diff --git a/SPECS/qt5-qtbase/CVE-2025-64506.patch b/SPECS/qt5-qtbase/CVE-2025-64506.patch
new file mode 100644
index 00000000000..be2f4805a08
--- /dev/null
+++ b/SPECS/qt5-qtbase/CVE-2025-64506.patch
@@ -0,0 +1,58 @@
+From 9a69969fe981c889691ee96b7981c8cda465af16 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta
+Date: Fri, 7 Nov 2025 22:40:05 +0200
+Subject: [PATCH] Fix a heap buffer overflow in `png_write_image_8bit`
+
+The condition guarding the pre-transform path incorrectly allowed 8-bit
+input data to enter `png_write_image_8bit` which expects 16-bit input.
+This caused out-of-bounds reads when processing 8-bit grayscale+alpha
+images (GitHub #688), or 8-bit RGB or RGB+alpha images (GitHub #746),
+with the `convert_to_8bit` flag set (an invalid combination that should
+bypass the pre-transform path).
+
+The second part of the condition, i.e.
+
+ colormap == 0 && convert_to_8bit != 0
+
+failed to verify that input was 16-bit, i.e.
+
+ linear != 0
+
+contradicting the comment "This only applies when the input is 16-bit".
+
+The fix consists in restructuring the condition to ensure both the
+`alpha` path and the `convert_to_8bit` path require linear (16-bit)
+input. The corrected condition, i.e.
+
+ linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)
+
+matches the expectation of the `png_write_image_8bit` function and
+prevents treating 8-bit buffers as 16-bit data.
+
+Reported-by: Samsung-PENTEST
+Reported-by: weijinjinnihao
+Analyzed-by: degrigis
+Reviewed-by: John Bowler
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/pnggroup/libpng/pull/749/commits/2bd84c019c300b78e811743fbcddb67c9d9bf821.patch
+---
+ src/3rdparty/UNUSED/libpng/pngwrite.c | 3 +--
+ 1 file changed, 1 insertion(+), 2 deletions(-)
+
+diff --git a/src/3rdparty/UNUSED/libpng/pngwrite.c b/src/3rdparty/UNUSED/libpng/pngwrite.c
+index 59377a4d..40ce7ef4 100644
+--- a/src/3rdparty/UNUSED/libpng/pngwrite.c
++++ b/src/3rdparty/UNUSED/libpng/pngwrite.c
+@@ -2119,8 +2119,7 @@ png_image_write_main(png_voidp argument)
+ * before it is written. This only applies when the input is 16-bit and
+ * either there is an alpha channel or it is converted to 8-bit.
+ */
+- if ((linear != 0 && alpha != 0 ) ||
+- (colormap == 0 && display->convert_to_8bit != 0))
++ if (linear != 0 && (alpha != 0 || display->convert_to_8bit != 0))
+ {
+ png_bytep row = png_voidcast(png_bytep, png_malloc(png_ptr,
+ png_get_rowbytes(png_ptr, info_ptr)));
+--
+2.45.4
+
diff --git a/SPECS/qt5-qtbase/CVE-2025-64720.patch b/SPECS/qt5-qtbase/CVE-2025-64720.patch
new file mode 100644
index 00000000000..f8251378218
--- /dev/null
+++ b/SPECS/qt5-qtbase/CVE-2025-64720.patch
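Review bot: Both new patch files touch `src/3rdparty/UNUSED/libpng/` (pngwrite.c here, pngrtran.c in CVE-2025-64720.patch), and the directory name suggests this bundled libpng copy is not compiled into the package; if that is the case, neither patch changes any shipped code and the two CVEs are closed only by the system libpng package. Worth confirming which libpng the build actually links (a system-libpng configure would make the bundled tree dead code) before the changelog advertises these as fixes, so that advisory tracking points at the real remediation. The inner hunk itself carries the upstream condition `linear != 0 && (alpha != 0 || display->convert_to_8bit != 0)` unchanged, which is what the description argues for; `png_image_write_main` starts and ends outside the hunk.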
@@ -0,0 +1,107 @@
+From 3c4a7b4a85e2c351fdc8d2795680651809176c71 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta
+Date: Wed, 12 Nov 2025 13:46:23 +0200
+Subject: [PATCH] Fix a buffer overflow in `png_init_read_transformations`
+
+The palette compositing code in `png_init_read_transformations` was
+incorrectly applying background compositing when PNG_FLAG_OPTIMIZE_ALPHA
+was set. This violated the premultiplied alpha invariant
+`component <= alpha` expected by `png_image_read_composite`, causing
+values that exceeded the valid range for the PNG_sRGB_FROM_LINEAR lookup
+tables.
+
+When PNG_ALPHA_OPTIMIZED is active, palette entries should contain pure
+premultiplied RGB values without background compositing. The background
+compositing must happen later in `png_image_read_composite` where the
+actual background color from the PNG file is available.
+
+The fix consists in introducing conditional behavior based on
+PNG_FLAG_OPTIMIZE_ALPHA: when set, the code performs only
+premultiplication using the formula `component * alpha + 127) / 255`
+with proper gamma correction. When not set, the original background
+compositing calculation based on the `png_composite` macro is preserved.
+
+This prevents buffer overflows in `png_image_read_composite` where
+out-of-range premultiplied values would cause out-of-bounds array access
+in `png_sRGB_base[]` and `png_sRGB_delta[]`.
+
+Reported-by: Samsung-PENTEST
+Analyzed-by: John Bowler
+Signed-off-by: Azure Linux Security Servicing Account
+Upstream-reference: https://github.com/pnggroup/libpng/commit/08da33b4c88cfcd36e5a706558a8d7e0e4773643.patch
+---
+ src/3rdparty/UNUSED/libpng/pngrtran.c | 58 +++++++++++++++++++++------
+ 1 file changed, 45 insertions(+), 13 deletions(-)
+
+diff --git a/src/3rdparty/UNUSED/libpng/pngrtran.c b/src/3rdparty/UNUSED/libpng/pngrtran.c
+index 9a8fad9f..c9330f59 100644
+--- a/src/3rdparty/UNUSED/libpng/pngrtran.c
++++ b/src/3rdparty/UNUSED/libpng/pngrtran.c
+@@ -1694,19 +1694,51 @@ png_init_read_transformations(png_structrp png_ptr)
+ }
+ else /* if (png_ptr->trans_alpha[i] != 0xff) */
+ {
+- png_byte v, w;
+-
+- v = png_ptr->gamma_to_1[palette[i].red];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.red);
+- palette[i].red = png_ptr->gamma_from_1[w];
+-
+- v = png_ptr->gamma_to_1[palette[i].green];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.green);
+- palette[i].green = png_ptr->gamma_from_1[w];
+-
+- v = png_ptr->gamma_to_1[palette[i].blue];
+- png_composite(w, v, png_ptr->trans_alpha[i], back_1.blue);
+- palette[i].blue = png_ptr->gamma_from_1[w];
++ if ((png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0)
++ {
++ /* Premultiply only:
++ * component = round((component * alpha) / 255)
++ */
++ png_uint_32 component;
++
++ component = png_ptr->gamma_to_1[palette[i].red];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].red = png_ptr->gamma_from_1[component];
++
++ component = png_ptr->gamma_to_1[palette[i].green];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].green = png_ptr->gamma_from_1[component];
++
++ component = png_ptr->gamma_to_1[palette[i].blue];
++ component =
++ (component * png_ptr->trans_alpha[i] + 128) / 255;
++ palette[i].blue = png_ptr->gamma_from_1[component];
++ }
++ else
++ {
++ /* Composite with background color:
++ * component =
++ * alpha * component + (1 - alpha) * background
++ */
++ png_byte v, w;
++
++ v = png_ptr->gamma_to_1[palette[i].red];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.red);
++ palette[i].red = png_ptr->gamma_from_1[w];
++
++ v = png_ptr->gamma_to_1[palette[i].green];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.green);
++ palette[i].green = png_ptr->gamma_from_1[w];
++
++ v = png_ptr->gamma_to_1[palette[i].blue];
++ png_composite(w, v,
++ png_ptr->trans_alpha[i], back_1.blue);
++ palette[i].blue = png_ptr->gamma_from_1[w];
++ }
+ }
+ }
+ else
+--
+2.45.4
+
diff --git a/SPECS/qt5-qtbase/qt5-qtbase.spec b/SPECS/qt5-qtbase/qt5-qtbase.spec
index 942401a30f3..262f28977fa 100644
--- a/SPECS/qt5-qtbase/qt5-qtbase.spec
+++ b/SPECS/qt5-qtbase/qt5-qtbase.spec
@@ -33,7 +33,7 @@ Name: qt5-qtbase
 Summary: Qt5 - QtBase components
 Version: 5.12.11
-Release: 18%{?dist}
+Release: 19%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
 Vendor: Microsoft Corporation
@@ -170,6 +170,8 @@ Patch95: CVE-2023-34410.patch
 Patch96: CVE-2025-30348.patch
 Patch97: CVE-2025-6558.patch
 Patch98: CVE-2025-5455.patch
+Patch99: CVE-2025-64506.patch
+Patch100:CVE-2025-64720.patch
 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
@@ -779,6 +781,9 @@ fi
 %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake
 %changelog
+* Thu Nov 27 2025 Azure Linux Security Servicing Account - 5.12.11-19
+- Patch for CVE-2025-64720, CVE-2025-64506
+
 * Fri Jul 25 2025 Akhila Guruju - 5.12.11-18
 - Patch CVE-2025-5455
@@ -1347,7 +1352,7 @@ fi
 - Crash in QXcbWindow::setParent() due to NULL xcbScreen (QTBUG-50081, #1291003)
 * Mon Dec 21 2015 Rex Dieter 5.6.0-0.17.beta
-- fix/update Release: 1%%{?dist}
+- fix/update Release: 19%{?dist}
 * Fri Dec 18 2015 Rex Dieter 5.6.0-0.16
 - 5.6.0-beta (final)
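Review bot: The patch description's formula `component * alpha + 127) / 255` does not match the code it introduces, which rounds with `(component * png_ptr->trans_alpha[i] + 128) / 255`, and the quoted formula is also missing its opening parenthesis; since this file is carried as a local backport, its text should state the rounding the code actually uses so a later maintainer does not "correct" one to match the other. With `+ 128` and byte-valued inputs (the removed `png_byte v` assignment implies `gamma_to_1` entries are bytes, and `trans_alpha[i]` is at most 255) the result stays within 0..255, so the `gamma_from_1[component]` index remains in range, which is the property the fix relies on; worth confirming against the table declarations, which are outside the hunk. `png_init_read_transformations` starts and ends outside the hunk.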
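Review bot: `Patch100:CVE-2025-64720.patch` drops the space after the tag, unlike the neighbouring `Patch99: CVE-2025-64506.patch` and every other Patch line in the hunk; rpm tolerates it, but the line should read `Patch100: CVE-2025-64720.patch` for consistency. If %prep applies patches individually rather than through %autosetup, matching %patch entries for 99 and 100 are also needed; that section is outside this diff, so I cannot confirm either way.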
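Review bot: The last hunk rewrites a 2015 changelog entry, changing `- fix/update Release: 1%%{?dist}` to `- fix/update Release: 19%{?dist}`, which looks like an accidental side effect of the release bump rather than an intended edit. Besides altering a historical entry, it turns the escaped `%%` into a bare `%`, so `%{?dist}` may now be macro-expanded inside %changelog text (rpmlint flags macros in %changelog for this reason); the line should be left as it was.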