author | V3n3RiX <venerix@koprulu.sector> | 2025-01-23 06:45:02 +0000 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2025-01-23 06:45:02 +0000 |
commit | c78477d222e1ceb9516a9bbbadbba0b5c1ce11db (patch) | |
tree | 5187cbad4740387edb2c1cca0942036a0fdccd88 /dev-qt | |
parent | 564687d289b862b8b079569a45a2d39d7b8c3585 (diff) |
gentoo auto-resync : 23:01:2025 - 06:45:02
Diffstat (limited to 'dev-qt')
-rw-r--r-- | dev-qt/Manifest.gz | bin | 11898 -> 11889 bytes | |||
-rw-r--r-- | dev-qt/qtconnectivity/Manifest | 2 | ||||
-rw-r--r-- | dev-qt/qtconnectivity/files/qtconnectivity-6.8.1-CVE-2025-23050.patch | 210 | ||||
-rw-r--r-- | dev-qt/qtconnectivity/qtconnectivity-6.8.1-r1.ebuild | 89 |
4 files changed, 301 insertions, 0 deletions
diff --git a/dev-qt/Manifest.gz b/dev-qt/Manifest.gz
Binary files differ
index a42ba3ab15fc..023281031570 100644
--- a/dev-qt/Manifest.gz
+++ b/dev-qt/Manifest.gz
diff --git a/dev-qt/qtconnectivity/Manifest b/dev-qt/qtconnectivity/Manifest
index 5e21d4f92671..5540bf72ce19 100644
--- a/dev-qt/qtconnectivity/Manifest
+++ b/dev-qt/qtconnectivity/Manifest
@@ -1,4 +1,6 @@
+AUX qtconnectivity-6.8.1-CVE-2025-23050.patch 7780 BLAKE2B edda2d15f8f22ccc590a0fabfa75925be68dcbbc664dabb95780f508ed08e241cc59b4cb2e762e90a6ad3568cc9de1036d3cc98ef9e17e90e463dc7eb4fbca87 SHA512 34b2ff2cf0189d140c576546629e83ac08ffcc3b5aa729fe7d224f2554f5f8e48d03dbe4d136cce3b933495774ee83650f6cdd03fc01de7a3d0c5f567e64e380
 DIST qtconnectivity-everywhere-src-6.8.1.tar.xz 1067952 BLAKE2B d0c1dbc863dbd12041321248f9256d63f03ecf919ac7c60f3e3e87dd4102fa9063dbb3b0896e3f168713e4dd7eccf2deb62109bea39ba8425184aaf9c019dee1 SHA512 61933f37210323cd912ec677322002557dae308228e390f692beb88374f328b2791e3448b14256a570de741ef6f3e935261ab90cfd3ae22725a8919bd304a8fb
+EBUILD qtconnectivity-6.8.1-r1.ebuild 1954 BLAKE2B 487882763965557fedf6500ff6acf58112c2fdfcd2520362cb72ecdf623269ff7d3ad0b59a6daa8ff82209f1a68c196b6219020dd55187ab46cf463758b1e51e SHA512 4c32f899386b3cbec5ac8eb5f576599a5a3e2d79bfc56f0b35c124d9513c47a722ad4f3682923bf1ac4327f11a80660f53995044be50dd73e11aed4cbb18ac6b
 EBUILD qtconnectivity-6.8.1.ebuild 1894 BLAKE2B 995bad45d193ab840b660e2f0544a00850ae3b1b414ba1f8283c82d97f6232dca22d9c1ca48a2be6428cac91b7ade69479f2cfb527c4f228c55e205b63d96eea SHA512 298bafe9a334b5a5d53afe831af35286e834f01afb199baa32ff540f5ff5f51594744757c7d7a75a8fb7ded80d522ed51703e0909c3bb17ace711849a0f804de
 EBUILD qtconnectivity-6.8.9999.ebuild 1900 BLAKE2B 793c75a1ad6163c68f41ac12cc4878a490126ac48197de40fb644df49e95299af53f32cd8a734dc2873f2d21528c787c92352db01ea5395ba646312976b517c4 SHA512 8ce94f9e5d17a0a5052e8c7fa84aba0924a275184e6c3630f1a48d13c44abf1980664eafed9e2718ab6553ad110b84ab5ced95a8ef21532fd34d3e3fcebf01fd
 EBUILD qtconnectivity-6.9.9999.ebuild 1900 BLAKE2B 793c75a1ad6163c68f41ac12cc4878a490126ac48197de40fb644df49e95299af53f32cd8a734dc2873f2d21528c787c92352db01ea5395ba646312976b517c4 SHA512 8ce94f9e5d17a0a5052e8c7fa84aba0924a275184e6c3630f1a48d13c44abf1980664eafed9e2718ab6553ad110b84ab5ced95a8ef21532fd34d3e3fcebf01fd
diff --git a/dev-qt/qtconnectivity/files/qtconnectivity-6.8.1-CVE-2025-23050.patch b/dev-qt/qtconnectivity/files/qtconnectivity-6.8.1-CVE-2025-23050.patch
new file mode 100644
index 000000000000..832807a9bb80
--- /dev/null
+++ b/dev-qt/qtconnectivity/files/qtconnectivity-6.8.1-CVE-2025-23050.patch
@@ -0,0 +1,210 @@ +https://bugs.gentoo.org/948573 +https://www.qt.io/blog/security-advisory-qlowenergycontroller-on-linux +https://codereview.qt-project.org/c/qt/qtconnectivity/+/617004 +From: Ivan Solovev <ivan.solovev@qt.io> +Date: Thu, 02 Jan 2025 16:48:49 +0100 +Subject: [PATCH] QLowEnergyControllerPrivateBluez: guard against malformed replies + +The QLowEnergyControllerPrivateBluez::l2cpReadyRead() slot reads the +data from a Bluetooth L2CAP socket and then tries to process it +according to ATT protocol specs. + +However, the code was missing length and sanity checks at some +codepaths in processUnsolicitedReply() and processReply() helper +methods, simply relying on the data to be in the proper format. + +This patch adds some minimal checks to make sure that we do not read +past the end of the received array and do not divide by zero. + +This problem was originally pointed out by Marc Mutz in an unrelated +patch. +--- a/src/bluetooth/qlowenergycontroller_bluez.cpp ++++ b/src/bluetooth/qlowenergycontroller_bluez.cpp +@@ -64,14 +64,15 @@ + + const int maxPrepareQueueSize = 1024; + +-static void dumpErrorInformation(const QByteArray &response) ++/* returns false if the format is incorrect */ ++static bool dumpErrorInformation(const QByteArray &response) + { + const char *data = response.constData(); + if (response.size() != 5 + || (static_cast<QBluezConst::AttCommand>(data[0]) + != QBluezConst::AttCommand::ATT_OP_ERROR_RESPONSE)) { + qCWarning(QT_BT_BLUEZ) << QLatin1String("Not a valid error response"); +- return; ++ return false; + } + + QBluezConst::AttCommand lastCommand = static_cast<QBluezConst::AttCommand>(data[1]); +@@ -126,6 +127,8 @@ + + qCDebug(QT_BT_BLUEZ) << "Error:" << errorCode << "Error description:" << errorString + << "last command:" << lastCommand << "handle:" << handle; ++ ++ return true; + } + + static int getUuidSize(const QBluetoothUuid &uuid) +@@ -903,6 +906,7 @@ + { + Q_ASSERT(charData); + Q_ASSERT(data); ++ Q_ASSERT(elementLength >= 5); 
+ + QLowEnergyHandle attributeHandle = bt_get_le16(&data[0]); + charData->properties = +@@ -912,7 +916,7 @@ + // Bluetooth LE data comes as little endian + if (elementLength == 7) // 16 bit uuid + charData->uuid = QBluetoothUuid(bt_get_le16(&data[5])); +- else ++ else if (elementLength == 21) // 128 bit uuid + charData->uuid = QUuid::fromBytes(&data[5], QSysInfo::LittleEndian); + + qCDebug(QT_BT_BLUEZ) << "Found handle:" << Qt::hex << attributeHandle +@@ -929,6 +933,7 @@ + { + Q_ASSERT(foundServices); + Q_ASSERT(data); ++ Q_ASSERT(elementLength >= 6); + + QLowEnergyHandle attributeHandle = bt_get_le16(&data[0]); + +@@ -938,9 +943,14 @@ + // data[2] -> included service start handle + // data[4] -> included service end handle + ++ // TODO: Spec v. 5.3, Vol. 3, Part G, 4.5.1 mentions that only ++ // 16-bit UUID can be returned here. If the UUID is 128-bit, ++ // then it is omitted from the response, and should be requested ++ // separately with the ATT_READ_REQ command. ++ + if (elementLength == 8) //16 bit uuid + foundServices->append(QBluetoothUuid(bt_get_le16(&data[6]))); +- else ++ else if (elementLength == 22) // 128 bit uuid + foundServices->append(QUuid::fromBytes(&data[6], QSysInfo::LittleEndian)); + + qCDebug(QT_BT_BLUEZ) << "Found included service: " << Qt::hex +@@ -949,17 +959,29 @@ + return attributeHandle; + } + ++Q_DECL_COLD_FUNCTION ++static void reportMalformedData(QBluezConst::AttCommand cmd, const QByteArray &response) ++{ ++ qCDebug(QT_BT_BLUEZ, "%s malformed data: %s", qt_getEnumName(cmd), ++ response.toHex().constData()); ++} ++ + void QLowEnergyControllerPrivateBluez::processReply( + const Request &request, const QByteArray &response) + { + Q_Q(QLowEnergyController); + ++ // We already have an isEmpty() check at the only calling site that reads ++ // incoming data, so Q_ASSERT is enough. 
++ Q_ASSERT(!response.isEmpty()); ++ + QBluezConst::AttCommand command = static_cast<QBluezConst::AttCommand>(response.constData()[0]); + + bool isErrorResponse = false; + // if error occurred 2. byte is previous request type + if (command == QBluezConst::AttCommand::ATT_OP_ERROR_RESPONSE) { +- dumpErrorInformation(response); ++ if (!dumpErrorInformation(response)) ++ return; + command = static_cast<QBluezConst::AttCommand>(response.constData()[1]); + isErrorResponse = true; + } +@@ -972,6 +994,10 @@ + if (isErrorResponse) { + mtuSize = ATT_DEFAULT_LE_MTU; + } else { ++ if (response.size() < 3) { ++ reportMalformedData(command, response); ++ break; ++ } + const char *data = response.constData(); + quint16 mtu = bt_get_le16(&data[1]); + mtuSize = mtu; +@@ -1000,8 +1026,15 @@ + break; + } + ++ // response[1] == elementLength. According to the spec it should be ++ // at least 4 bytes. See Spec v5.3, Vol 3, Part F, 3.4.4.10 ++ if (response.size() < 2 || response[1] < 4) { ++ reportMalformedData(command, response); ++ break; ++ } ++ + QLowEnergyHandle start = 0, end = 0; +- const quint16 elementLength = response.constData()[1]; ++ const quint16 elementLength = response.constData()[1]; // value checked above + const quint16 numElements = (response.size() - 2) / elementLength; + quint16 offset = 2; + const char *data = response.constData(); +@@ -1077,16 +1110,25 @@ + } + + /* packet format: +- * if GATT_CHARACTERISTIC discovery ++ * if GATT_CHARACTERISTIC discovery (Spec 5.3, Vol. 3, Part G, 4.6) + * <opcode><elementLength> + * [<handle><property><charHandle><uuid>]+ ++ * The minimum elementLength is 7 bytes (uuid is always included) + * +- * if GATT_INCLUDE discovery ++ * if GATT_INCLUDE discovery (Spec 5.3, Vol. 3, Part G, 4.5.1) + * <opcode><elementLength> + * [<handle><startHandle_included><endHandle_included><uuid>]+ ++ * The minimum elementLength is 6 bytes (uuid can be omitted). + * + * The uuid can be 16 or 128 bit. 
+ */ ++ ++ const quint8 minimumElementLength = attributeType == GATT_CHARACTERISTIC ? 7 : 6; ++ if (response.size() < 2 || response[1] < minimumElementLength) { ++ reportMalformedData(command, response); ++ break; ++ } ++ + QLowEnergyHandle lastHandle; + const quint16 elementLength = response.constData()[1]; + const quint16 numElements = (response.size() - 2) / elementLength; +@@ -1283,6 +1325,12 @@ + break; + } + ++ // Spec 5.3, Vol. 3, Part F, 3.4.3.2 ++ if (response.size() < 6) { ++ reportMalformedData(command, response); ++ break; ++ } ++ + const quint8 format = response[1]; + quint16 elementLength; + switch (format) { +@@ -1720,9 +1768,18 @@ + + void QLowEnergyControllerPrivateBluez::processUnsolicitedReply(const QByteArray &payload) + { ++ Q_ASSERT(!payload.isEmpty()); ++ + const char *data = payload.constData(); +- bool isNotification = (static_cast<QBluezConst::AttCommand>(data[0]) ++ const auto command = static_cast<QBluezConst::AttCommand>(data[0]); ++ bool isNotification = (command + == QBluezConst::AttCommand::ATT_OP_HANDLE_VAL_NOTIFICATION); ++ ++ if (payload.size() < 3) { ++ reportMalformedData(command, payload); ++ return; ++ } ++ + const QLowEnergyHandle changedHandle = bt_get_le16(&data[1]); + + if (QT_BT_BLUEZ().isDebugEnabled()) { diff --git a/dev-qt/qtconnectivity/qtconnectivity-6.8.1-r1.ebuild b/dev-qt/qtconnectivity/qtconnectivity-6.8.1-r1.ebuild new file mode 100644 index 000000000000..c0d52a25dace --- /dev/null +++ b/dev-qt/qtconnectivity/qtconnectivity-6.8.1-r1.ebuild 
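Review bot: The new length guards `response[1] < 4` and `response[1] < minimumElementLength` compare a `char`, so whether an element-length byte of 0x80 or above counts as malformed depends on the target's char signedness — rejected where `char` is signed, accepted on unsigned-char targets such as AArch64 Linux, where much of this BlueZ-backed code actually runs; the ATT length field is an unsigned octet, so read it once as `const quint8 elementLength = quint8(response.constData()[1]);` and compare that against the minimum. The following `numElements = (response.size() - 2) / elementLength` keeps the element loops in bounds either way, so this is a consistency point rather than an over-read, but two platforms should not disagree on what is malformed. Separately, `reportMalformedData` logs at `qCDebug` while the pre-existing "Not a valid error response" path in `dumpErrorInformation` uses `qCWarning`; a malformed ATT PDU from a peer is exactly what an operator wants surfaced, so `qCWarning(QT_BT_BLUEZ, ...)` would be the consistent level. Note also that the new early `return` after a failed `dumpErrorInformation` leaves `request` unanswered — whether that stalls the request queue depends on the caller, which is not in this hunk. The bodies of `processReply` and `processUnsolicitedReply` begin and end outside the inner hunks shown here.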
@@ -0,0 +1,89 @@
+# Copyright 2023-2025 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit qt6-build
+
+DESCRIPTION="Bluetooth and NFC support library for the Qt6 framework"
+
+if [[ ${QT6_BUILD_TYPE} == release ]]; then
+ KEYWORDS="~amd64 ~arm ~arm64 ~loong ~ppc ~ppc64 ~riscv ~x86"
+fi
+
+IUSE="+bluetooth neard nfc smartcard"
+REQUIRED_USE="
+ || ( bluetooth nfc )
+ nfc? ( ?? ( neard smartcard ) )
+"
+
+DEPEND="
+ ~dev-qt/qtbase-${PV}:6[network]
+ bluetooth? (
+ ~dev-qt/qtbase-${PV}:6[dbus]
+ net-wireless/bluez:=
+ )
+ nfc? (
+ neard? ( ~dev-qt/qtbase-${PV}:6[dbus] )
+ smartcard? ( sys-apps/pcsc-lite )
+ )
+"
+RDEPEND="
+ ${DEPEND}
+ nfc? (
+ neard? ( net-wireless/neard )
+ )
+"
+
+PATCHES=(
+ "${FILESDIR}"/${P}-CVE-2025-23050.patch
+)
+
+CMAKE_SKIP_TESTS=(
+ # most hardware tests are auto-skipped, but some still misbehave
+ # if bluez/hardware is available (generally tests here may not be
+ # very relevant without hardware, lists may need to be extended)
+ tst_qbluetoothdevicediscoveryagent #936485
+ tst_qbluetoothlocaldevice
+ tst_qbluetoothserver
+ tst_qbluetoothservicediscoveryagent
+ tst_qbluetoothserviceinfo
+ tst_qlowenergycontroller
+)
+
+src_prepare() {
+ qt6-build_src_prepare
+
+ use bluetooth ||
+ sed -i '/add_subdirectory(bluetooth)/d' src/CMakeLists.txt || die
+ use nfc ||
+ sed -i '/add_subdirectory(nfc)/d' src/CMakeLists.txt || die
+}
+
+src_configure() {
+ local mycmakeargs=(
+ $(usev nfc "
+ $(qt_feature neard)
+ $(qt_feature smartcard pcsclite)
+ ")
+ )
+
+ qt6-build_src_configure
+}
+
+src_install() {
+ qt6-build_src_install
+
+ # broken (unnecessary) symlink due to add_app() being used over add_tool()
+ use !bluetooth || rm -- "${ED}"/usr/bin/sdpscanner6 || die
+
+ if use test; then
+ local delete=( # sigh
+ "${D}${QT6_BINDIR}"/bluetoothtestdevice
+ "${D}${QT6_BINDIR}"/bttestui
+ "${D}${QT6_BINDIR}"/qlecontroller-server
+ )
+ # using -f given not tracking which tests may be skipped or not
rm -f -- "${delete[@]}" || die + fi +} |