authorV3n3RiX <venerix@koprulu.sector>2025-04-08 08:43:12 +0100
committerV3n3RiX <venerix@koprulu.sector>2025-04-08 08:43:12 +0100
commite81d2dd033df3a61b874a9a37f951ca05eead86f (patch)
tree82bfb1314b75b6c04de41a378a4838b7a18b0d68 /dev-qt/qtxml
parent288d9455931660abb6dfa534a78d45c7fb901477 (diff)
gentoo auto-resync : 08:04:2025 - 08:43:11
Diffstat (limited to 'dev-qt/qtxml')
-rw-r--r--dev-qt/qtxml/Manifest2
-rw-r--r--dev-qt/qtxml/files/qtxml-5.15.16-CVE-2025-30348.patch156
-rw-r--r--dev-qt/qtxml/qtxml-5.15.16-r1.ebuild31
3 files changed, 189 insertions, 0 deletions
diff --git a/dev-qt/qtxml/Manifest b/dev-qt/qtxml/Manifest
index e6e6c7631c16..5a5942212ed5 100644
--- a/dev-qt/qtxml/Manifest
+++ b/dev-qt/qtxml/Manifest
@@ -1,5 +1,7 @@
+AUX qtxml-5.15.16-CVE-2025-30348.patch 6107 BLAKE2B 8ab8bc0dfd9adacfec736259cf88519f12eb9dfae815838b4cf2e73e20854885f724081488194768a958d4646b6fdadf6cfa9fd28b652bfb5108af729a430043 SHA512 a351976aca39e5b52a2acad8c8a59df49584b73e3d591b18c68125f2bb96debfdbb5954502c59043be03f21e062fcb0956f84e6680ab0f8cfa1e2d967c428b6d
DIST qtbase-5.15-gentoo-patchset-6.tar.xz 8288 BLAKE2B ad9695a528345dd3b8e9ce72b7bdfe8f744f16685a567bbc7862ba6c28e5a426260cb0b73e2573cb3a6f16f1785786898ffb44c90f5d75354b97e5756c7573db SHA512 97bc4d5375e1750a5578439ff320ee2e5e929df1dafe56b4e86f2de8ad26c91dc4002e45ad75d9f936347d49b9f54c0c42f8fc2cb7dfd4f54bf08a210b3bc720
DIST qtbase-5.15.16-gentoo-kde-1.tar.xz 319504 BLAKE2B 52675483f6be19a3efbddbe68335ee575852859137c51ca9e7cc219740a3529d270cb2af085eee8de1964c2171eab4f0c64b79c03f1bac453a4829748aff528d SHA512 0a38ce02b563f79364f3559fda4d4e13092ee79b820fb780db10e40af3bac158ee139e1a216f4de3c986eacbd933965e7ed8c261de7a65d487981887aed840dd
DIST qtbase-everywhere-opensource-src-5.15.16.tar.xz 51392072 BLAKE2B f7f83f18f91200350eff4d2d8d56769b537540290434a1c434d7c891b0b533d5a77000b5a670228a947d74c21f131f207b31aeb96f1f2ec867bbf608202c99b0 SHA512 190581c7df9763c2550466f884784d6f38817a087ab44fe57b99c1d1ac2ea3bae94ced8a6d0873a7999e523d63831d135cd7407812c8814ac4ef957840b7058e
+EBUILD qtxml-5.15.16-r1.ebuild 577 BLAKE2B ec72b4f7286695b89dac79b40fa3a57733abeb8dceacec62c7f416c021387d14f4b936952bed4b6101c6944372a54ffef72c28213ca95983c27eb62d57d53b78 SHA512 ee473c62ad18931c65dbc891497a0dbc52c7ff859a5a1cef41a2f0188dd4e3bf51c6ec89ea8430a173685ec2af34b359c65e5824562977bf951a052d2e416eca
EBUILD qtxml-5.15.16.ebuild 518 BLAKE2B 2979e881a3265cafba7cdbdc45c580ef3042fc750a651c94c337e12bbbc7f0522af803e4a8809b384fbf95781c6eddf7c1386f7e92251551b10ac926dc2e75cd SHA512 cd27ee2daf078ff32b06800d4e723874f3828b1045e254e5db6e564a9c598a1613a5a88ea77b5129938862037a34cd4ed5925ac781016d3b90767004e6edb7e3
MISC metadata.xml 482 BLAKE2B 651a49dc4a07f5e5a9c21990868e666d98acdea7d7b0b2c0e4c98eafc3da72c803d380e4abda30f33250f7bbd7654df713833ccdddcb975cbad6f92e488f643b SHA512 192c670abd7da29645513bf1d9297d942efdc49f5cf170861e7689fda47f51daa47f10c7c81c3b045366e0259179c6839ff7747197c9d792e8d0fd1a5818973e
diff --git a/dev-qt/qtxml/files/qtxml-5.15.16-CVE-2025-30348.patch b/dev-qt/qtxml/files/qtxml-5.15.16-CVE-2025-30348.patch
new file mode 100644
index 000000000000..bbc001a77d40
--- /dev/null
+++ b/dev-qt/qtxml/files/qtxml-5.15.16-CVE-2025-30348.patch
@@ -0,0 +1,156 @@
+From 16918c1df3e709df2a97281e3825d94c84edb668 Mon Sep 17 00:00:00 2001
+From: Christian Ehrlicher <ch.ehrlicher@gmx.de>
+Date: Tue, 06 Aug 2024 22:39:44 +0200
+Subject: [PATCH] XML/QDom: speedup encodeText()
+
+The code copied the whole string, then replaced parts inline, at
+the cost of relocating everything beyond, at each replacement.
+Instead, copy character by character (in chunks where possible)
+and append replacements as we skip what they replace.
+
+Manual conflict resolution for 6.5:
+- This is a manual cherry-pick. The original change was only
+ picked to 6.8, but the quadratic behavior is present in Qt 5, too.
+- Changed Task-number to Fixes: because this is the real fix;
+ the QString change, 315210de916d060c044c01e53ff249d676122b1b,
+ was unrelated to the original QTBUG-127549.
+
+Manual conflcit resolution for 5.15:
+- Kept/re-added QTextCodec::canEncode() check
+- Ported from Qt 6 to 5, to wit:
+ - qsizetype -> int
+ - QStringView::first/sliced(n) -> left/mid(n)
+ (these functions are clearly called in-range, so the widened
+ contract of the Qt 5 functions doesn't matter)
+- Ported from C++17- and C++14-isms to C++11:
+ - replaced polymorphic lambda with a normal one (this requires
+ rewriting the !canEncode() branch to use QByteArray/QLatin1String
+ instead of QString)
+- As a drive-by, corrected the indentation of the case labels to
+ horizontally align existing code (and follow Qt style)
+
+Fixes: QTBUG-127549
+Change-Id: I368482859ed0c4127f1eec2919183711b5488ada
+Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
+(cherry picked from commit 2ce08e3671b8d18b0284447e5908ce15e6e8f80f)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+(cherry picked from commit 225e235cf966a44af23dbe9aaaa2fd20ab6430ee)
+Reviewed-by: Fabian Kosmale <fabian.kosmale@qt.io>
+(cherry picked from commit 905a5bd421efff6a1d90b6140500d134d32ca745)
+---
+
+diff --git a/src/xml/dom/qdom.cpp b/src/xml/dom/qdom.cpp
+index 872221c..bf70477 100644
+--- a/src/xml/dom/qdom.cpp
++++ b/src/xml/dom/qdom.cpp
+@@ -3676,59 +3676,67 @@
+ const QTextCodec *const codec = s.codec();
+ Q_ASSERT(codec);
+ #endif
+- QString retval(str);
+- int len = retval.length();
+- int i = 0;
++ QString retval;
++ int start = 0;
++ auto appendToOutput = [&](int cur, QLatin1String replacement)
++ {
++ if (start < cur) {
++ retval.reserve(str.size() + replacement.size());
++ retval.append(QStringView(str).left(cur).mid(start));
++ }
++ // Skip over str[cur], replaced by replacement
++ start = cur + 1;
++ retval.append(replacement);
++ };
+
+- while (i < len) {
+- const QChar ati(retval.at(i));
+-
+- if (ati == QLatin1Char('<')) {
+- retval.replace(i, 1, QLatin1String("&lt;"));
+- len += 3;
+- i += 4;
+- } else if (encodeQuotes && (ati == QLatin1Char('"'))) {
+- retval.replace(i, 1, QLatin1String("&quot;"));
+- len += 5;
+- i += 6;
+- } else if (ati == QLatin1Char('&')) {
+- retval.replace(i, 1, QLatin1String("&amp;"));
+- len += 4;
+- i += 5;
+- } else if (ati == QLatin1Char('>') && i >= 2 && retval[i - 1] == QLatin1Char(']') && retval[i - 2] == QLatin1Char(']')) {
+- retval.replace(i, 1, QLatin1String("&gt;"));
+- len += 3;
+- i += 4;
+- } else if (performAVN &&
+- (ati == QChar(0xA) ||
+- ati == QChar(0xD) ||
+- ati == QChar(0x9))) {
+- const QString replacement(QLatin1String("&#x") + QString::number(ati.unicode(), 16) + QLatin1Char(';'));
+- retval.replace(i, 1, replacement);
+- i += replacement.length();
+- len += replacement.length() - 1;
+- } else if (encodeEOLs && ati == QChar(0xD)) {
+- retval.replace(i, 1, QLatin1String("&#xd;")); // Replace a single 0xD with a ref for 0xD
+- len += 4;
+- i += 5;
+- } else {
++ const int len = str.size();
++ for (int cur = 0; cur < len; ++cur) {
++ switch (const char16_t ati = str[cur].unicode()) {
++ case u'<':
++ appendToOutput(cur, QLatin1String("&lt;"));
++ break;
++ case u'"':
++ if (encodeQuotes)
++ appendToOutput(cur, QLatin1String("&quot;"));
++ break;
++ case u'&':
++ appendToOutput(cur, QLatin1String("&amp;"));
++ break;
++ case u'>':
++ if (cur >= 2 && str[cur - 1] == u']' && str[cur - 2] == u']')
++ appendToOutput(cur, QLatin1String("&gt;"));
++ break;
++ case u'\r':
++ if (performAVN || encodeEOLs)
++ appendToOutput(cur, QLatin1String("&#xd;")); // \r == 0x0d
++ break;
++ case u'\n':
++ if (performAVN)
++ appendToOutput(cur, QLatin1String("&#xa;")); // \n == 0x0a
++ break;
++ case u'\t':
++ if (performAVN)
++ appendToOutput(cur, QLatin1String("&#x9;")); // \t == 0x09
++ break;
++ default:
+ #if QT_CONFIG(textcodec)
+ if(codec->canEncode(ati))
+- ++i;
++ ; // continue
+ else
+ #endif
+ {
+ // We have to use a character reference to get it through.
+- const ushort codepoint(ati.unicode());
+- const QString replacement(QLatin1String("&#x") + QString::number(codepoint, 16) + QLatin1Char(';'));
+- retval.replace(i, 1, replacement);
+- i += replacement.length();
+- len += replacement.length() - 1;
++ const QByteArray replacement = "&#x" + QByteArray::number(uint{ati}, 16) + ';';
++ appendToOutput(cur, QLatin1String{replacement});
+ }
++ break;
+ }
+ }
+-
+- return retval;
++ if (start > 0) {
++ retval.append(QStringView(str).left(len).mid(start));
++ return retval;
++ }
++ return str;
+ }
+
+ void QDomAttrPrivate::save(QTextStream& s, int, int) const
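Review bot: In the `default:` branch the codec check is written as `if(codec->canEncode(ati)) ; // continue` followed by an `else` that sits inside the `#if QT_CONFIG(textcodec)` guard; an empty-statement `if` split across a preprocessor block is easy to misread and can trip empty-body warnings. Inverting the test keeps the same control flow in both configurations: put `if (!codec->canEncode(ati))` between `#if QT_CONFIG(textcodec)` and `#endif`, directly above the `{` block. Separately, `retval.reserve(str.size() + replacement.size())` is only a lower bound and runs only when `start < cur`, so the linear-time behaviour this backport is after presumably rests on the growth policy of `append()`; a one-line comment such as `// lower bound only; further growth is left to append()` would say so. The function's signature and codec setup begin before this hunk, and no test exercising encodeText() on a long, escape-heavy string is visible in the patch.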
diff --git a/dev-qt/qtxml/qtxml-5.15.16-r1.ebuild b/dev-qt/qtxml/qtxml-5.15.16-r1.ebuild
new file mode 100644
index 000000000000..d94919409abc
--- /dev/null
+++ b/dev-qt/qtxml/qtxml-5.15.16-r1.ebuild
@@ -0,0 +1,31 @@
+# Copyright 1999-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+if [[ ${PV} != *9999* ]]; then
+ QT5_KDEPATCHSET_REV=1
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~x86"
+fi
+
+QT5_MODULE="qtbase"
+inherit qt5-build
+
+DESCRIPTION="Implementation of SAX and DOM for the Qt5 framework"
+
+IUSE=""
+
+RDEPEND="=dev-qt/qtcore-${QT5_PV}*:5="
+DEPEND="${RDEPEND}
+ test? ( =dev-qt/qtnetwork-${QT5_PV}* )
+"
+
+QT5_TARGET_SUBDIRS=(
+ src/xml
+)
+
+QT5_GENTOO_PRIVATE_CONFIG=(
+ :xml
+)
+
+PATCHES=( "${FILESDIR}/${P}-CVE-2025-30348.patch" )
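Review bot: The `PATCHES` line at the end of the ebuild has no comment saying why the patch is applied; a line such as `# CVE-2025-30348: quadratic QDom encodeText(), upstream QTBUG-127549` above it keeps the reason visible when the file is copied forward to a later revision. `KEYWORDS` lists only `~arch` entries, so systems that accept only stable keywords would presumably stay on `qtxml-5.15.16`, which the Manifest hunk still lists, until this revision is stabilised.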