Debian Patches

Status for qtbase-opensource-src/5.15.10+dfsg-7

Patch Description Author Forwarded Bugs Origin Last update
mime_globs.diff adjust QMimeDatabase implementation When multiple globs match, and the result from magic sniffing is
unrelated to any of those globs, globs have priority and one of them
should be picked up.
no upstream, 2021-06-12
fusion_checkable_qpushbutton.diff QPushButton/fusion style: don't ignore QIcon::On icon The fusion style did ignore the QIcon::On icon because it reset
State_On to avoid the visual shift of a pressed button.
But it's not needed to reset this flag - the shift does not happen
because the fusion style does return 0 as offset for
PM_ButtonShiftHorizontal/PM_ButtonShiftVertical so no shifting will
no upstream, 2021-08-10
openssl3.diff upstream fixes to support OpenSSL 3.0
and a small part of
no upstream, commits 2021-12-09
openssl_set_options.diff update function argument of SSL_CTX_set_options openssl3 uses uint64_t for the options argument in SSL_CTX_set_options,
older ones used long.
sizeof(long) is not the same on any platform as sizeof(uint64_t)
Backported for 5.15 by the patch author, Michael Saxl.
no upstream, 2022-08-07
qmenu_set_transient_parent.diff widgets: setTransientParent() when a QMenu is a window On some platforms, such as X11 and Wayland with some compositors,
QMenu could be a popup window, which should be set a transient parent
to get relative position, which is requested by Wayland.
Added transientParentWindow() for QMenuPrivate like QDialogPrivate.
no upstream, 2022-10-16
gnome_wayland.diff use wayland platform plugin on GNOME wayland sessions by default Qt wayland platform plugin has improved quite a lot and it is now pretty
much usable on Gnome. It also improves user experience a lot on HiDPI
no upstream, 2022-10-16
fix_alt_backtick.diff fix Alt+` shortcut on non-US layouts Make it possible for non-letter-keys with Latin 1 symbols (`, !, @ etc.)
to participate in shortcuts also, when the keys generate national
symbols on non-Latin layout.
For example, in Russian layout, "`" key generates cyrillic "" letter of
national alphabet, so shortcuts with the key should still work
regardless of the actual layout.
no upstream, 2022-12-03
image_deletion_order.diff fix deletion order in QImageReader/Writer destructors The device would be deleted before the image format handler, and hence
be a dangling pointer that could easily cause a crash if the handler
or codec would access it on destruction, e.g. for cleanup.
no upstream, commits 2023-02-26
qxcbwindow_set_geometry.diff set geometry property in QXcbWindow after checking minimum size QXcbWindow::create() bound the window's size to windowMinimumSize(),
after its size had been inherited from parent().
QPlatformWindow::setGeometry() was called before that sanity check.
When a fullscreen window is re-mapped from a deactivated screen to the
remaining screen, the call to QPlatformWindow::setGeometry() assigns
an invalid QRect to QPlatformWindowPrivate::rect
The negative int values x2 and/or y2 cause
QXcbBackingStoreImage::flushPixmap to address unmapped memory and
This patch moves the call to QPlatformWindow::setGeometry() from
before to after bounding to a minimum value. That assures a valid
rectangle to be assigned in all cases.
no upstream, 2023-01-04
CVE-2023-24607.diff Fix denial-of-service in Qt SQL ODBC driver plugin no upstream, 2023-02-26
qshapedpixmapwindow_no_tooltip.diff do not set Qt::ToolTip flag for QShapedPixmapWindow This hint is not really needed in the first place and only causes
problems in some environments.
For example in KDE, the compositor animates changes in position and size
for all ToolTip windows. However, this is not wanted here because we use
this window as a thumbnail for a drag-and-drop operation.
Before this patch the dragged element would lag significantly behind the
cursor. Now it works as expected, i.e. the dragged element follows the
cursor immediately.
yes upstream upstream, 2023-05-20
CVE-2023-32763.diff fix buffer overflow in Qt SVG Adds qAddOverflow and qMulOverflow definitions to QFixed. no upstream, 2023-05-22
CVE-2023-32762.diff hsts: match header names case insensitively Header field names are always considered to be case-insensitive. no upstream, 2023-05-22
CVE-2023-33285.diff QDnsLookup/Unix: make sure we don't overflow the buffer The DNS Records are variable length and encode their size in 16 bits
before the Record Data (RDATA). Ensure that both the RDATA and the
Record header fields before it fall inside the buffer we have.
Additionally reject any replies containing more than one query records.
no upstream, 2023-05-25
CVE-2023-34410.diff Ssl: Copy the on-demand cert loading bool from default config Otherwise individual sockets will still load system certificates when
a chain doesn't match against the configured CA certificates.
That's not intended behavior, since specifically setting the CA
certificates means you don't want the system certificates to be used.
This is potentially a breaking change because now, if you ever add a
CA to the default config, it will disable loading system certificates
on demand for all sockets. And the only way to re-enable it is to
create a null-QSslConfiguration and set it as the new default.
no upstream, 2023-06-08
sql_odbc_more_unicode_checks.diff SQL/ODBC: add another check to detect unicode availability in driver Since ODBC does not have a direct way finding out if unicode is
supported by the underlying driver the ODBC plugin does some checks. As
a last resort a sql statement is executed which returns a string. But
even this may fail because the select statement has no FROM part which
is rejected by at least Oracle does not allow. Therefore add another
query which is correct for Oracle & DB2 as a workaround. The question
why the first three statements to check for unicode availability fail
is still open but can't be checked since I've no access to an oracle
no upstream, 2023-06-30
sql_odbc_fix_unicode_check.diff QSQL/ODBC: fix regression (trailing NUL) When we fixed the callers of toSQLTCHAR() to use the result's size()
instead of the input's (which differ, if sizeof(SQLTCHAR) != 2), we
exposed callers to the append(0), which changes the size() of the
result QVLA. Callers that don't rely on NUL-termination (all?) now saw
an additional training NUL.
Fix by not NUL-terminating, and changing the only user of SQL_NTS to
use an explicit length.
no upstream, 2023-06-30
a11y_root.diff fix accessibility on XCB when running as root Accessibility actually works when running applications as root, but we
would never properly connect, since the enabledChanged signal would be
emitted from the constructor in this case. So after connecting the
signal, check the value by hand to make sure not to miss the
Only applications running as root would be affected, because all other
applications would go through the asynchronous pattern of getting the
bus address from dbus instead.
invalid upstream upstream, 2023-04-15
dont_use_O_PATH.diff OpenFile portal: do not use O_PATH fds Using O_PATH requires correctly specifying whether the fd is writable or
not. Stating that the fd is writable without it actually being writable
results into rejection on xdg-desktop-portal side. Other implementations
like xdg-open or gtk have also moved away from O_PATH fds so this will
make a matching implementation and avoid possible rejections from xdp.
no upstream, 2023-05-13
fix_qdbusmacros_h.diff fix capitalization error in auto-generated qdbusmacros.h include no upstream, 2023-05-13
CVE-2023-37369.diff QXmlStreamReader: make fastScanName() indicate parsing status to callers This fixes a crash while parsing an XML file with garbage data, the file
starts with '<' then garbage data:
- The loop in the parse() keeps iterating until it hits "case 262:",
which calls fastScanName()
- fastScanName() iterates over the text buffer scanning for the
attribute name (e.g. "xml:lang"), until it finds ':'
- Consider a Value val, fastScanName() is called on it, it would set
val.prefix to a number > val.len, then it would hit the 4096 condition
and return (returned 0, now it returns the equivalent of
std::null_opt), which means that val.len doesn't get modified, making
it smaller than val.prefix
- The code would try constructing an XmlStringRef with negative length,
which would hit an assert in one of QStringView's constructors
Add an assert to the XmlStringRef constructor.
Add unittest based on the file from the bug report.
Credit to OSS-Fuzz.
Based on KDE's backport:
no upstream, commits 2023-07-15
CVE-2023-38197.diff QXmlStreamReader: Raise error on unexpected tokens QXmlStreamReader accepted multiple DOCTYPE elements, containing DTD
fragments in the XML prolog, and in the XML body.
Well-formed but invalid XML files - with multiple DTD fragments in
prolog and body, combined with recursive entity expansions - have
caused infinite loops in QXmlStreamReader.
This patch implements a token check in QXmlStreamReader.
A stream is allowed to start with an XML prolog. StartDocument
and DOCTYPE elements are only allowed in this prolog, which
may also contain ProcessingInstruction and Comment elements.
As soon as anything else is seen, the prolog ends.
After that, the prolog-specific elements are treated as unexpected.
Furthermore, the prolog can contain at most one DOCTYPE element.
Update the documentation to reflect the new behavior.
Add an autotest that checks the new error cases are correctly detected,
and no error is raised for legitimate input.
The original OSS-Fuzz files (see bug reports) are not included in this
patch for file size reasons. They have been tested manually. Each of
them has more than one DOCTYPE element, causing infinite loops in
recursive entity expansions. The newly implemented functionality
detects those invalid DTD fragments. By raising an error, it aborts
stream reading before an infinite loop occurs.
Thanks to OSS-Fuzz for finding this.
no upstream, 2023-07-15
libxkbcommon_1.6.0.diff xkb: fix build with libxkbcommon 1.6.0 and later A few XKB_KEY_dead_* defines got removed from 1.6.0. See also
no upstream, 2023-10-17
loongarch.diff add support for LoongArch
no upstream, commits 2023-11-05
CVE-2023-51714.diff HPack: fix incorrect integer overflow check
no upstream 2024-01-13
CVE-2024-25580.diff improve KTX file reading memory safety no upstream, 2024-02-17
no_htmlinfo_example.diff disable htmlinfo example which contains non-free files Dmitry Shachnev <> not-needed 2014-12-17
remove_privacy_breaches.diff remove non-used privacy-breach code This code makes Lintian unhappy. But we are really not using it, it only
gets inserted when building the online doc.
Anyways the best way to calm down Lintian is to simply remove it.
Lisandro Damin Nicanor Prez Meyer <> not-needed 2015-02-18
link_fbclient.diff build ibase sql plugin against firebird Dmitry Shachnev <> no 2017-06-30
gnukfreebsd_linker_warnings.diff catch linker warnings in some config tests Without this, qmake wrongly thinks that the tests succeed, for example:
./config.tests/unix/futimens/futimens.cpp:44: warning: futimens is not implemented and will always fail
test config.corelib.tests.futimens succeeded
Dmitry Shachnev <> yes upstream 2019-03-02
armv4.diff support ARMv4 architecture, needed for armel builds Dmitry Shachnev <> no 2016-07-01
qdoc_default_incdirs.diff pass default include directories to qdoc Martin Smith <> no upstream 2020-01-28
path_max.diff Avoid unconditional PATH_MAX usage Use a "safe" size in case PATH_MAX is not defined; in the end, this should not
be used, as a allocating realpath() will be used instead.
Pino Toscano <> no 2020-04-19
qstorageinfo_linux.diff Limit Linux-only code with Q_OS_LINUX The QStorageInfo/QStorageIterator implementation used for Linux is used also
on Hurd, as it uses an interface provided by GNU libc.
QStorageIterator::device() tries to use PATH_MAX (unavailable on the Hurd)
to lookup a /dev/block/ path, which exists on Linux only; hence, perform that
check within a Q_OS_LINUX block.
Pino Toscano <> no 2020-04-19
cross_build_mysql.diff call pkgconfig in order to be able to cross build qtbase with MySql. Qt's build system calls mysql_config... which won't work in a cross build
environment like Debian's, as it will throw an exec format error.
In order to solve this call pkgconfig and use mysqlclient.pc.
Helmut Grohne <> not-needed debian
cast_types_for_egl_x11_test.diff properly cast types for libglvnd 1.3.4 Rex Dieter <> no
revert_startBlocking_removal.diff revert "Remove the dead code for blocking methods from QtConcurrent" It's a binary incompatible change.
Also submitted to upstream 5.15 branch according to
no KDE, 2022-09-10

All known versions for source package 'qtbase-opensource-src'