Patch qtsvg for CVE-2025-10728

Author: azurelinux-security

SPECS/qtsvg/CVE-2025-10728.patch

@@ -0,0 +1,56 @@
+From 17878e6b10471dd28af590d9733ee9b996e86258 Mon Sep 17 00:00:00 2001
+From: AllSpark <[email protected]>
+Date: Tue, 14 Oct 2025 09:58:40 +0000
+Subject: [PATCH] Replace check for endless recursion when loading
+
+The old check parsed the tree of SvgNodes again and again which lead to
+quadratic complexity. Instead, set and check a bool where the recursion
+may actually happen which is faster and only has linear complexity.
+
+Partially reverts 0332df304f013ded362537c1f61556098b875352
+
+I chose to have the check in QSvgPattern::renderPattern() because:
+
+- It not only appears in the recursive backtrace of the stack-overflow
+  which was fixed using the qudratic check, but also in the backtrace
+  of another, still unfixed stack overflow. That way, both can be fixed
+  by the same patch. Credit to OSS-Fuzz for finding them.
+- The function already had some error checking and returns a default
+  value when it cannot render the content. In the same way, I can return
+  a QImage of the right size but without any content when the endless
+  recursion is about to happen.
+
+[ChangeLog] Speed up loading by replacing check for cyclic elements
+[ChangeLog] Fix stack overflow when an element references its child
+element using url()
+
+Fixes: QTBUG-137553
+Pick-to: 6.8
+Change-Id: If011c15fde50dcefeb653d1d5995ff1347e7b5ac
+Reviewed-by: Hatem ElKharashy <[email protected]>
+(cherry picked from commit 9e5bed9584ab65d56cd5fbac0471e06e37a54412)
+Reviewed-by: Qt Cherry-pick Bot <[email protected]>
+(cherry picked from commit 90a5331640bb760b0114a7ea4e08b9e42b03e082)
+Signed-off-by: Azure Linux Security Servicing Account <[email protected]>
+Upstream-reference: AI Backport of https://github.com/qt/qtsvg/commit/ea44b50c6e61104cadd6b7c8ede92a4108634232.patch
+---
+ src/svg/qsvghandler.cpp | 3 +++
+ 1 file changed, 3 insertions(+)
+
+diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp
+index 335500a..fb0f131 100644
+--- a/src/svg/qsvghandler.cpp
++++ b/src/svg/qsvghandler.cpp
+@@ -3663,6 +3663,9 @@ void QSvgHandler::parse()
+             // namespaceUri is empty. The only possible strategy at
+             // this point is to do what everyone else seems to do and
+             // ignore the reported namespaceUri completely.
++            // NOTE: Previously, a quadratic cycle-detection check was performed here.
++            // It has been removed to improve performance; cycle detection now occurs
++            // after parsing and resolution, which is linear overall.
+             if (remainingUnfinishedElements
+                     && startElement(xml->name().toString(), xml->attributes())) {
+                 --remainingUnfinishedElements;
+-- 
+2.45.4
+

SPECS/qtsvg/qtsvg.spec

@@ -4,13 +4,14 @@
 Summary:        Qt6 - Support for rendering and displaying SVG
 Name:           qtsvg
 Version:        6.6.1
-Release:        2%{?dist}
+Release:        3%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License:        GFDL AND GPLv2+ WITH exceptions AND LGPLv2.1+
 Vendor:         Microsoft Corporation
 Distribution:   Azure Linux
 URL:            https://www.qt.io
 Source0:        https://download.qt.io/archive/qt/%{majmin}/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz
+Patch0:         CVE-2025-10728.patch
 %{?_qt5:Requires: %{_qt}%{?_isa} = %{_qt_version}}
 BuildRequires:  qtbase-devel >= %{version}
 BuildRequires:  qtbase-private-devel
@@ -89,6 +90,9 @@ popd
 
 
 %changelog
+* Tue Oct 14 2025 Azure Linux Security Servicing Account <[email protected]> - 6.6.1-3
+- Patch for CVE-2025-10728
+
 * Mon Apr 07 2025 Andrew Phelps <[email protected]> - 6.6.1-2
 - Bump release to recompile with qtbase-devel-6.6.3