• Bug#1109508: unblock: qt6-base/6.8.2+dfsg-9

    From Patrick Franz@21:1/5 to All on Sat Jul 19 11:50:02 2025
    XPost: linux.debian.devel.release

    This is a multi-part MIME message sent by reportbug.


    Package: release.debian.org
    Severity: normal
    X-Debbugs-Cc: [email protected], [email protected]
    Control: affects -1 + src:qt6-base
    User: [email protected]
    Usertags: unblock

    Dear Release Team,

    please unblock package qt6-base.

    [ Reason ]
    This patch fixes CVE-2025-5992.
    Technically, it's 2 patches. The first one is not needed to fix the CVE itself, but without it, the patch for fixing the CVE cannot be applied and would have to be rewritten. As a small bonus, the first patch also fixes a bug by correctly applying a formula.

    [ Impact ]
    Specifically crafted ICC profiles can cause a denial of service.

    [ Tests ]
    Both patches are taken directly from upstream where they have been part of
    Qt's LTS branch. There they have gone through their usual upstream QA.
    No specific tests in Debian have been done.

    [ Risks ]
    I deem the risks for these 2 patches to be low. They are fairly simple,
    have been taken directly from upstream's LTS branch and gone through
    their usual QA.

    [ Checklist ]
    [x] all changes are documented in the d/changelog
    [x] I reviewed all changes and I approve them
    [x] attach debdiff against the package in testing

    unblock qt6-base/6.8.2+dfsg-9

    diff -Nru qt6-base-6.8.2+dfsg/debian/changelog qt6-base-6.8.2+dfsg/debian/changelog
    --- qt6-base-6.8.2+dfsg/debian/changelog 2025-06-29 23:52:49.000000000 +0200
    +++ qt6-base-6.8.2+dfsg/debian/changelog 2025-07-18 15:28:20.000000000 +0200
    @@ -1,3 +1,12 @@
    +qt6-base (6.8.2+dfsg-9) unstable; urgency=medium
    +
    + [ Patrick Franz ]
    + * Backport patch to fix the PQ EOTF formula for BT.2100. This patch is
    + needed to make the patch for CVE-2025-5992 applicable.
    + * Backport patch to fix CVE-2025-5992 (Closes: #1109299).
    +
    + -- Patrick Franz <[email protected]> Fri, 18 Jul 2025 15:28:20 +0200
    +
    qt6-base (6.8.2+dfsg-8) unstable; urgency=medium

    [ Patrick Franz ]
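    Review bot: the entry "Backport patch to fix CVE-2025-5992 (Closes: #1109299)" gives no hint of what the CVE is, while the request body above states it plainly (denial of service via specially crafted ICC profiles). A short parenthetical such as "(denial of service via crafted ICC profiles)" would make the changelog self-explaining for anyone reading it from the security tracker, and naming the upstream branch the two backports were taken from (the request says Qt's LTS branch) would help whoever has to trace them later.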
    diff -Nru qt6-base-6.8.2+dfsg/debian/patches/series qt6-base-6.8.2+dfsg/debian/patches/series
    --- qt6-base-6.8.2+dfsg/debian/patches/series 2025-06-29 23:47:49.000000000 +0200
    +++ qt6-base-6.8.2+dfsg/debian/patches/series 2025-07-18 15:26:54.000000000 +0200
    @@ -1,3 +1,7 @@
    +# fixed in 6.8.4/6.9.2
    +upstream_QColorTransferGeneric_fix_BT2100PQEOTF.patch +upstream_cve-2025-5992_input_range_qcolortransformation.diff
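    Review bot: the debdiff as attached stops at debian/patches/series; the contents of upstream_QColorTransferGeneric_fix_BT2100PQEOTF.patch and upstream_cve-2025-5992_input_range_qcolortransformation.diff are not included, so the actual input-range change cannot be reviewed from this message. Please attach the complete debdiff including the two patch files, and consider recording the upstream commit references next to the "# fixed in 6.8.4/6.9.2" comment so the origin of each backport is traceable from the series file itself.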