Debian Patches

Status for qt6-base/6.8.2+dfsg-10.1

Patch Description Author Forwarded Bugs Origin Last update
upstream_cve-2025-3512_fix_heap_buffer_overflow.diff [PATCH] QTextMarkdownImporter: Fix heap-buffer-overflow
After finding the end marker `---`, the code expected more characters
crashes if asked for a substring that starts at or beyond the end.

Now it's restructured into a separate splitFrontMatter() function, and
we're stricter, tolerating only `---\n` or `---\r\n` as marker lines.
So the code is easier to prove correct, and we don't need to check
characters between the end of the marker and the end of the line
(to allow inadvertent whitespace, for example). If the markers are
not valid, the Markdown parser will see them as thematic breaks,
as it would have done if we were not extracting the Front Matter
beforehand.

Amends e10c9b5c0f8f194a79ce12dcf9b6b5cb19976942 and
bffddc6a993c4b6b64922e8d327bdf32e0d4975a

Credit to OSS-Fuzz which found this as issue 42533775.

[ChangeLog][QtGui][Text] Fixed a heap buffer overflow in
QTextMarkdownImporter. The first marker for Front Matter
must begin at the first character of a Markdown document,
and both markers must be exactly ---\n or ---\r\n.

(cherry picked from commit 25986746947798e1a22d0830d3bcb11a55fcd3ae)
(cherry picked from commit eced22d7250fc7ba4dbafa1694bf149c2259d9ea)
(cherry picked from commit 9e59a924a04606c386b970ee6c9c7819cdd7ae1a)		 Shawn Rutledge <shawn.rutledge@qt.io> no 2025-03-27
upstream_cve-2025-5455_fix_data_assertion_error.diff qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at() It is a precondition violation to call QByteArrayView::at() with
size() as argument. The code used that, though, as an implicit
end-of-string check, assuming == ' ' and == '=' would both fail for
null bytes. Besides, QByteArrays (but most certainly QByteArrayViews)
need not be null-terminated, so this could read even past size().
.
To fix, use higher-level API (startsWith()), consuming parsed tokens
along the way.		 no upstream, https://download.qt.io/official_releases/qt/6.8/CVE-2025-5455-qtbase-6.8.patch 2025-06-29
upstream_unset_current_openglcontext.diff [PATCH] QOpenGlContext: Always unset current context in doneCurrent()
Otherwise when no other context is made current until thread exit, the
QGuiGLThreadContext destructor will try to call doneCurrent() on an
already deleted context.

(cherry picked from commit cd1686e55f706048286cbc962bbe02032c2396cd)
(cherry picked from commit 10c195b86432eaa430c6991c0fcb74c411407cdf)		 David Redondo <qt@david-redondo.de> no 2025-01-15
build_path_embedded_qtbuildinternalsextra_cmake.patch [PATCH] cmake/QtBuildInternalsExtra.cmake.in: Patch out embedded build path.

The original build path should not be needed in the shipped package,
and causes reproducibility issues when built in different paths.

https://reproducible-builds.org/docs/build-path/		 Vagrant Cascadian <vagrant@reproducible-builds.org> no 2022-02-25
cross.patch no
remove_rpath_from_examples.patch remove RPATH/RUNPATH from examples' binaries. On Debian the examples are built against system's libraries, so there is no
need to set RPATH/RUNPATH.		 Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> not-needed 2024-02-15
forkfd_grow_stack_upwards_on_hppa.patch Change how stack grows on HPPA. On HPPA stack grows upwards. This patch introduces this change for
this 3rd party code.		 John David Anglin <dave.anglin@bell.net> no debian 2023-07-28
enable_skip_plugins.patch Enable skipping plugins search at build time. This patch sets
QT_SKIP_AUTO_PLUGIN_INCLUSION and QT_SKIP_AUTO_QML_PLUGIN_INCLUSION to ON
by default, thus avoiding unnecesary build dependencies on plugins.
.
The variables can still be set to OFF by the user at build time, allowing
them to find the packages if necessary. But if you need so for a Debian
package please reach the Qt maintainers first. We want to know why you
need to do so. Thanks in advance!		 Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> not-needed
armv4.diff support ARMv4 architecture, needed for armel builds Dmitry Shachnev <mitya57@debian.org> no 2016-07-01
upstream_QColorTransferGeneric_fix_BT2100PQEOTF.patch [PATCH] QColorTransferGeneric: fix the BT.2100 PQ EOTF
The PQ EOTF formula for BT.2100 [1][2] was incorrect. Fix it; while at
it, rename the variables to match the symbols used in the original
formula.

The inverse EOTF was correct, but also rename the variables there (for
the same reason).

[1] https://www.itu.int/rec/R-REC-BT.2100-2-201807-I/en
[2] https://en.wikipedia.org/wiki/Perceptual_quantizer#Technical_details

(cherry picked from commit a7ff4679facb9a44dff8b63a7e461ababa6aedfb)
(cherry picked from commit 35c18eba64b6220e36ea14d32b911342e9d0921c)		 Giuseppe D'Angelo <giuseppe.dangelo@kdab.com> no 2025-02-06
upstream_cve-2025-5992_input_range_qcolortransformation.diff [PATCH] Add clamping to QColorTransferGenericFunction
This ensures that the inputs are within range for the use of these
function.

Depending on the values passed, they can trigger FE_INVALID errors
and thus NaN as return values.

This can happen for example when feeding an invalid ICC profile to
QColorSpace::fromIccProfile.

Credit to OSS-Fuzz		 Samuel Gaist <samuel.gaist@idiap.ch> no upstream, https://download.qt.io/official_releases/qt/6.8/CVE-2025-5992-qtbase-6.8.patch 2025-05-24
upstream_fix_high_cpu_load_kwin_x11.diff [PATCH] XCB: Remove extra xcb_randr_select_input() calls
This fixes high CPU usage in kwin.

If there is a ConfigureNotify event for the root window, QtXCB will
call xcb_randr_select_input(). The problem is that the X server may send
an output change event in response to xcb_randr_select_input().

When kwin sees that output change event, it will process the event and
it can update its override redirect windows, which can produce a few
ConfigureNotify events for the root window and make kwin get stuck in an
update loop.

Since the QXcbConnection constructor already subscribes to the RandR
events, these xcb_randr_select_input() function calls can be removed.
Also, `true` is not a valid argument for xcb_randr_select_input(). It
expects a mask of events to listen. For what it's worth, `true`
corresponds to XCB_RANDR_NOTIFY_MASK_SCREEN_CHANGE = 1, which
xrandrSelectEvents() already subscribes to.		 Vlad Zahorodnii <vlad.zahorodnii@kde.org> no 2025-07-27
upstream_prevent_recursion_in_qsortfilterproxymodel.diff [PATCH] QSortFilterProxyModel: don't call index(row, 0) if there are no columns
This is invalid, e.g. it asserts in
QConcatenateTablesProxyModel::index()

(cherry picked from commit 93694e99c214a5166fc842f92659e42260230dce)		 David Faure <david.faure@kdab.com> no 2025-03-03
upstream_IPC-add-PATH_MAX-less-fallback-definition-for-MAX_PA.patch [PATCH] IPC: add PATH_MAX-less fallback definition for MAX_PATH
Define MAX_PATH also when PATH_MAX is not defined (e.g on GNU/Hurd).
MAX_PATH is Windows constant, and it is used in this file only in a
code path for Windows; because of this, the static fallback define
should be good enough.		 Pino Toscano <toscano.pino@tiscali.it> no 2024-06-22
upstream_QStorageInfo-Unix-fix-declaration-of-mnt-on-Hurd.patch [PATCH] QStorageInfo/Unix: fix declaration of 'mnt' on Hurd
Directly use the right type for it, after the Linux code was dropped.
Fixes commit 543ae6e6a43519b9fca6758c4a8c78625fcb2c86.		 Pino Toscano <toscano.pino@tiscali.it> no 2024-10-06
upstream_qlocale_shutdown.patch [PATCH] QLocale: try to survive being created during application shut down

QLocale is very often accessed during global static destructors, so
let's try and survive if the default has already been destroyed. In that
case, we shall fall back to the C locale.

I've placed the call to systemData(), which updates the system locale,
before the initialization of defaultLocalePrivate, as the initialization
of the latter depends on the former.

(cherry picked from commit e0a1f491567f2495443babc5aa36a038260f96c6)
(cherry picked from commit bcc0e6124a2ec80df535178d056324433f9ff984)		 Thiago Macieira <thiago.macieira@intel.com> no 2025-01-24
upstream_qsystemlocale_post_destruction_access.patch [PATCH] QSystemLocale: bail out if accessed post-destruction
There's little we can do, but a lot of content ends up in QLocale very
late in the execution. Let's at least not crash.

(cherry picked from commit e32f28034ad2383393645777bcd96eab3f696076)
(cherry picked from commit d5c5f9f3529b384d0d4bea2d51f0ad6a3d57481d)		 Thiago Macieira <thiago.macieira@intel.com> no 2025-01-24
upstream_qlibraryinfo_speedup.patch [PATCH] QLibraryInfo: speed up checking if ":/qt/etc/qt.conf" resource exists

Go straight for QResource, because this is run very early in Qt's
initialization, usually as a result of some debug message, via
QLoggingRegistry::initializeRules(). This bypasses the need to create
QResourceFileEnginePrivate, QResourceFileEngine, QFileInfoPrivate, and
QFileInfo, all of which would end up in this .isValid() call.

Additionally, I'm making it query in the C locale, which will also avoid
initializing the system & default QLocales. If a resource exists in any
language, the C locale query will find it.

(cherry picked from commit d59e640c868f3db2d661970f3d34a22013d49053)
(cherry picked from commit ae2502b4ad3d1215211bf4ed44037a40f52a313d)		 Thiago Macieira <thiago.macieira@intel.com> no 2025-01-24
upstream_prevent_unregistering_input_device.diff [PATCH] GUI: no need to unregister input device if list is destroyed
(cherry picked from commit 1040728e39b8b898d6e96b79a4c7bfcd0cb3f027)
(cherry picked from commit 6ad615cd1218a9b7f4204c04288ae2d6ed6c232b)		 Thiago Macieira <thiago.macieira@intel.com> no 2025-02-17
upstream_cups_for_multiple_page_ranges.diff [PATCH] rely on CUPS for multiple page ranges in unix version of QPrintDialog
Since the introduction of QPageRanges with Qt6, multiple/arbitrary page
ranges are broken in the unix implementation of QPrintDialog due to a
possible double application of the page ranges: on the application side
and on the server side with CUPS. Reason for this is that the
QPrinter::PrintRange is set to PageRange instead of AllPages.
The latter is needed when relying on the CUPS server-side page range.
However, the server-side page range is always applied later on.

Restore the behavior of Qt5 and set the PrintRange to AllPages for
multiple/arbitrary page ranges and rely on the server-side filtering
with CUPS.

(cherry picked from commit 2428cbf44e3e2aa4eaf00c9548ac5a74685101c4)
(cherry picked from commit b630ed4ef8c7ae43c8ab2a8826d664995cc8b685)		 Alexander Stippich <a.stippich@gmx.net> no 2025-02-26
Add-SH-detection.patch Add SH description Upstream processes archs from time to time and tends to disable those that
they do not know wether they are working or not.
.
SH is working on Debian, so as an intermediate measure re enable it here.		 John Paul Adrian Glaubitz <glaubitz@physik.fu-berlin.de> no debian
remove_privacy_breaches.diff remove non-used privacy-breach code This code makes Lintian unhappy. But we are really not using it, it only
gets inserted when building the online doc.
Anyways the best way to calm down Lintian is to simply remove it.		 Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> not-needed 2015-02-18

All known versions for source package 'qt6-base'

Links