a
template.

qfutureinterface.h:472:37: error: template-id not allowed for constructor in C++20 [-Werror=template-id-cdtor]

Gbp-Pq: Name gcc_14.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
HTTP2: delay any communication until encrypted() can be responded to

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=b1e75376cc3adfc7
Last-Update: 2024-07-14

We have the encrypted() signal that lets users do extra checks on the
established connection. It is emitted as BlockingQueued, so the HTTP
thread stalls until it is done emitting. Users can potentially call
abort() on the QNetworkReply at that point, which is passed as a Queued
call back to the HTTP thread. That means that any currently queued
signal emission will be processed before the abort() call is processed.

In the case of HTTP2 it is a little special since it is multiplexed and
the code is built to start requests as they are available. This means
that, while the code worked fine for HTTP1, since one connection only
has one request, it is not working for HTTP2, since we try to send more
requests in-between the encrypted() signal and the abort() call.

This patch changes the code to delay any communication until the
encrypted() signal has been emitted and processed, for HTTP2 only.
It's done by adding a few booleans, both to know that we have to return
early and so we can keep track of what events arose and what we need to
resume once enough time has passed that any abort() call must have been
processed.

Gbp-Pq: Name CVE-2024-39936.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
improve KTX file reading memory safety

Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff
Last-Update: 2024-02-17

Gbp-Pq: Name CVE-2024-25580.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
HPack: fix incorrect integer overflow check

Origin: upstream
 https://download.qt.io/official_releases/qt/5.15/0001-CVE-2023-51714-qtbase-5.15.diff
 https://download.qt.io/official_releases/qt/5.15/0002-CVE-2023-51714-qtbase-5.15.diff
Last-Update: 2024-01-13

Gbp-Pq: Name CVE-2023-51714.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
add support for LoongArch

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bdc16f086f1664b5
Last-Update: 2024-03-09

Gbp-Pq: Name loongarch.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
xkb: fix build with libxkbcommon 1.6.0 and later

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=8af35d27e8f02bbb
Last-Update: 2023-10-17

A few XKB_KEY_dead_* defines got removed from 1.6.0. See also
https://github.com/xkbcommon/libxkbcommon/blob/6073565903488cb5b9a8d37fdc4a7c2f9d7ad04d/NEWS#L9-L14
https://gitlab.freedesktop.org/xorg/proto/xorgproto/-/merge_requests/70/diffs?commit_id=cb44799b72f611eb4c9d7cc185bc3b09e070be08

Gbp-Pq: Name libxkbcommon_1.6.0.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
QXmlStreamReader: Raise error on unexpected tokens

Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-38197-qtbase-5.15.diff
Last-Update: 2023-07-15

QXmlStreamReader accepted multiple DOCTYPE elements, containing DTD
fragments in the XML prolog, and in the XML body.
Well-formed but invalid XML files - with multiple DTD fragments in
prolog and body, combined with recursive entity expansions - have
caused infinite loops in QXmlStreamReader.

This patch implements a token check in QXmlStreamReader.
A stream is allowed to start with an XML prolog. StartDocument
and DOCTYPE elements are only allowed in this prolog, which
may also contain ProcessingInstruction and Comment elements.
As soon as anything else is seen, the prolog ends.
After that, the prolog-specific elements are treated as unexpected.
Furthermore, the prolog can contain at most one DOCTYPE element.

Update the documentation to reflect the new behavior.
Add an autotest that checks the new error cases are correctly detected,
and no error is raised for legitimate input.

The original OSS-Fuzz files (see bug reports) are not included in this
patch for file size reasons. They have been tested manually. Each of
them has more than one DOCTYPE element, causing infinite loops in
recursive entity expansions. The newly implemented functionality
detects those invalid DTD fragments. By raising an error, it aborts
stream reading before an infinite loop occurs.

Thanks to OSS-Fuzz for finding this.

Gbp-Pq: Name CVE-2023-38197.diff
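
The token check described in the CVE-2023-38197 commit message above, written out as a small state machine. This is an added example, not code from the Qt patch or from this repository; the Token enum, PrologChecker and firstUnexpectedToken are hypothetical names, and the token streams in main() are constructed samples with insignificant whitespace assumed to be already dropped.

```cpp
#include <cstddef>
#include <iostream>
#include <string>
#include <vector>

// Hypothetical token kinds, modelled on the element names used in the
// commit message (not the real QXmlStreamReader::TokenType enum).
enum class Token {
    StartDocument, Doctype, ProcessingInstruction, Comment,
    StartElement, EndElement, Characters
};

class PrologChecker {
public:
    // Returns true if `t` is allowed at this position. After the first
    // rejection the checker stays in the error state, so a caller stops
    // reading before a second DTD fragment is ever processed.
    bool accept(Token t) {
        if (!error_.empty())
            return false;
        switch (t) {
        case Token::StartDocument:
            if (!inProlog_)
                return fail("StartDocument outside the prolog");
            return true;
        case Token::Doctype:
            if (!inProlog_)
                return fail("DOCTYPE outside the prolog");
            if (seenDoctype_)
                return fail("more than one DOCTYPE in the prolog");
            seenDoctype_ = true;
            return true;
        case Token::ProcessingInstruction:
        case Token::Comment:
            // Allowed inside the prolog and do not end it.
            return true;
        default:
            // Anything else ends the prolog for the rest of the stream.
            inProlog_ = false;
            return true;
        }
    }

    const std::string &error() const { return error_; }

private:
    bool fail(const char *msg) {
        error_ = msg;
        return false;
    }

    bool inProlog_ = true;
    bool seenDoctype_ = false;
    std::string error_;
};

// Index of the first rejected token, or -1 if the whole stream is accepted.
int firstUnexpectedToken(const std::vector<Token> &tokens,
                         std::string *why = nullptr) {
    PrologChecker checker;
    for (std::size_t i = 0; i < tokens.size(); ++i) {
        if (!checker.accept(tokens[i])) {
            if (why)
                *why = checker.error();
            return static_cast<int>(i);
        }
    }
    return -1;
}

int main() {
    // Constructed sample streams, not the OSS-Fuzz inputs.
    const std::vector<Token> legitimate = {
        Token::StartDocument, Token::Comment, Token::Doctype,
        Token::ProcessingInstruction, Token::StartElement,
        Token::Characters, Token::EndElement};
    const std::vector<Token> doctypeInBody = {
        Token::StartDocument, Token::Doctype, Token::StartElement,
        Token::Doctype, Token::EndElement};

    std::string why;
    std::cout << "legitimate: " << firstUnexpectedToken(legitimate) << "\n";
    std::cout << "doctype in body: "
              << firstUnexpectedToken(doctypeInBody, &why)
              << " (" << why << ")\n";
    return 0;
}
```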

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
QXmlStreamReader: make fastScanName() indicate parsing status to callers

Origin: upstream, commits
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=1a423ce4372d18a7
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=6326bec46a618c72
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bdc8dc51380d2ce4
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=3bc3b8d69a291aa5
 .
 Based on KDE's backport:
 https://invent.kde.org/qt/qt/qtbase/-/merge_requests/263
Last-Update: 2023-07-15

This fixes a crash while parsing an XML file with garbage data, the file
starts with '<' then garbage data:
- The loop in the parse() keeps iterating until it hits "case 262:",
  which calls fastScanName()
- fastScanName() iterates over the text buffer scanning for the
  attribute name (e.g. "xml:lang"), until it finds ':'
- Consider a Value val, fastScanName() is called on it, it would set
  val.prefix to a number > val.len, then it would hit the 4096 condition
  and return (returned 0, now it returns the equivalent of
  std::null_opt), which means that val.len doesn't get modified, making
  it smaller than val.prefix
- The code would try constructing an XmlStringRef with negative length,
  which would hit an assert in one of QStringView's constructors

Add an assert to the XmlStringRef constructor.

Add unittest based on the file from the bug report.

Credit to OSS-Fuzz.

Gbp-Pq: Name CVE-2023-37369.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
fix capitalization error in auto-generated qdbusmacros.h include

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=dca0304c26012a57
Last-Update: 2023-05-13

Gbp-Pq: Name fix_qdbusmacros_h.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
OpenFile portal: do not use O_PATH fds

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=03cbcba7b2b0e42a
Last-Update: 2023-05-13

Using O_PATH requires correctly specifying whether the fd is writable or
not. Stating that the fd is writable without it actually being writable
results in rejection on xdg-desktop-portal side. Other implementations
like xdg-open or gtk have also moved away from O_PATH fds so this will
make a matching implementation and avoid possible rejections from xdp.

Gbp-Pq: Name dont_use_O_PATH.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
fix accessibility on XCB when running as root

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=db346e711c9af505
Bug: https://bugs.debian.org/1033995
Last-Update: 2023-04-15

Accessibility actually works when running applications as root, but we
would never properly connect, since the enabledChanged signal would be
emitted from the constructor in this case. So after connecting the
signal, check the value by hand to make sure not to miss the
notification.

Only applications running as root would be affected, because all other
applications would go through the asynchronous pattern of getting the
bus address from dbus instead.

Gbp-Pq: Name a11y_root.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
QSQL/ODBC: fix regression (trailing NUL)

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=9020034b3b6a3a81
Last-Update: 2023-06-30

When we fixed the callers of toSQLTCHAR() to use the result's size()
instead of the input's (which differ, if sizeof(SQLTCHAR) != 2), we
exposed callers to the append(0), which changes the size() of the
result QVLA. Callers that don't rely on NUL-termination (all?) now saw
an additional trailing NUL.

Fix by not NUL-terminating, and changing the only user of SQL_NTS to
use an explicit length.

Gbp-Pq: Name sql_odbc_fix_unicode_check.diff

16 months ago
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
SQL/ODBC: add another check to detect unicode availability in driver

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f19320748d282b1e
Last-Update: 2023-06-30

Since ODBC does not have a direct way of finding out if unicode is
supported by the underlying driver, the ODBC plugin does some checks. As
a last resort a SQL statement is executed which returns a string. But
even this may fail because the select statement has no FROM part, which
is rejected by at least Oracle. Therefore add another
query which is correct for Oracle & DB2 as a workaround. The question
why the first three statements to check for unicode availability fail
is still open but can't be checked since I've no access to an Oracle
database.

Gbp-Pq: Name sql_odbc_more_unicode_checks.diff

16 months ago Ssl: Copy the on-demand cert loading bool from default config
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
Ssl: Copy the on-demand cert loading bool from default config

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=57ba6260c0801055
Last-Update: 2023-06-08

Otherwise individual sockets will still load system certificates when
a chain doesn't match against the configured CA certificates.
That's not intended behavior, since specifically setting the CA
certificates means you don't want the system certificates to be used.

This is potentially a breaking change because now, if you ever add a
CA to the default config, it will disable loading system certificates
on demand for all sockets. And the only way to re-enable it is to
create a null-QSslConfiguration and set it as the new default.

Gbp-Pq: Name CVE-2023-34410.diff

16 months ago QDnsLookup/Unix: make sure we don't overflow the buffer
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
QDnsLookup/Unix: make sure we don't overflow the buffer

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=7dba2c87619d558a
Last-Update: 2023-05-25

The DNS Records are variable length and encode their size in 16 bits
before the Record Data (RDATA). Ensure that both the RDATA and the
Record header fields before it fall inside the buffer we have.

Additionally reject any replies containing more than one query record.

Gbp-Pq: Name CVE-2023-33285.diff

16 months ago hsts: match header names case insensitively
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
hsts: match header names case insensitively

Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff
Last-Update: 2023-05-22

Header field names are always considered to be case-insensitive.

Gbp-Pq: Name CVE-2023-32762.diff

16 months ago fix buffer overflow in Qt SVG
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
fix buffer overflow in Qt SVG

Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff
Last-Update: 2023-05-22

Adds qAddOverflow and qMulOverflow definitions to QFixed.

Gbp-Pq: Name CVE-2023-32763.diff

16 months ago do not set Qt::ToolTip flag for QShapedPixmapWindow
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
do not set Qt::ToolTip flag for QShapedPixmapWindow

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=180b496b537089b8
Bug: https://bugreports.qt.io/browse/QTBUG-98048
Last-Update: 2023-05-20

This hint is not really needed in the first place and only causes
problems in some environments.

For example in KDE, the compositor animates changes in position and size
for all ToolTip windows. However, this is not wanted here because we use
this window as a thumbnail for a drag-and-drop operation.
Before this patch the dragged element would lag significantly behind the
cursor. Now it works as expected, i.e. the dragged element follows the
cursor immediately.

Gbp-Pq: Name qshapedpixmapwindow_no_tooltip.diff

16 months ago use wayland platform plugin on GNOME wayland sessions by default
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
use wayland platform plugin on GNOME wayland sessions by default

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=dda7dab8274991e4
Last-Update: 2022-10-16

Qt wayland platform plugin has improved quite a lot and it is now pretty
much usable on Gnome. It also improves user experience a lot on HiDPI
displays.

Gbp-Pq: Name gnome_wayland.diff

16 months ago widgets: setTransientParent() when a QMenu is a window
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
widgets: setTransientParent() when a QMenu is a window

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=493a85a9e4688744
Last-Update: 2022-10-16

On some platforms, such as X11 and Wayland with some compositors,
QMenu could be a popup window, which should be set a transient parent
to get relative position, which is requested by Wayland.

Added transientParentWindow() for QMenuPrivate like QDialogPrivate.

Gbp-Pq: Name qmenu_set_transient_parent.diff

16 months ago upstream fixes to support OpenSSL 3.0
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
upstream fixes to support OpenSSL 3.0

Origin: upstream, commits
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=3186ca3e3972cf46
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=408656c6f9de326c
Last-Update: 2023-10-17

Gbp-Pq: Name openssl3.diff

16 months ago QPushButton/fusion style: don't ignore QIcon::On icon
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
QPushButton/fusion style: don't ignore QIcon::On icon

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e9ccdf4d84157173
Last-Update: 2021-08-10

The fusion style did ignore the QIcon::On icon because it reset
State_On to avoid the visual shift of a pressed button.
But it's not needed to reset this flag - the shift does not happen
because the fusion style does return 0 as offset for
PM_ButtonShiftHorizontal/PM_ButtonShiftVertical so no shifting will
happen.

Gbp-Pq: Name fusion_checkable_qpushbutton.diff

16 months ago adjust QMimeDatabase implementation
Debian Qt/KDE Maintainers [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
adjust QMimeDatabase implementation

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=0cbbba2aa5b47224
Last-Update: 2021-06-12

When multiple globs match, and the result from magic sniffing is
unrelated to any of those globs, globs have priority and one of them
should be picked up.

Gbp-Pq: Name mime_globs.diff

16 months ago qtbase-opensource-src (5.15.13+dfsg-4) unstable; urgency=medium
Dmitry Shachnev [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
qtbase-opensource-src (5.15.13+dfsg-4) unstable; urgency=medium

  * Backport upstream patch to fix qfutureinterface.h for GCC 14
    (closes: #1075430).
  * Backport three upstream patches to improve D-Bus tray integration,
    in particular on non-X11 desktops (LP: #2059819).
  * Update symbols files for GCC 14.

[dgit import unpatched qtbase-opensource-src 5.15.13+dfsg-4]

16 months ago Import qtbase-opensource-src_5.15.13+dfsg-4.debian.tar.xz
Dmitry Shachnev [Thu, 25 Jul 2024 12:43:37 +0000 (15:43 +0300)]
Import qtbase-opensource-src_5.15.13+dfsg-4.debian.tar.xz

[dgit import tarball qtbase-opensource-src 5.15.13+dfsg-4 qtbase-opensource-src_5.15.13+dfsg-4.debian.tar.xz]

17 months ago Merge qtbase-opensource-src (5.15.13+dfsg-3) import into refs/heads/workingbranch
Dmitry Shachnev [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
Merge qtbase-opensource-src (5.15.13+dfsg-3) import into refs/heads/workingbranch

17 months ago properly cast types for libglvnd 1.3.4
Rex Dieter [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
properly cast types for libglvnd 1.3.4

Origin: https://src.fedoraproject.org/rpms/qt5-qtbase/blob/rawhide/f/qtbase-everywhere-src-5.15.2-libglvnd.patch

Gbp-Pq: Name cast_types_for_egl_x11_test.diff

17 months ago call pkgconfig in order to be able to cross build qtbase with MySql.
Helmut Grohne [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
call pkgconfig in order to be able to cross build qtbase with MySql.

Bug-Debian: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=971604
Forwarded: not-needed
Reviewed-by: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Qt's build system calls mysql_config... which won't work in a cross build
environment like Debian's, as it will throw an exec format error.

In order to solve this call pkgconfig and use mysqlclient.pc.

Gbp-Pq: Name cross_build_mysql.diff

17 months ago Limit Linux-only code with Q_OS_LINUX
Pino Toscano [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
Limit Linux-only code with Q_OS_LINUX

Forwarded: no
Last-Update: 2020-04-19

The QStorageInfo/QStorageIterator implementation used for Linux is used also
on Hurd, as it uses an interface provided by GNU libc.
QStorageIterator::device() tries to use PATH_MAX (unavailable on the Hurd)
to lookup a /dev/block/ path, which exists on Linux only; hence, perform that
check within a Q_OS_LINUX block.

Gbp-Pq: Name qstorageinfo_linux.diff

17 months ago Avoid unconditional PATH_MAX usage
Pino Toscano [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
Avoid unconditional PATH_MAX usage

Forwarded: no
Last-Update: 2020-04-19

Use a "safe" size in case PATH_MAX is not defined; in the end, this should not
be used, as an allocating realpath() will be used instead.

Gbp-Pq: Name path_max.diff

17 months ago pass default include directories to qdoc
Martin Smith [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
pass default include directories to qdoc

Bug: https://bugs.debian.org/908328
Forwarded: no
Last-Update: 2020-01-28

Gbp-Pq: Name qdoc_default_incdirs.diff

17 months ago support ARMv4 architecture, needed for armel builds
Dmitry Shachnev [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
support ARMv4 architecture, needed for armel builds

Forwarded: no
Last-Update: 2016-07-01

Gbp-Pq: Name armv4.diff

17 months ago catch linker warnings in some config tests
Dmitry Shachnev [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
catch linker warnings in some config tests

Forwarded: https://codereview.qt-project.org/163214 (rejected)
Bug: https://bugs.debian.org/827935
Last-Update: 2019-03-02

Without this, qmake wrongly thinks that the tests succeed, for example:

./config.tests/unix/futimens/futimens.cpp:44: warning: futimens is not implemented and will always fail
test config.corelib.tests.futimens succeeded

Gbp-Pq: Name gnukfreebsd_linker_warnings.diff

17 months ago build ibase sql plugin against firebird
Fathi Boudra [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
build ibase sql plugin against firebird

Forwarded: no
Last-Update: 2017-06-30

Gbp-Pq: Name link_fbclient.diff

17 months ago remove non-used privacy-breach code
Lisandro Damián Nicanor Pérez Meyer [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
remove non-used privacy-breach code

Forwarded: not-needed
Last-Update: 2015-02-18

This code makes Lintian unhappy. But we are really not using it, it only
gets inserted when building the online doc.
Anyways the best way to calm down Lintian is to simply remove it.

Gbp-Pq: Name remove_privacy_breaches.diff

17 months ago disable htmlinfo example which contains non-free files
Dmitry Shachnev [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
disable htmlinfo example which contains non-free files

Forwarded: not-needed
Last-Update: 2014-12-17

Gbp-Pq: Name no_htmlinfo_example.diff

17 months ago HTTP2: delay any communication until encrypted() can be responded to
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
HTTP2: delay any communication until encrypted() can be responded to

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=b1e75376cc3adfc7
Last-Update: 2024-07-14

We have the encrypted() signal that lets users do extra checks on the
established connection. It is emitted as BlockingQueued, so the HTTP
thread stalls until it is done emitting. Users can potentially call
abort() on the QNetworkReply at that point, which is passed as a Queued
call back to the HTTP thread. That means that any currently queued
signal emission will be processed before the abort() call is processed.

In the case of HTTP2 it is a little special since it is multiplexed and
the code is built to start requests as they are available. This means
that, while the code worked fine for HTTP1, since one connection only
has one request, it is not working for HTTP2, since we try to send more
requests in-between the encrypted() signal and the abort() call.

This patch changes the code to delay any communication until the
encrypted() signal has been emitted and processed, for HTTP2 only.
It's done by adding a few booleans, both to know that we have to return
early and so we can keep track of what events arose and what we need to
resume once enough time has passed that any abort() call must have been
processed.

Gbp-Pq: Name CVE-2024-39936.diff

17 months ago improve KTX file reading memory safety
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
improve KTX file reading memory safety

Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff
Last-Update: 2024-02-17

Gbp-Pq: Name CVE-2024-25580.diff

17 months ago HPack: fix incorrect integer overflow check
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
HPack: fix incorrect integer overflow check

Origin: upstream
 https://download.qt.io/official_releases/qt/5.15/0001-CVE-2023-51714-qtbase-5.15.diff
 https://download.qt.io/official_releases/qt/5.15/0002-CVE-2023-51714-qtbase-5.15.diff
Last-Update: 2024-01-13

Gbp-Pq: Name CVE-2023-51714.diff

17 months ago add support for LoongArch
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
add support for LoongArch

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bdc16f086f1664b5
Last-Update: 2024-03-09

Gbp-Pq: Name loongarch.diff

17 months ago xkb: fix build with libxkbcommon 1.6.0 and later
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
xkb: fix build with libxkbcommon 1.6.0 and later

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=8af35d27e8f02bbb
Last-Update: 2023-10-17

A few XKB_KEY_dead_* defines got removed from 1.6.0. See also
https://github.com/xkbcommon/libxkbcommon/blob/6073565903488cb5b9a8d37fdc4a7c2f9d7ad04d/NEWS#L9-L14
https://gitlab.freedesktop.org/xorg/proto/xorgproto/-/merge_requests/70/diffs?commit_id=cb44799b72f611eb4c9d7cc185bc3b09e070be08

Gbp-Pq: Name libxkbcommon_1.6.0.diff

17 months ago QXmlStreamReader: Raise error on unexpected tokens
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
QXmlStreamReader: Raise error on unexpected tokens

Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-38197-qtbase-5.15.diff
Last-Update: 2023-07-15

QXmlStreamReader accepted multiple DOCTYPE elements, containing DTD
fragments in the XML prolog, and in the XML body.
Well-formed but invalid XML files - with multiple DTD fragments in
prolog and body, combined with recursive entity expansions - have
caused infinite loops in QXmlStreamReader.

This patch implements a token check in QXmlStreamReader.
A stream is allowed to start with an XML prolog. StartDocument
and DOCTYPE elements are only allowed in this prolog, which
may also contain ProcessingInstruction and Comment elements.
As soon as anything else is seen, the prolog ends.
After that, the prolog-specific elements are treated as unexpected.
Furthermore, the prolog can contain at most one DOCTYPE element.

Update the documentation to reflect the new behavior.
Add an autotest that checks the new error cases are correctly detected,
and no error is raised for legitimate input.

The original OSS-Fuzz files (see bug reports) are not included in this
patch for file size reasons. They have been tested manually. Each of
them has more than one DOCTYPE element, causing infinite loops in
recursive entity expansions. The newly implemented functionality
detects those invalid DTD fragments. By raising an error, it aborts
stream reading before an infinite loop occurs.

Thanks to OSS-Fuzz for finding this.

Gbp-Pq: Name CVE-2023-38197.diff
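
The token check described in the commit message above, as an added sketch that is not part of the commit or of Qt's code. The `Token` enum, `PrologCheck` class and the token sequences are hypothetical and constructed for illustration; the message does not say whether a repeated StartDocument inside the prolog is rejected, so this sketch allows it.

```cpp
#include <cstddef>
#include <cstdio>
#include <vector>

// Token kinds named after the commit message; these types are hypothetical, not Qt's.
enum class Token { StartDocument, Doctype, ProcessingInstruction, Comment,
                   StartElement, EndElement, Characters };

class PrologCheck {
public:
    // Returns false when the token is unexpected and reading should stop with an error.
    bool accept(Token t)
    {
        const bool prologOnly = t == Token::StartDocument || t == Token::Doctype;
        const bool allowedAnywhere = t == Token::ProcessingInstruction || t == Token::Comment;
        if (inProlog && !prologOnly && !allowedAnywhere)
            inProlog = false;      // anything else ends the prolog for good
        if (!prologOnly)
            return true;
        if (!inProlog)
            return false;          // StartDocument or DOCTYPE after the prolog
        if (t == Token::Doctype) {
            if (seenDoctype)
                return false;      // second DOCTYPE inside the prolog
            seenDoctype = true;
        }
        return true;
    }

private:
    bool inProlog = true;
    bool seenDoctype = false;
};

// Index of the first rejected token, or -1 if the whole sequence is accepted.
long firstRejected(const std::vector<Token> &tokens)
{
    PrologCheck check;
    for (std::size_t i = 0; i < tokens.size(); ++i)
        if (!check.accept(tokens[i]))
            return long(i);
    return -1;
}

// Constructed token sequences (not the OSS-Fuzz inputs the message refers to).
const std::vector<Token> kLegitimate = {
    Token::StartDocument, Token::Comment, Token::Doctype, Token::ProcessingInstruction,
    Token::StartElement, Token::Comment, Token::Characters, Token::EndElement};
const std::vector<Token> kTwoDoctypesInProlog = {
    Token::StartDocument, Token::Doctype, Token::Doctype,
    Token::StartElement, Token::EndElement};
const std::vector<Token> kDoctypeInBody = {
    Token::StartDocument, Token::Doctype, Token::StartElement,
    Token::Doctype, Token::EndElement};

int main()
{
    std::printf("legitimate: %ld\n", firstRejected(kLegitimate));
    std::printf("two DOCTYPEs in prolog: %ld\n", firstRejected(kTwoDoctypesInProlog));
    std::printf("DOCTYPE in body: %ld\n", firstRejected(kDoctypeInBody));
    return 0;
}
```

Rejecting at the first unexpected token is what stops the reader before any entity expansion from a second DTD fragment can begin.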

17 months ago QXmlStreamReader: make fastScanName() indicate parsing status to callers
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
QXmlStreamReader: make fastScanName() indicate parsing status to callers

Origin: upstream, commits
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=1a423ce4372d18a7
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=6326bec46a618c72
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bdc8dc51380d2ce4
 https://code.qt.io/cgit/qt/qtbase.git/commit/?id=3bc3b8d69a291aa5
 .
 Based on KDE's backport:
 https://invent.kde.org/qt/qt/qtbase/-/merge_requests/263
Last-Update: 2023-07-15

This fixes a crash while parsing an XML file with garbage data, the file
starts with '<' then garbage data:
- The loop in the parse() keeps iterating until it hits "case 262:",
  which calls fastScanName()
- fastScanName() iterates over the text buffer scanning for the
  attribute name (e.g. "xml:lang"), until it finds ':'
- Consider a Value val, fastScanName() is called on it, it would set
  val.prefix to a number > val.len, then it would hit the 4096 condition
  and return (returned 0, now it returns the equivalent of
  std::null_opt), which means that val.len doesn't get modified, making
  it smaller than val.prefix
- The code would try constructing an XmlStringRef with negative length,
  which would hit an assert in one of QStringView's constructors

Add an assert to the XmlStringRef constructor.

Add unittest based on the file from the bug report.

Credit to OSS-Fuzz.

Gbp-Pq: Name CVE-2023-37369.diff

17 months ago fix capitalization error in auto-generated qdbusmacros.h include
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
fix capitalization error in auto-generated qdbusmacros.h include

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=dca0304c26012a57
Last-Update: 2023-05-13

Gbp-Pq: Name fix_qdbusmacros_h.diff

17 months ago OpenFile portal: do not use O_PATH fds
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
OpenFile portal: do not use O_PATH fds

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=03cbcba7b2b0e42a
Last-Update: 2023-05-13

Using O_PATH requires correctly specifying whether the fd is writable or
not. Stating that the fd is writable without it actually being writable
results in rejection on xdg-desktop-portal side. Other implementations
like xdg-open or gtk have also moved away from O_PATH fds so this will
make a matching implementation and avoid possible rejections from xdp.

Gbp-Pq: Name dont_use_O_PATH.diff

17 months ago fix accessibility on XCB when running as root
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
fix accessibility on XCB when running as root

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=db346e711c9af505
Bug: https://bugs.debian.org/1033995
Last-Update: 2023-04-15

Accessibility actually works when running applications as root, but we
would never properly connect, since the enabledChanged signal would be
emitted from the constructor in this case. So after connecting the
signal, check the value by hand to make sure not to miss the
notification.

Only applications running as root would be affected, because all other
applications would go through the asynchronous pattern of getting the
bus address from dbus instead.

Gbp-Pq: Name a11y_root.diff

17 months ago QSQL/ODBC: fix regression (trailing NUL)
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
QSQL/ODBC: fix regression (trailing NUL)

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=9020034b3b6a3a81
Last-Update: 2023-06-30

When we fixed the callers of toSQLTCHAR() to use the result's size()
instead of the input's (which differ, if sizeof(SQLTCHAR) != 2), we
exposed callers to the append(0), which changes the size() of the
result QVLA. Callers that don't rely on NUL-termination (all?) now saw
an additional trailing NUL.

Fix by not NUL-terminating, and changing the only user of SQL_NTS to
use an explicit length.

Gbp-Pq: Name sql_odbc_fix_unicode_check.diff

17 months ago SQL/ODBC: add another check to detect unicode availability in driver
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
SQL/ODBC: add another check to detect unicode availability in driver

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f19320748d282b1e
Last-Update: 2023-06-30

Since ODBC does not have a direct way of finding out if unicode is
supported by the underlying driver, the ODBC plugin does some checks. As
a last resort a SQL statement is executed which returns a string. But
even this may fail because the select statement has no FROM part, which
is rejected by at least Oracle. Therefore add another
query which is correct for Oracle & DB2 as a workaround. The question
why the first three statements to check for unicode availability fail
is still open but can't be checked since I've no access to an Oracle
database.

Gbp-Pq: Name sql_odbc_more_unicode_checks.diff

17 months ago Ssl: Copy the on-demand cert loading bool from default config
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
Ssl: Copy the on-demand cert loading bool from default config

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=57ba6260c0801055
Last-Update: 2023-06-08

Otherwise individual sockets will still load system certificates when
a chain doesn't match against the configured CA certificates.
That's not intended behavior, since specifically setting the CA
certificates means you don't want the system certificates to be used.

This is potentially a breaking change because now, if you ever add a
CA to the default config, it will disable loading system certificates
on demand for all sockets. And the only way to re-enable it is to
create a null-QSslConfiguration and set it as the new default.

Gbp-Pq: Name CVE-2023-34410.diff

17 months ago QDnsLookup/Unix: make sure we don't overflow the buffer
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
QDnsLookup/Unix: make sure we don't overflow the buffer

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=7dba2c87619d558a
Last-Update: 2023-05-25

The DNS Records are variable length and encode their size in 16 bits
before the Record Data (RDATA). Ensure that both the RDATA and the
Record header fields before it fall inside the buffer we have.

Additionally reject any replies containing more than one query record.

Gbp-Pq: Name CVE-2023-33285.diff
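
The bounds checks described in the QDnsLookup/Unix commit message above (the same message also appears earlier in this log), as an added example that is not part of the commit or of Qt's code. All names (`RecordView`, `skipName`, `readRecord`, `firstAnswer`, `sampleReply`) are hypothetical, and the reply bytes are constructed.

```cpp
#include <cstddef>
#include <cstdint>
#include <vector>

// Illustrative names throughout; none of this is Qt's API.
struct RecordView {
    uint16_t type, rdlength;
    size_t rdataOffset;  // where RDATA starts inside the reply
    size_t nextOffset;   // where the following record starts
};

static const size_t kHeaderSize = 12;   // fixed DNS message header
static const size_t kRecordFixed = 10;  // TYPE(2) CLASS(2) TTL(4) RDLENGTH(2)

static uint16_t be16(const uint8_t *p) { return uint16_t((p[0] << 8) | p[1]); }

// Step over an encoded name (labels or a compression pointer) within len bytes.
bool skipName(const uint8_t *buf, size_t len, size_t off, size_t &next)
{
    while (off < len) {
        const uint8_t n = buf[off];
        if (n == 0) { next = off + 1; return true; }   // root label ends the name
        if ((n & 0xC0) == 0xC0) {                      // 2-byte pointer ends the name
            if (len - off < 2) return false;
            next = off + 2;
            return true;
        }
        if ((n & 0xC0) != 0 || len - off - 1 < size_t(n))
            return false;                              // reserved type or label too long
        off += 1 + size_t(n);
    }
    return false;
}

// Check the fixed fields before RDATA first, then RDATA itself. Each check
// compares against the bytes remaining, so a large RDLENGTH cannot pass.
bool readRecord(const uint8_t *buf, size_t len, size_t off, RecordView &out)
{
    size_t p = 0;
    if (!skipName(buf, len, off, p) || len - p < kRecordFixed)
        return false;
    const uint16_t rdlength = be16(buf + p + 8);
    const size_t rdata = p + kRecordFixed;
    if (len - rdata < size_t(rdlength))
        return false;
    out = RecordView{be16(buf + p), rdlength, rdata, rdata + rdlength};
    return true;
}

// Reject short headers and more than one question, then read the first answer.
bool firstAnswer(const std::vector<uint8_t> &reply, RecordView &out)
{
    const uint8_t *buf = reply.data();
    const size_t len = reply.size();
    if (len < kHeaderSize || be16(buf + 4) > 1 || be16(buf + 6) == 0)
        return false;
    size_t off = kHeaderSize;
    if (be16(buf + 4) == 1) {
        size_t q = 0;
        if (!skipName(buf, len, off, q) || len - q < 4)   // QTYPE + QCLASS
            return false;
        off = q + 4;
    }
    return readRecord(buf, len, off, out);
}

// Constructed reply: one question and one A record for "a"; RDLENGTH says
// claimedLen while only actualLen bytes of RDATA are really present.
std::vector<uint8_t> sampleReply(uint16_t qdcount, uint16_t claimedLen, size_t actualLen)
{
    std::vector<uint8_t> r = {0x12, 0x34, 0x81, 0x80, uint8_t(qdcount >> 8), uint8_t(qdcount),
                              0, 1, 0, 0, 0, 0,                      // ANCOUNT = 1
                              1, 'a', 0, 0, 1, 0, 1,                 // question: a. A IN
                              0xC0, 0x0C, 0, 1, 0, 1, 0, 0, 0, 60,   // name pointer, A, IN, TTL
                              uint8_t(claimedLen >> 8), uint8_t(claimedLen)};
    r.insert(r.end(), actualLen, 0x7F);
    return r;
}
```

`firstAnswer(sampleReply(1, 4, 4), v)` succeeds, while a reply whose RDLENGTH exceeds the bytes present, or whose header announces two questions, is rejected before any record field is read.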

17 months ago hsts: match header names case insensitively
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
hsts: match header names case insensitively

Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32762-qtbase-5.15.diff
Last-Update: 2023-05-22

Header field names are always considered to be case-insensitive.

Gbp-Pq: Name CVE-2023-32762.diff

17 months ago fix buffer overflow in Qt SVG
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
fix buffer overflow in Qt SVG

Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2023-32763-qtbase-5.15.diff
Last-Update: 2023-05-22

Adds qAddOverflow and qMulOverflow definitions to QFixed.

Gbp-Pq: Name CVE-2023-32763.diff

17 months ago do not set Qt::ToolTip flag for QShapedPixmapWindow
Debian Qt/KDE Maintainers [Sun, 14 Jul 2024 15:35:58 +0000 (18:35 +0300)]
do not set Qt::ToolTip flag for QShapedPixmapWindow

Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=180b496b537089b8
Bug: https://bugreports.qt.io/browse/QTBUG-98048
Last-Update: 2023-05-20

This hint is not really needed in the first place and only causes
problems in some environments.

For example in KDE, the compositor animates changes in position and size
for all ToolTip windows. However, this is not wanted here because we use
this window as a thumbnail for a drag-and-drop operation.
Before this patch the dragged element would lag significantly behind the
cursor. Now it works as expected, i.e. the dragged element follows the
cursor immediately.

Gbp-Pq: Name qshapedpixmapwindow_no_tooltip.diff