diff -pruN 5.15.17+dfsg-1/debian/changelog 5.15.17+dfsg-1ubuntu1/debian/changelog --- 5.15.17+dfsg-1/debian/changelog 2025-05-24 19:32:13.000000000 +0000 +++ 5.15.17+dfsg-1ubuntu1/debian/changelog 2025-07-11 13:12:23.000000000 +0000 @@ -1,3 +1,11 @@ +qtbase-opensource-src (5.15.17+dfsg-1ubuntu1) questing; urgency=medium + + * Merge with Debian experimental, remaining changes: + - Force -D_FORTIFY_SOURCE=2 to avoid Qt/KDE apps crashing on start. + - Disable _Z5qHashgj symbol on ppc64el. + + -- Dmitry Shachnev Fri, 11 Jul 2025 16:12:23 +0300 + qtbase-opensource-src (5.15.17+dfsg-1) experimental; urgency=medium * New upstream release. @@ -33,6 +41,21 @@ qtbase-opensource-src (5.15.16+dfsg-1) e -- Dmitry Shachnev Fri, 24 Jan 2025 22:26:02 +0300 +qtbase-opensource-src (5.15.15+dfsg-6) unstable; urgency=medium + + * Backport upstream patch to fix assertion errors in data: URL parsing + (CVE-2025-5455, closes: #1108475). + + -- Dmitry Shachnev Sun, 29 Jun 2025 22:50:45 +0300 + +qtbase-opensource-src (5.15.15+dfsg-5ubuntu1) questing; urgency=medium + + * Merge with Debian. Remaining changes: + - Force -D_FORTIFY_SOURCE=2 to avoid Qt/KDE apps crashing on start. + - Update symbols on ppc64el. + + -- Rik Mills Sat, 10 May 2025 14:10:51 +0100 + qtbase-opensource-src (5.15.15+dfsg-5) unstable; urgency=medium * Backport upstream patch to add null checks in table iface methods in @@ -41,6 +64,14 @@ qtbase-opensource-src (5.15.15+dfsg-5) u -- Dmitry Shachnev Mon, 24 Mar 2025 15:42:48 +0300 +qtbase-opensource-src (5.15.15+dfsg-4ubuntu1) plucky; urgency=medium + + * Merge with Debian. Remaining changes: + - Force -D_FORTIFY_SOURCE=2 to avoid Qt/KDE apps crashing on start. + * Merge fixes (LP: #2098556) + + -- Rik Mills Sat, 15 Feb 2025 14:00:03 +0000 + qtbase-opensource-src (5.15.15+dfsg-4) unstable; urgency=medium * Fix containsTLDEntry() crash when tldChunkCount >= 3 (closes: #1095423). @@ -63,6 +94,19 @@ qtbase-opensource-src (5.15.15+dfsg-3) u -- Pino Toscano Fri, 07 Feb 2025 07:20:36 +0100 +qtbase-opensource-src (5.15.15+dfsg-1ubuntu2) plucky; urgency=medium + + * No-change rebuild for icu soname change. + + -- Matthias Klose Tue, 07 Jan 2025 08:36:52 +0100 + +qtbase-opensource-src (5.15.15+dfsg-1ubuntu1) oracular; urgency=medium + + * Merge with Debian experimental, remaining change: + - Force -D_FORTIFY_SOURCE=2 to avoid Qt/KDE apps crashing on start. + + -- Dmitry Shachnev Mon, 09 Sep 2024 19:15:29 +0300 + qtbase-opensource-src (5.15.15+dfsg-2) unstable; urgency=medium * Upload to unstable. @@ -99,6 +143,13 @@ qtbase-opensource-src (5.15.14+dfsg-1) e -- Dmitry Shachnev Sun, 26 May 2024 17:32:51 +0300 +qtbase-opensource-src (5.15.13+dfsg-4ubuntu1) oracular; urgency=medium + + * Merge with Debian unstable, remaining change: + - Force -D_FORTIFY_SOURCE=2 to avoid Qt/KDE apps crashing on start. + + -- Dmitry Shachnev Fri, 26 Jul 2024 14:47:52 +0300 + qtbase-opensource-src (5.15.13+dfsg-4) unstable; urgency=medium * Backport upstream patch to fix qfutureinterface.h for GCC 14 @@ -126,6 +177,13 @@ qtbase-opensource-src (5.15.13+dfsg-2) u -- Dmitry Shachnev Tue, 21 May 2024 10:53:43 +0300 +qtbase-opensource-src (5.15.13+dfsg-1ubuntu1) noble; urgency=medium + + * Merge with Debian experimental, remaining change: + - Force -D_FORTIFY_SOURCE=2 to avoid Qt/KDE apps crashing on start. + + -- Dmitry Shachnev Thu, 28 Mar 2024 11:19:11 +0300 + qtbase-opensource-src (5.15.13+dfsg-1) experimental; urgency=medium * Merge 5.15.10+dfsg-7.2 upload from unstable. @@ -143,6 +201,43 @@ qtbase-opensource-src (5.15.13+dfsg-1) e -- Dmitry Shachnev Sat, 09 Mar 2024 14:24:14 +0300 +qtbase-opensource-src (5.15.12+dfsg-3ubuntu6) noble; urgency=medium + + * No-change rebuild against libcups2t64 + + -- Michael Hudson-Doyle Wed, 20 Mar 2024 13:56:07 +1300 + +qtbase-opensource-src (5.15.12+dfsg-3ubuntu5) noble; urgency=medium + + * Merge 5.15.10+dfsg-7.2 upload from Debian unstable. + + -- Dmitry Shachnev Fri, 15 Mar 2024 01:00:58 +0300 + +qtbase-opensource-src (5.15.12+dfsg-3ubuntu4) noble; urgency=medium + + * No-change rebuild against libglib2.0-0t64 + + -- Steve Langasek Mon, 11 Mar 2024 23:33:19 +0000 + +qtbase-opensource-src (5.15.12+dfsg-3ubuntu3) noble; urgency=medium + + * No-change rebuild against libssl3t64 + + -- Steve Langasek Mon, 04 Mar 2024 21:09:22 +0000 + +qtbase-opensource-src (5.15.12+dfsg-3ubuntu2) noble; urgency=medium + + * No-change rebuild against libpng16-16t64 + + -- Steve Langasek Thu, 29 Feb 2024 08:02:22 +0000 + +qtbase-opensource-src (5.15.12+dfsg-3ubuntu1) noble; urgency=medium + + * Merge with Debian experimental, remaining change: + - Force -D_FORTIFY_SOURCE=2 to avoid Qt/KDE apps crashing on start. + + -- Dmitry Shachnev Sat, 24 Feb 2024 23:33:04 +0300 + qtbase-opensource-src (5.15.12+dfsg-3) experimental; urgency=medium * Merge 5.15.10+dfsg-7 upload from unstable. @@ -157,6 +252,13 @@ qtbase-opensource-src (5.15.12+dfsg-2) e -- Dmitry Shachnev Sun, 14 Jan 2024 13:23:36 +0300 +qtbase-opensource-src (5.15.12+dfsg-1ubuntu1) noble; urgency=medium + + * Merge with Debian experimental, remaining change: + - Force -D_FORTIFY_SOURCE=2 to avoid Qt/KDE apps crashing on start. + + -- Dmitry Shachnev Tue, 26 Dec 2023 10:42:00 +0300 + qtbase-opensource-src (5.15.12+dfsg-1) experimental; urgency=medium * New upstream release. @@ -207,6 +309,13 @@ qtbase-opensource-src (5.15.10+dfsg-6) u -- Dmitry Shachnev Sat, 13 Jan 2024 19:53:52 +0300 +qtbase-opensource-src (5.15.10+dfsg-5ubuntu1) noble; urgency=medium + + * For now force -D_FORTIFY_SOURCE=2 to avoid Qt/KDE apps crashing on + start. + + -- Rik Mills Fri, 22 Dec 2023 10:40:00 +0000 + qtbase-opensource-src (5.15.10+dfsg-5) unstable; urgency=medium * Add a patch to support LoongArch (closes: #1054569). Thanks Dandan Zhang! diff -pruN 5.15.17+dfsg-1/debian/control 5.15.17+dfsg-1ubuntu1/debian/control --- 5.15.17+dfsg-1/debian/control 2025-05-24 19:32:13.000000000 +0000 +++ 5.15.17+dfsg-1ubuntu1/debian/control 2025-07-11 13:12:23.000000000 +0000 @@ -1,7 +1,8 @@ Source: qtbase-opensource-src Section: libs Priority: optional -Maintainer: Debian Qt/KDE Maintainers +Maintainer: Ubuntu Developers +XSBC-Original-Maintainer: Debian Qt/KDE Maintainers Uploaders: Sune Vuorela , Pino Toscano , Timo Jyrinki , diff -pruN 5.15.17+dfsg-1/debian/libqt5core5t64.symbols 5.15.17+dfsg-1ubuntu1/debian/libqt5core5t64.symbols --- 5.15.17+dfsg-1/debian/libqt5core5t64.symbols 2025-05-24 19:32:13.000000000 +0000 +++ 5.15.17+dfsg-1ubuntu1/debian/libqt5core5t64.symbols 2025-07-11 13:12:23.000000000 +0000 @@ -146,7 +146,7 @@ libQt5Core.so.5 libqt5core5t64 #MINVER# _Z5qHashdj@Qt_5 5.3.0 (arch=!alpha !powerpc !ppc64 !ppc64el !s390x)_Z5qHashej@Qt_5 5.3.0 _Z5qHashfj@Qt_5 5.3.0 - (arch=alpha powerpc ppc64 ppc64el s390x)_Z5qHashgj@Qt_5 5.6.1 + (arch=alpha powerpc ppc64 s390x)_Z5qHashgj@Qt_5 5.6.1 _Z5qQNaNv@Qt_5 5.0.2 _Z5qSNaNv@Qt_5 5.0.2 _Z5qdtoadPiS_@Qt_5 5.7.0 diff -pruN 5.15.17+dfsg-1/debian/patches/CVE-2025-5455.diff 5.15.17+dfsg-1ubuntu1/debian/patches/CVE-2025-5455.diff --- 5.15.17+dfsg-1/debian/patches/CVE-2025-5455.diff 1970-01-01 00:00:00.000000000 +0000 +++ 5.15.17+dfsg-1ubuntu1/debian/patches/CVE-2025-5455.diff 2025-07-11 13:12:23.000000000 +0000 @@ -0,0 +1,30 @@ +Description: qDecodeDataUrl(): fix precondition violation in call to QByteArrayView::at() + It is a precondition violation to call QByteArrayView::at() with + size() as argument. The code used that, though, as an implicit + end-of-string check, assuming == ' ' and == '=' would both fail for + null bytes. Besides, QByteArrays (but most certainly QByteArrayViews) + need not be null-terminated, so this could read even past size(). + . + To fix, use higher-level API (startsWith()), consuming parsed tokens + along the way. +Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2025-5455-qtbase-5.15.patch +Last-Update: 2025-06-29 + +--- a/src/corelib/io/qdataurl.cpp ++++ b/src/corelib/io/qdataurl.cpp +@@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const + } + + if (data.toLower().startsWith("charset")) { +- int i = 7; // strlen("charset") +- while (data.at(i) == ' ') +- ++i; +- if (data.at(i) == '=') ++ int prefixSize = 7; // strlen("charset") ++ QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize); ++ while (copy.startsWith(QLatin1String(" "))) ++ copy = copy.mid(1); ++ if (copy.startsWith(QLatin1String("="))) + data.prepend("text/plain;"); + } + diff -pruN 5.15.17+dfsg-1/debian/patches/series 5.15.17+dfsg-1ubuntu1/debian/patches/series --- 5.15.17+dfsg-1/debian/patches/series 2025-05-24 19:32:13.000000000 +0000 +++ 5.15.17+dfsg-1ubuntu1/debian/patches/series 2025-07-11 13:12:23.000000000 +0000 @@ -15,6 +15,7 @@ revert_statusnotifierhost_checking.diff dont_fallback_to_x11_tray_on_non_x11.diff check_dbus_tray_availability_every_time.diff a11y_null_checks.diff +CVE-2025-5455.diff # Debian specific. no_htmlinfo_example.diff diff -pruN 5.15.17+dfsg-1/debian/rules 5.15.17+dfsg-1ubuntu1/debian/rules --- 5.15.17+dfsg-1/debian/rules 2025-05-24 19:32:13.000000000 +0000 +++ 5.15.17+dfsg-1ubuntu1/debian/rules 2025-07-11 13:12:23.000000000 +0000 @@ -71,6 +71,8 @@ else NUMJOBS = 1 endif +export DEB_CPPFLAGS_MAINT_APPEND = -U_FORTIFY_SOURCE -D_FORTIFY_SOURCE=2 + %: dh $@ --with pkgkde_symbolshelper