Debian Patches

Status for qt6-base/6.4.2+dfsg-21.1

Patch Description Author Forwarded Bugs Origin Last update
cve-2023-51714.diff diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
index 0b69ee86a9..f20ec92d4c 100644
no
libxkbcommon_1.6.0.diff [PATCH] xkb: fix build with libxkbcommon 1.6.0 and later
A few XKB_KEY_dead_* defines got removed from 1.6.0. See also
https://github.com/xkbcommon/libxkbcommon/blob/6073565903488cb5b9a8d37fdc4a7c2f9d7ad04d/NEWS#L9-L14
https://gitlab.freedesktop.org/xorg/proto/xorgproto/-/merge_requests/70/diffs?commit_id=cb44799b72f611eb4c9d7cc185bc3b09e070be08
Liang Qi <liang.qi@qt.io> no 2023-10-10
cve-2023-37369.diff [PATCH] QXmlStreamReader: make fastScanName() indicate parsing status to callers
This fixes a crash while parsing an XML file with garbage data, the file
starts with '<' then garbage data:
- The loop in the parse() keeps iterating until it hits "case 262:",
which calls fastScanName()
- fastScanName() iterates over the text buffer scanning for the
attribute name (e.g. "xml:lang"), until it finds ':'
- Consider a Value val, fastScanName() is called on it, it would set
val.prefix to a number > val.len, then it would hit the 4096 condition
and return (returned 0, now it returns the equivalent of
std::null_opt), which means that val.len doesn't get modified, making
it smaller than val.prefix
- The code would try constructing an XmlStringRef with negative length,
which would hit an assert in one of QStringView's constructors

Add an assert to the XmlStringRef constructor.

Add unittest based on the file from the bug report.

Later on I will replace FastScanNameResult with std::optional<qsizetype>
(std::optional is C++17, which isn't required by Qt 5.15, and we want to
backport this fix).

Credit to OSS-Fuzz.
Ahmad Samir <a.samirh78@gmail.com> no 2023-06-22
cve-2023-34410-57ba626.diff [PATCH] Ssl: Copy the on-demand cert loading bool from default config
Otherwise individual sockets will still load system certificates when
a chain doesn't match against the configured CA certificates.
That's not intended behavior, since specifically setting the CA
certificates means you don't want the system certificates to be used.

Follow-up to/amends ada2c573c1a25f8d96577734968fe317ddfa292a

This is potentially a breaking change because now, if you ever add a
CA to the default config, it will disable loading system certificates
on demand for all sockets. And the only way to re-enable it is to
create a null-QSslConfiguration and set it as the new default.
Mårten Nordheim <marten.nordheim@qt.io> no 2023-05-25
cve-2023-34410-ada2c57.diff [PATCH] Schannel: Reject certificate not signed by a configured CA certificate
Not entirely clear why, but when building the certificate chain for a
peer the system certificate store is searched for root certificates.
General expectation is that after calling
`sslConfiguration.setCaCertificates()` the system certificates will
not be taken into consideration.

To work around this behavior, we do a manual check that the root of the
chain is part of the configured CA certificates.
Mårten Nordheim <marten.nordheim@qt.io> no 2023-05-10
cve-2023-32762.diff no
cve-2023-32763.diff no
cve-2023-33285.diff diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
index 75f7c6c440..de0113494f 100644
no
upstream_Add-HPPA-detection.patch [PATCH] Add HPPA detection
- detect the HPPA architecture (PA-RISC) and define Q_PROCESSOR_HPPA
- set the right machine type in QElfParser for HPPA ELF files
Pino Toscano <toscano.pino@tiscali.it> no 2022-10-06
upstream_Add-M68k-detection.patch [PATCH] Add M68k detection
- detect the M68k architecture (Motorola 68000) and define
Q_PROCESSOR_M68K
- set the right machine type in QElfParser for M68k ELF files
Pino Toscano <toscano.pino@tiscali.it> no 2022-10-06
upstream_Add-enable-Alpha-detection.patch [PATCH] Add/enable Alpha detection
- uncomment the Alpha detection defining Q_PROCESSOR_ALPHA, which is
already used/documented in a few places
- set the right machine type in QElfParser for Alpha ELF files
Pino Toscano <toscano.pino@tiscali.it> no 2022-11-15
cve-2023-24607.patch Fix CVE-2023-24607 CVE-2023-24607 can trigger a DOS with a specifically crafted string,
see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031871.
This patch https://codereview.qt-project.org/c/qt/qtbase/+/456216,
https://codereview.qt-project.org/c/qt/qtbase/+/457637 and
https://codereview.qt-project.org/c/qt/qtbase/+/457937
See: https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
not-needed
Add-SH-detection.patch Add SH description Upstream processes archs from time to time and tends to disable those that
they do not know whether they are working or not.

SH is working on Debian, so as an intermediate measure re-enable it here.
John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> no debian
remove_privacy_breaches.diff remove non-used privacy-breach code This code makes Lintian unhappy. But we are really not using it, it only
gets inserted when building the online doc.
Anyways the best way to calm down Lintian is to simply remove it.
Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> not-needed 2015-02-18
build_path_embedded_qtbuildinternalsextra_cmake.patch [PATCH] cmake/QtBuildInternalsExtra.cmake.in: Patch out embedded build path.

The original build path should not be needed in the shipped package,
and causes reproducibility issues when built in different paths.

https://reproducible-builds.org/docs/build-path/
Vagrant Cascadian <vagrant@reproducible-builds.org> no 2022-02-25
cross.patch no
force_shared_libzstd.patch force the usage of the shared libzstd library. The library provides both versions, and the original code prefers the static
version over the shared, while on Debian it should always use the shared
version.
Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> not-needed upstream
no_htmlinfo_example.patch Avoid trying to build the htmlinfo example This example uses non-free images, so we had to remove it from the original
tarball.

This patch avoids building this example.
Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> not-needed
remove_rpath_from_examples.patch remove RPATH/RUNPATH from examples' binaries. On Debian the examples are built against system's libraries, so there is no
need to set RPATH/RUNPATH.
Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> not-needed 2023-07-23
forkfd_grow_stack_upwards_on_hppa.patch Change how stack grows on HPPA. On HPPA the stack grows upwards. This patch introduces this change for
this 3rd party code.
John David Anglin <dave.anglin@bell.net> no debian 2023-07-28
armel-noyield.patch Don't use yield on CPUs that might not support it no
