[2024.02.x,6/9] package/qt6/qt6base: backport fix for CVE-2023-51714

Message ID 20240822102040.2083799-7-thomas.petazzoni@bootlin.com
State Accepted
Series: Fix Qt6 CVEs in 2024.02.x

Commit Message

Thomas Petazzoni Aug. 22, 2024, 10:20 a.m. UTC
This commit backports upstream patches that are needed to fix
CVE-2023-51714. The second one is the actual CVE fix; the first one is
needed only to backport the second patch in a reasonable way.

Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
---
Only applicable to 2024.02.x, since >= 2024.05 use a Qt6 version that
already has the fix.
---
 .../0010-HPack-fix-a-Yoda-Condition.patch     | 43 +++++++++++++++++
 ...fix-incorrect-integer-overflow-check.patch | 48 +++++++++++++++++++
 package/qt6/qt6base/qt6base.mk                |  2 +
 3 files changed, 93 insertions(+)
 create mode 100644 package/qt6/qt6base/0010-HPack-fix-a-Yoda-Condition.patch
 create mode 100644 package/qt6/qt6base/0011-HPack-fix-incorrect-integer-overflow-check.patch

Patch

diff --git a/package/qt6/qt6base/0010-HPack-fix-a-Yoda-Condition.patch b/package/qt6/qt6base/0010-HPack-fix-a-Yoda-Condition.patch
new file mode 100644
index 0000000000..ca9c740df0
--- /dev/null
+++ b/package/qt6/qt6base/0010-HPack-fix-a-Yoda-Condition.patch
@@ -0,0 +1,43 @@ 
+From fc5e607b78dc6dc2a17e3586d2085e9d25412785 Mon Sep 17 00:00:00 2001
+From: Marc Mutz <marc.mutz@qt.io>
+Date: Tue, 12 Dec 2023 20:51:56 +0100
+Subject: [PATCH] HPack: fix a Yoda Condition
+
+Putting the variable on the LHS of a relational operation makes the
+expression easier to read. In this case, we find that the whole
+expression is nonsensical as an overflow protection, because if
+name.size() + value.size() overflows, the result will exactly _not_
+be > max() - 32, because UB will have happened.
+
+To be fixed in a follow-up commit.
+
+As a drive-by, add parentheses around the RHS.
+
+Pick-to: 6.7 6.6 6.5 6.2 5.15
+Change-Id: I35ce598884c37c51b74756b3bd2734b9aad63c09
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+
+Upstream: https://github.com/qt/qtbase/commit/658607a34ead214fbacbc2cca44915655c318ea9
+[Thomas: needed to backport fix for
+https://security-tracker.debian.org/tracker/CVE-2023-51714]
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/network/access/http2/hpacktable.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
+index 0b69ee86a9b..34da5594e2b 100644
+--- a/src/network/access/http2/hpacktable.cpp
++++ b/src/network/access/http2/hpacktable.cpp
+@@ -27,7 +27,7 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value)
+     // 32 octets of overhead."
+ 
+     const unsigned sum = unsigned(name.size() + value.size());
+-    if (std::numeric_limits<unsigned>::max() - 32 < sum)
++    if (sum > (std::numeric_limits<unsigned>::max() - 32))
+         return HeaderSize();
+     return HeaderSize(true, quint32(sum + 32));
+ }
+-- 
+2.46.0
+
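Review bot: this 0010 patch changes nothing about the overflow behaviour on its own: after the rewrite to `if (sum > (std::numeric_limits<unsigned>::max() - 32))`, `sum` is still computed as `unsigned(name.size() + value.size())`, so the check remains ineffective exactly as the upstream message says ("To be fixed in a follow-up commit"). That is fine as a prerequisite, but the `[Thomas: ...]` note should state explicitly that this patch fixes nothing by itself and is carried only so that 0011 applies cleanly; otherwise a later reader of the package directory may take the "HPack: fix a Yoda Condition" subject for the CVE fix and cherry-pick it alone.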
diff --git a/package/qt6/qt6base/0011-HPack-fix-incorrect-integer-overflow-check.patch b/package/qt6/qt6base/0011-HPack-fix-incorrect-integer-overflow-check.patch
new file mode 100644
index 0000000000..a7b7c20b64
--- /dev/null
+++ b/package/qt6/qt6base/0011-HPack-fix-incorrect-integer-overflow-check.patch
@@ -0,0 +1,48 @@ 
+From 01348087ee851f1781a27e7ce8a1ed0bda5441fe Mon Sep 17 00:00:00 2001
+From: Marc Mutz <marc.mutz@qt.io>
+Date: Tue, 12 Dec 2023 22:08:07 +0100
+Subject: [PATCH] HPack: fix incorrect integer overflow check
+
+This code never worked:
+
+For the comparison with max() - 32 to trigger, on 32-bit platforms (or
+Qt 5) signed interger overflow would have had to happen in the
+addition of the two sizes. The compiler can therefore remove the
+overflow check as dead code.
+
+On Qt 6 and 64-bit platforms, the signed integer addition would be
+very unlikely to overflow, but the following truncation to uint32
+would yield the correct result only in a narrow 32-value window just
+below UINT_MAX, if even that.
+
+Fix by using the proper tool, qAddOverflow.
+
+Pick-to: 6.7 6.6 6.5 6.2 5.15
+Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+
+Fixes: https://security-tracker.debian.org/tracker/CVE-2023-51714
+Upstream: https://github.com/qt/qtbase/commit/ee5da1f2eaf8932aeca02ffea6e4c618585e29e3
+Signed-off-by: Thomas Petazzoni <thomas.petazzoni@bootlin.com>
+---
+ src/network/access/http2/hpacktable.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp
+index 34da5594e2b..f20ec92d4c5 100644
+--- a/src/network/access/http2/hpacktable.cpp
++++ b/src/network/access/http2/hpacktable.cpp
+@@ -26,7 +26,9 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value)
+     // for counting the number of references to the name and value would have
+     // 32 octets of overhead."
+ 
+-    const unsigned sum = unsigned(name.size() + value.size());
++    size_t sum;
++    if (qAddOverflow(size_t(name.size()), size_t(value.size()), &sum))
++        return HeaderSize();
+     if (sum > (std::numeric_limits<unsigned>::max() - 32))
+         return HeaderSize();
+     return HeaderSize(true, quint32(sum + 32));
+-- 
+2.46.0
+
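Review bot: the fix is a two-stage check and both stages are needed: `qAddOverflow(size_t(name.size()), size_t(value.size()), &sum)` rejects an overflowing addition, and the retained `if (sum > (std::numeric_limits<unsigned>::max() - 32))` is now what actually guards the `quint32(sum + 32)` truncation, because `sum` is a full-width `size_t` rather than an already-truncated `unsigned`. The hunk adds no include for `qAddOverflow` (declared in qnumeric.h), so please confirm that hpacktable.cpp in the Qt6 version used by 2024.02.x picks it up transitively, i.e. that qt6base builds with patches 0010 and 0011 applied; a missing declaration would only surface at build time.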
diff --git a/package/qt6/qt6base/qt6base.mk b/package/qt6/qt6base/qt6base.mk
index 9d21aefbfb..0bb9a197ec 100644
--- a/package/qt6/qt6base/qt6base.mk
+++ b/package/qt6/qt6base/qt6base.mk
@@ -17,6 +17,8 @@  QT6BASE_IGNORE_CVES += CVE-2023-32762
 QT6BASE_IGNORE_CVES += CVE-2023-32763
 # 0009-QXmlStreamReader-Raise-error-on-unexpected-tokens.patch
 QT6BASE_IGNORE_CVES += CVE-2023-38197
+# 0011-HPack-fix-incorrect-integer-overflow-check.patch
+QT6BASE_IGNORE_CVES += CVE-2023-38197
 
 QT6BASE_CMAKE_BACKEND = ninja
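Review bot: the added line `QT6BASE_IGNORE_CVES += CVE-2023-38197` names the wrong CVE: that identifier is already listed two lines above for 0009-QXmlStreamReader-Raise-error-on-unexpected-tokens.patch, and the comment for 0011-HPack-fix-incorrect-integer-overflow-check.patch should be followed by `QT6BASE_IGNORE_CVES += CVE-2023-51714`, matching the patch subject and the `Fixes:` tag in the 0011 patch. As written, the CVE this series fixes is still reported by the CVE checker and CVE-2023-38197 is ignored twice.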