qt5-5.15.5

[Bruce Dubbs]

New point version. Now released to open source.

[pierre]

From Ken's mail:
I have no idea if 5.15.5 includes aything useful compared to 5.15.4, but in paid-for 5.15.6 there is a fix for ​https://nvd.nist.gov/vuln/detail/CVE-2021-38593 with an individual patch at fedora ​https://src.fedoraproject.org/rpms/qt5-qtbase/blob/rawhide/f/qtbase-everywhere-src-5.15.4-cve-2021-38593.patch and presumably in current kf5.15.

And Bruce proposes this sed:

sed -e '/extent . patternLength/s/extent/qFuzzyIsNull(extent) || &/' \
     -i qtbase/src/gui/painting/qpaintengineex.cpp

In Ken's mail, there is also a reference to this qt6 commit: ​https://github.com/qt/qtbase/commit/6b400e3147dcfd8cc3a393ace1bd118c93762e0c, which looks like the same change...

Anyway it looks like qpaintengineex.cpp is already heavily patched in kf5 patch, so not sure whether this should be applied.

[pierre]

I've used the same procedure as in ticket #16549 for generating the patchset, except another module needs to be "deinitied":

git submodule deinit qtquick3dphysics

Of course the "git diff" command has to be changed to:

git diff v5.15.5-lts-lgpl..origin/kde/5.15 --submodule=diff > /path/to/patch

[pierre]

The file qtbase/src/gui/painting/qpaintengineex.cpp has been modified at commit 6d887717b9 in the repository maintained by kde folks, after the change above, so the sed is not needed, and the CVE should be considered as fixed.

[pierre]

fixed at 52e63febd3

[pierre]

Oops, forgot the SA...

[pierre]

Advisory committed at ac5b25a of the www repository.