[Medium] Patch qt5-qtbase for CVE-2025-5455 (microsoft#14190)

Author: akhila-guruju

SPECS/qt5-qtbase/CVE-2025-5455.patch

@@ -0,0 +1,67 @@
+From 3e55c2a5d82093c2dddb7bcf61f431ad666f5103 Mon Sep 17 00:00:00 2001
+From: akhila-guruju <[email protected]>
+Date: Wed, 9 Jul 2025 13:04:18 +0000
+Subject: [PATCH] Address CVE-2025-5455
+
+Upstream Patch Reference:
+ 1. https://www.qt.io/blog/security-advisory-recently-discovered-issue-in-qdecodedataurl-in-qtcore-impacts-qt (v5.15) - https://download.qt.io/official_releases/qt/5.15/CVE-2025-5455-qtbase-5.15.patch
+ 2. for test: https://codereview.qt-project.org/c/qt/qtbase/+/642006/7/tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp
+
+---
+ src/corelib/io/qdataurl.cpp                     |  9 +++++----
+ tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp | 13 +++++++++++++
+ 2 files changed, 18 insertions(+), 4 deletions(-)
+
+diff --git a/src/corelib/io/qdataurl.cpp b/src/corelib/io/qdataurl.cpp
+index 9cb1b9ab..707bc358 100644
+--- a/src/corelib/io/qdataurl.cpp
++++ b/src/corelib/io/qdataurl.cpp
+@@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray
+         }
+ 
+         if (data.toLower().startsWith("charset")) {
+-            int i = 7;      // strlen("charset")
+-            while (data.at(i) == ' ')
+-                ++i;
+-            if (data.at(i) == '=')
++            int prefixSize = 7; // strlen("charset")
++            QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize);
++            while (copy.startsWith(QLatin1String(" ")))
++                copy = copy.mid(1);
++            if (copy.startsWith(QLatin1String("=")))
+                 data.prepend("text/plain;");
+         }
+ 
+diff --git a/tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp b/tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp
+index 66720d28..a236a0dc 100644
+--- a/tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp
++++ b/tests/auto/corelib/io/qdataurl/tst_qdataurl.cpp
+@@ -38,6 +38,7 @@ private slots:
+     void nonData();
+     void emptyData();
+     void alreadyPercentageEncoded();
++    void prematureCharsetEnd();
+ };
+ 
+ void tst_QDataUrl::nonData()
+@@ -74,5 +75,17 @@ void tst_QDataUrl::alreadyPercentageEncoded()
+     QCOMPARE(payload, QByteArray::fromPercentEncoding("%E2%88%9A"));
+ }
+ 
++void tst_QDataUrl::prematureCharsetEnd()
++{
++    QLatin1String data("data:charset,");
++    QUrl url(data);
++    QString mimeType;
++    QByteArray payload;
++    bool result = qDecodeDataUrl(url, mimeType, payload);
++    QVERIFY(result);
++    QCOMPARE(mimeType, QLatin1String("charset"));
++    QVERIFY(payload.isEmpty());
++}
++
+ QTEST_MAIN(tst_QDataUrl)
+ #include "tst_qdataurl.moc"
+-- 
+2.45.2
+

SPECS/qt5-qtbase/qt5-qtbase.spec

@@ -33,7 +33,7 @@
 Name:         qt5-qtbase
 Summary:      Qt5 - QtBase components
 Version:      5.12.11
-Release:      16%{?dist}
+Release:      17%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License:      GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
 Vendor:       Microsoft Corporation
@@ -168,6 +168,7 @@ Patch93: CVE-2022-25255.patch
 Patch94: CVE-2024-25580.patch
 Patch95: CVE-2023-34410.patch
 Patch96: CVE-2025-30348.patch
+Patch97: CVE-2025-5455.patch
 
 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
@@ -777,6 +778,9 @@ fi
 %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake
 
 %changelog
+* Tue Jul 01 2025 Akhila Guruju <[email protected]> - 5.12.11-17
+- Patch CVE-2025-5455
+
 * Fri Jun 13 2025 Jyoti Kanase <[email protected]> - 5.12.11-16
 - Fix CVE-2025-30348