Fix CVE-2025-5992 in Qt6 and also backport patches to fix crashes with KDE Plasma 6.4

[Douglas R. Reno]

While I was looking around on my Gentoo system earlier I noticed they have a new security patch. There's a blog post at ​https://www.qt.io/blog/security-advisory-recently-reported-denial-of-service-issue-in-qcolortransfergenericfunction-impacts-qt about it.

I have tested the patch from ​https://download.qt.io/official_releases/qt/6.9/CVE-2025-5992-qtbase-6.9.patch and it works well on one of my systems.

In addition to fixing this we'll want to also backport the following fixes:

• ​https://codereview.qt-project.org/c/qt/qtbase/+/652115 (Fixes HTTP/2 connections being unexpectedly closed, this appears to exhibit itself mostly in Falkon in our case as well as plasmashell) - bug report at ​https://bugreports.qt.io/browse/QTBUG-137427

• ​https://code.qt.io/cgit/qt/qtbase.git/commit/?h=6.9&id=eb6fd1d74b66fa2f390ec8b2456141cad3e571b9 (Fixes plasmashell crashes in QHttp2Connection::handleDATA) - upstream notes that this is a security related change due to it being a use after free.

• ​https://code.qt.io/cgit/qt/qtbase.git/commit/?h=6.9&id=f5eb24d5b8767521e821b00aed87ab87615800e4 (another use-after-free vulnerability in HTTP/2)

These came from ​https://gitlab.archlinux.org/archlinux/packaging/packages/qt6-base/-/commits/main with a pointer to ​https://gitlab.archlinux.org/archlinux/packaging/packages/qt6-base/-/merge_requests/2

[Douglas R. Reno]

Note that the next release of Qt6 will be after we go into package freeze, so we'll want to fix these now

[Douglas R. Reno]

Fixed at 375a16fa87cfd8ddb1783d8106316aa83677bd43

[Douglas R. Reno]

SA-12.3-083 issued