Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
---|---|---|---|---|---|---|
CVE-2025-23050.diff | QLowEnergyControllerPrivateBluez: guard against malformed replies. The QLowEnergyControllerPrivateBluez::l2cpReadyRead() slot reads the data from a Bluetooth L2CAP socket and then tries to process it according to ATT protocol specs. However, the code was missing length and sanity checks at some codepaths in processUnsolicitedReply() and processReply() helper methods, simply relying on the data to be in the proper format. This patch adds some minimal checks to make sure that we do not read past the end of the received array and do not divide by zero. This problem was originally pointed out by Marc Mutz in an unrelated patch. Conflict resolution for 5.15: adjusted the patch to the fact that there is no QBluezConst::AttCommand enum in this branch, and the code uses quint8 to represent the ATT commands. This required changing the debug message in the reportMalformedData() function. | | no | | upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2025-23050-qtconnectivity-5.15.diff | 2025-01-29 |