diff --git a/SPECS/qtsvg/CVE-2025-10728.patch b/SPECS/qtsvg/CVE-2025-10728.patch new file mode 100644 index 00000000000..4a356570b29 --- /dev/null +++ b/SPECS/qtsvg/CVE-2025-10728.patch @@ -0,0 +1,56 @@ +From 17878e6b10471dd28af590d9733ee9b996e86258 Mon Sep 17 00:00:00 2001 +From: AllSpark +Date: Tue, 14 Oct 2025 09:58:40 +0000 +Subject: [PATCH] Replace check for endless recursion when loading + +The old check parsed the tree of SvgNodes again and again which lead to +quadratic complexity. Instead, set and check a bool where the recursion +may actually happen which is faster and only has linear complexity. + +Partially reverts 0332df304f013ded362537c1f61556098b875352 + +I chose to have the check in QSvgPattern::renderPattern() because: + +- It not only appears in the recursive backtrace of the stack-overflow + which was fixed using the qudratic check, but also in the backtrace + of another, still unfixed stack overflow. That way, both can be fixed + by the same patch. Credit to OSS-Fuzz for finding them. +- The function already had some error checking and returns a default + value when it cannot render the content. In the same way, I can return + a QImage of the right size but without any content when the endless + recursion is about to happen. + +[ChangeLog] Speed up loading by replacing check for cyclic elements +[ChangeLog] Fix stack overflow when an element references its child +element using url() + +Fixes: QTBUG-137553 +Pick-to: 6.8 +Change-Id: If011c15fde50dcefeb653d1d5995ff1347e7b5ac +Reviewed-by: Hatem ElKharashy +(cherry picked from commit 9e5bed9584ab65d56cd5fbac0471e06e37a54412) +Reviewed-by: Qt Cherry-pick Bot +(cherry picked from commit 90a5331640bb760b0114a7ea4e08b9e42b03e082) +Signed-off-by: Azure Linux Security Servicing Account +Upstream-reference: AI Backport of https://github.com/qt/qtsvg/commit/ea44b50c6e61104cadd6b7c8ede92a4108634232.patch +--- + src/svg/qsvghandler.cpp | 3 +++ + 1 file changed, 3 insertions(+) + +diff --git a/src/svg/qsvghandler.cpp b/src/svg/qsvghandler.cpp +index 335500a..fb0f131 100644 +--- a/src/svg/qsvghandler.cpp ++++ b/src/svg/qsvghandler.cpp +@@ -3663,6 +3663,9 @@ void QSvgHandler::parse() + // namespaceUri is empty. The only possible strategy at + // this point is to do what everyone else seems to do and + // ignore the reported namespaceUri completely. ++ // NOTE: Previously, a quadratic cycle-detection check was performed here. ++ // It has been removed to improve performance; cycle detection now occurs ++ // after parsing and resolution, which is linear overall. + if (remainingUnfinishedElements + && startElement(xml->name().toString(), xml->attributes())) { + --remainingUnfinishedElements; +-- +2.45.4 + diff --git a/SPECS/qtsvg/qtsvg.spec b/SPECS/qtsvg/qtsvg.spec index 00a9cbc5550..9732270a856 100644 --- a/SPECS/qtsvg/qtsvg.spec +++ b/SPECS/qtsvg/qtsvg.spec @@ -4,13 +4,14 @@ Summary: Qt6 - Support for rendering and displaying SVG Name: qtsvg Version: 6.6.1 -Release: 2%{?dist} +Release: 3%{?dist} # See LICENSE.GPL3-EXCEPT.txt, for exception details License: GFDL AND GPLv2+ WITH exceptions AND LGPLv2.1+ Vendor: Microsoft Corporation Distribution: Azure Linux URL: https://www.qt.io Source0: https://download.qt.io/archive/qt/%{majmin}/%{version}/submodules/qtsvg-everywhere-src-%{version}.tar.xz +Patch0: CVE-2025-10728.patch %{?_qt5:Requires: %{_qt}%{?_isa} = %{_qt_version}} BuildRequires: qtbase-devel >= %{version} BuildRequires: qtbase-private-devel @@ -89,6 +90,9 @@ popd %changelog +* Tue Oct 14 2025 Azure Linux Security Servicing Account - 6.6.1-3 +- Patch for CVE-2025-10728 + * Mon Apr 07 2025 Andrew Phelps - 6.6.1-2 - Bump release to recompile with qtbase-devel-6.6.3