fix: qt5 package script cleanup

2024-08-22 13:07:37 +03:00 · 2024-08-22 13:07:37 +03:00 · 587d7f310c
commit 587d7f310c
parent d46e2e7715
3 changed files with 13994 additions and 23 deletions
--- a/src/qt5/pkg.sh
+++ b/src/qt5/pkg.sh
@ -1,22 +1,26 @@
 NAME="qt5"
 DESC="Cross-platform application framework that is widely used for developing application software with a graphical user interface"
-VERSION="5.15.10"
+VERSION="5.15.12"
+
 FILES=(
-  "https://download.qt.io/archive/qt/${VERSION%.*}/$VERSION/single/qt-everywhere-opensource-src-$VERSION.tar.xz"
-  "https://www.linuxfromscratch.org/patches/blfs/12.0/qt-everywhere-opensource-src-$VERSION-kf5-1.patch"
+  "https://download.qt.io/archive/qt/${VERSION%.*}/${VERSION}/single/qt-everywhere-opensource-src-${VERSION}.tar.xz"
+  "qt-everywhere-opensource-src-5.15.12-security_fix-1.patch"
+  "qt-everywhere-opensource-src-5.15.12-kf5-1.patch"
  "assistant-qt5.desktop"
  "designer-qt5.desktop"
  "linguist-qt5.desktop"
  "qdbusviewer-qt5.desktop"
 )
 HASHES=(
-  "fb41d86bea6bc4886030a5092c910b09"
-  "39848ffa81817b251db5f122b6942362174274e670ce51443878d4012c7ebf53"
+  "3fb1cd4f763f5d50d491508b7b99fb77"
+  "50db2eb15bada7e87ddbe43a9a6a8f2844513356dd9c9adc9f4fedfc12b0db6d"
+  "82257f13e8c3b85955bf1d0750049b945dedadc3f2f76960f3d922347372b1da"
  "162c1b77fa48db234f483148337c57f3850d9749cfdb8660054a8c81a52c1f4b"
  "945d209667d4bdb01ddb9d5ee4968dee55e4386f0927246995de8bda93b0c274"
  "27b1237daf07ac00b9035f607744c42f5824455f20f94e3f1ac9eed64508542c"
  "5ce3d8b7550bdd1423c786b6ef543564aacaec61a62fdee1601bea249ff794cb"
 )
+
 DEPENDS=(
  "xorg" "fontconfig" "libinput" "double-conversion"
  "libjpeg-turbo" "libxi" "libxkbcommon"
@ -26,15 +30,16 @@ DEPENDS=(
 )

 PACKAGE() {
-  tar xf qt-everywhere-opensource-src-$VERSION.tar.xz
-  cd qt-everywhere-src-$VERSION 
+  tar xf "qt-everywhere-opensource-src-${VERSION}.tar.xz"
+  cd "qt-everywhere-src-${VERSION}"

-  patch -Np1 -i ../qt-everywhere-opensource-src-$VERSION-kf5-1.patch
+  patch -Np1 -i "../qt-everywhere-opensource-src-${VERSION}-kf5-1.patch"
  mkdir -pv qtbase/.git
  sed -e "/pragma once/a#include <cstdint>"                                    \
    -i qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/util/geometry.hpp \
       qtlocation/src/3rdparty/mapbox-gl-native/include/mbgl/util/string.hpp   \
       qtlocation/src/3rdparty/mapbox-gl-native/src/mbgl/gl/stencil_mode.hpp
+  patch -Np1 -i "../qt-everywhere-opensource-src-${VERSION}-security_fix-1.patch"

  ./configure -prefix /usr                              \
            -sysconfdir /etc/xdg                        \
@ -57,30 +62,31 @@ PACKAGE() {
            -docdir         /usr/share/doc/qt5          \
            -translationdir /usr/share/qt5/translations \
            -examplesdir    /usr/share/doc/qt5/examples
-  make && echo "Make completed, running the install"
-  make INSTALL_ROOT="$ROOTDIR" install
-  find "$ROOTDIR/usr/lib" -name \*.prl \
+  make
+  make INSTALL_ROOT="${ROOTDIR}" install
+
+  find "${ROOTDIR}/usr/lib" -name \*.prl \
   -exec sed -i -e '/^QMAKE_PRL_BUILD_DIR/d' {} \;
  
-  install -v -dm755 "$ROOTDIR/usr/share/pixmaps/"
+  install -v -dm755 "${ROOTDIR}/usr/share/pixmaps/"
  install -v -Dm644 qttools/src/assistant/assistant/images/assistant-128.png \
-                  "$ROOTDIR/usr/share/pixmaps/assistant-qt5.png"
+                    "${ROOTDIR}/usr/share/pixmaps/assistant-qt5.png"
  install -v -Dm644 qttools/src/designer/src/designer/images/designer.png \
-                  "$ROOTDIR/usr/share/pixmaps/designer-qt5.png" 
+                    "${ROOTDIR}/usr/share/pixmaps/designer-qt5.png" 
  install -v -Dm644 qttools/src/linguist/linguist/images/icons/linguist-128-32.png \
-                  "$ROOTDIR/usr/share/pixmaps/linguist-qt5.png"
+                    "${ROOTDIR}/usr/share/pixmaps/linguist-qt5.png"
  install -v -Dm644 qttools/src/qdbus/qdbusviewer/images/qdbusviewer-128.png \
-                  "$ROOTDIR/usr/share/pixmaps/qdbusviewer-qt5.png"
+                    "${ROOTDIR}/usr/share/pixmaps/qdbusviewer-qt5.png"

-  install -dm755 "$ROOTDIR/usr/share/applications"
-  cp "$ROOTDIR/assistant-qt5.desktop"   "$ROOTDIR/usr/share/applications/"
-  cp "$ROOTDIR/designer-qt5.desktop"    "$ROOTDIR/usr/share/applications/"
-  cp "$ROOTDIR/linguist-qt5.desktop"    "$ROOTDIR/usr/share/applications/"
-  cp "$ROOTDIR/qdbusviewer-qt5.desktop" "$ROOTDIR/usr/share/applications/"
+  install -Ddm755 "${ROOTDIR}/usr/share/applications"
+  cp "${ROOTDIR}/assistant-qt5.desktop"   "${ROOTDIR}/usr/share/applications/"
+  cp "${ROOTDIR}/designer-qt5.desktop"    "${ROOTDIR}/usr/share/applications/"
+  cp "${ROOTDIR}/linguist-qt5.desktop"    "${ROOTDIR}/usr/share/applications/"
+  cp "${ROOTDIR}/qdbusviewer-qt5.desktop" "${ROOTDIR}/usr/share/applications/"

  for file in moc uic rcc qmake lconvert lrelease lupdate; do
-    ln -sfrvn "$ROOTDIR/usr/bin/$file" "$ROOTDIR/usr/bin/$file-qt5"
+    ln -sfrvn "${ROOTDIR}/usr/bin/$file" "${ROOTDIR}/usr/bin/${file}-qt5"
  done

-  cd .. && rm -r qt-everywhere-src-$VERSION
+  cd .. && rm -r "qt-everywhere-src-${VERSION}"
 }
--- a/src/qt5/qt-everywhere-opensource-src-5.15.12-kf5-1.patch
+++ b/src/qt5/qt-everywhere-opensource-src-5.15.12-kf5-1.patch
--- a/src/qt5/qt-everywhere-opensource-src-5.15.12-security_fix-1.patch
+++ b/src/qt5/qt-everywhere-opensource-src-5.15.12-security_fix-1.patch
@ -0,0 +1,205 @@
+Submitted By:            Douglas R. Reno <renodr at linuxfromscratch dot org>
+Date:                    2024-02-17
+Initial Package Version: 5.15.12
+Origin:                  Upstream FTP Site (https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff)
+Upstream Status:         Applied
+Description:             Patches CVE-2024-25580, a security vulnerability that
+                         allows for a buffer overflow when reading crafted KTX
+                         images. Qt6 is also impacted but it was fixed in an
+                         official release (6.6.2).
+
+diff -Naurp qt-everywhere-src-5.15.12.orig/qtbase/src/gui/util/qktxhandler.cpp qt-everywhere-src-5.15.12/qtbase/src/gui/util/qktxhandler.cpp
+--- qt-everywhere-src-5.15.12.orig/qtbase/src/gui/util/qktxhandler.cpp	2024-02-16 19:43:44.752246504 -0600
+++ qt-everywhere-src-5.15.12/qtbase/src/gui/util/qktxhandler.cpp	2024-02-16 19:45:05.779751093 -0600
+@@ -73,7 +73,7 @@ struct KTXHeader {
+     quint32 bytesOfKeyValueData;
+ };
+ 
+-static const quint32 headerSize = sizeof(KTXHeader);
+static constexpr quint32 qktxh_headerSize = sizeof(KTXHeader);
+ 
+ // Currently unused, declared for future reference
+ struct KTXKeyValuePairItem {
+@@ -103,11 +103,36 @@ struct KTXMipmapLevel {
+     */
+ };
+ 
+-bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block)
+static bool qAddOverflow(quint32 v1, quint32 v2, quint32 *r) {
+    // unsigned additions are well-defined
+    *r = v1 + v2;
+    return v1 > quint32(v1 + v2);
+}
+
+// Returns the nearest multiple of 4 greater than or equal to 'value'
+static bool nearestMultipleOf4(quint32 value, quint32 *result)
+ {
+-    Q_UNUSED(suffix)
+    constexpr quint32 rounding = 4;
+    *result = 0;
+    if (qAddOverflow(value, rounding - 1, result))
+        return true;
+    *result &= ~(rounding - 1);
+    return false;
+}
+ 
+-    return (qstrncmp(block.constData(), ktxIdentifier, KTX_IDENTIFIER_LENGTH) == 0);
+// Returns a slice with prechecked bounds
+static QByteArray safeSlice(const QByteArray& array, quint32 start, quint32 length)
+{
+    quint32 end = 0;
+    if (qAddOverflow(start, length, &end) || end > quint32(array.length()))
+        return {};
+    return QByteArray(array.data() + start, length);
+}
+
+bool QKtxHandler::canRead(const QByteArray &suffix, const QByteArray &block)
+{
+    Q_UNUSED(suffix);
+    return block.startsWith(QByteArray::fromRawData(ktxIdentifier, KTX_IDENTIFIER_LENGTH));
+ }
+ 
+ QTextureFileData QKtxHandler::read()
+@@ -115,42 +140,97 @@ QTextureFileData QKtxHandler::read()
+     if (!device())
+         return QTextureFileData();
+ 
+-    QByteArray buf = device()->readAll();
+-    const quint32 dataSize = quint32(buf.size());
+-    if (dataSize < headerSize || !canRead(QByteArray(), buf)) {
+-        qCDebug(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData());
+    const QByteArray buf = device()->readAll();
+    if (size_t(buf.size()) > std::numeric_limits<quint32>::max()) {
+        qWarning(lcQtGuiTextureIO, "Too big KTX file %s", logName().constData());
+        return QTextureFileData();
+    }
+
+    if (!canRead(QByteArray(), buf)) {
+        qWarning(lcQtGuiTextureIO, "Invalid KTX file %s", logName().constData());
+        return QTextureFileData();
+    }
+
+    if (buf.size() < qsizetype(qktxh_headerSize)) {
+        qWarning(lcQtGuiTextureIO, "Invalid KTX header size in %s", logName().constData());
+         return QTextureFileData();
+     }
+ 
+-    const KTXHeader *header = reinterpret_cast<const KTXHeader *>(buf.constData());
+-    if (!checkHeader(*header)) {
+-        qCDebug(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData());
+    KTXHeader header;
+    memcpy(&header, buf.data(), qktxh_headerSize);
+    if (!checkHeader(header)) {
+        qWarning(lcQtGuiTextureIO, "Unsupported KTX file format in %s", logName().constData());
+         return QTextureFileData();
+     }
+ 
+     QTextureFileData texData;
+     texData.setData(buf);
+ 
+-    texData.setSize(QSize(decode(header->pixelWidth), decode(header->pixelHeight)));
+-    texData.setGLFormat(decode(header->glFormat));
+-    texData.setGLInternalFormat(decode(header->glInternalFormat));
+-    texData.setGLBaseInternalFormat(decode(header->glBaseInternalFormat));
+-
+-    texData.setNumLevels(decode(header->numberOfMipmapLevels));
+-    quint32 offset = headerSize + decode(header->bytesOfKeyValueData);
+-    const int maxLevels = qMin(texData.numLevels(), 32);               // Cap iterations in case of corrupt file.
+-    for (int i = 0; i < maxLevels; i++) {
+-        if (offset + sizeof(KTXMipmapLevel) > dataSize)                // Corrupt file; avoid oob read
+-            break;
+-        const KTXMipmapLevel *level = reinterpret_cast<const KTXMipmapLevel *>(buf.constData() + offset);
+-        quint32 levelLen = decode(level->imageSize);
+-        texData.setDataOffset(offset + sizeof(KTXMipmapLevel::imageSize), i);
+-        texData.setDataLength(levelLen, i);
+-        offset += sizeof(KTXMipmapLevel::imageSize) + levelLen + (3 - ((levelLen + 3) % 4));
+    texData.setSize(QSize(decode(header.pixelWidth), decode(header.pixelHeight)));
+    texData.setGLFormat(decode(header.glFormat));
+    texData.setGLInternalFormat(decode(header.glInternalFormat));
+    texData.setGLBaseInternalFormat(decode(header.glBaseInternalFormat));
+
+    texData.setNumLevels(decode(header.numberOfMipmapLevels));
+
+    const quint32 bytesOfKeyValueData = decode(header.bytesOfKeyValueData);
+    quint32 headerKeyValueSize;
+    if (qAddOverflow(qktxh_headerSize, bytesOfKeyValueData, &headerKeyValueSize)) {
+        qWarning(lcQtGuiTextureIO, "Overflow in size of key value data in header of KTX file %s",
+                 logName().constData());
+        return QTextureFileData();
+    }
+
+    if (headerKeyValueSize >= quint32(buf.size())) {
+        qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData());
+        return QTextureFileData();
+    }
+
+    // Technically, any number of levels is allowed but if the value is bigger than
+    // what is possible in KTX V2 (and what makes sense) we return an error.
+    // maxLevels = log2(max(width, height, depth))
+    const int maxLevels = (sizeof(quint32) * 8)
+            - qCountLeadingZeroBits(std::max(
+                    { header.pixelWidth, header.pixelHeight, header.pixelDepth }));
+
+    if (texData.numLevels() > maxLevels) {
+        qWarning(lcQtGuiTextureIO, "Too many levels in KTX file %s", logName().constData());
+        return QTextureFileData();
+    }
+
+    quint32 offset = headerKeyValueSize;
+    for (int level = 0; level < texData.numLevels(); level++) {
+        const auto imageSizeSlice = safeSlice(buf, offset, sizeof(quint32));
+        if (imageSizeSlice.isEmpty()) {
+            qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData());
+            return QTextureFileData();
+        }
+
+        const quint32 imageSize = decode(qFromUnaligned<quint32>(imageSizeSlice.data()));
+        offset += sizeof(quint32); // overflow checked indirectly above
+
+        texData.setDataOffset(offset, level);
+        texData.setDataLength(imageSize, level);
+
+        // Add image data and padding to offset
+        quint32 padded = 0;
+        if (nearestMultipleOf4(imageSize, &padded)) {
+            qWarning(lcQtGuiTextureIO, "Overflow in KTX file %s", logName().constData());
+            return QTextureFileData();
+        }
+
+        quint32 offsetNext;
+        if (qAddOverflow(offset, padded, &offsetNext)) {
+            qWarning(lcQtGuiTextureIO, "OOB request in KTX file %s", logName().constData());
+            return QTextureFileData();
+        }
+
+        offset = offsetNext;
+     }
+ 
+     if (!texData.isValid()) {
+-        qCDebug(lcQtGuiTextureIO, "Invalid values in header of KTX file %s", logName().constData());
+        qWarning(lcQtGuiTextureIO, "Invalid values in header of KTX file %s",
+                 logName().constData());
+         return QTextureFileData();
+     }
+ 
+@@ -191,7 +271,7 @@ bool QKtxHandler::checkHeader(const KTXH
+             (decode(header.numberOfFaces) == 1));
+ }
+ 
+-quint32 QKtxHandler::decode(quint32 val)
+quint32 QKtxHandler::decode(quint32 val) const
+ {
+     return inverseEndian ? qbswap<quint32>(val) : val;
+ }
+diff -Naurp qt-everywhere-src-5.15.12.orig/qtbase/src/gui/util/qktxhandler_p.h qt-everywhere-src-5.15.12/qtbase/src/gui/util/qktxhandler_p.h
+--- qt-everywhere-src-5.15.12.orig/qtbase/src/gui/util/qktxhandler_p.h	2024-02-16 19:43:44.752246504 -0600
+++ qt-everywhere-src-5.15.12/qtbase/src/gui/util/qktxhandler_p.h	2024-02-16 19:45:05.779751093 -0600
+@@ -68,7 +68,7 @@ public:
+ 
+ private:
+     bool checkHeader(const KTXHeader &header);
+-    quint32 decode(quint32 val);
+    quint32 decode(quint32 val) const;
+ 
+     bool inverseEndian = false;
+ };