diff --git a/depends/packages/qt.mk b/depends/packages/qt.mk index e34945c49b59..6c8eb44984f2 100644 --- a/depends/packages/qt.mk +++ b/depends/packages/qt.mk @@ -1,9 +1,9 @@ package=qt -$(package)_version=5.15.16 +$(package)_version=5.15.18 $(package)_download_path=https://download.qt.io/archive/qt/5.15/$($(package)_version)/submodules $(package)_suffix=everywhere-opensource-src-$($(package)_version).tar.xz $(package)_file_name=qtbase-$($(package)_suffix) -$(package)_sha256_hash=b04815058c18058b6ba837206756a2c87d1391f07a0dcb0dd314f970fd041592 +$(package)_sha256_hash=7b632550ea1048fc10c741e46e2e3b093e5ca94dfa6209e9e0848800e247023b $(package)_linux_dependencies=freetype fontconfig libxcb libxkbcommon libxcb_util libxcb_util_render libxcb_util_keysyms libxcb_util_image libxcb_util_wm $(package)_qt_libs=corelib network widgets gui plugins testlib $(package)_linguist_tools = lrelease lupdate lconvert @@ -20,16 +20,18 @@ $(package)_patches += rcc_hardcode_timestamp.patch $(package)_patches += duplicate_lcqpafonts.patch $(package)_patches += guix_cross_lib_path.patch $(package)_patches += memory_resource.patch -$(package)_patches += clang_18_libpng.patch $(package)_patches += utc_from_string_no_optimize.patch $(package)_patches += windows_lto.patch $(package)_patches += darwin_no_libm.patch +$(package)_patches += CVE-2025-4211-qtbase-5.15.patch +$(package)_patches += CVE-2025-5455-qtbase-5.15.patch +$(package)_patches += CVE-2025-30348-qtbase-5.15.patch $(package)_qttranslations_file_name=qttranslations-$($(package)_suffix) -$(package)_qttranslations_sha256_hash=415dbbb82a75dfc9a7be969e743bee54c0e6867be37bce4cf8f03da39f20112a +$(package)_qttranslations_sha256_hash=e5625757913caf66a9d702ba102ae92cb165d8dde17759b6de9fdea84a1f857f $(package)_qttools_file_name=qttools-$($(package)_suffix) -$(package)_qttools_sha256_hash=1cab11887faca54af59f4995ee435c9ad98d194e9e6889c846692c8b6815fc1c +$(package)_qttools_sha256_hash=931e0969d9f9d8f233e5e9bf9db0cea9ce9914d49982f1795fe6191010113568 $(package)_extra_sources = $($(package)_qttranslations_file_name) $(package)_extra_sources += $($(package)_qttools_file_name) @@ -247,13 +249,15 @@ define $(package)_preprocess_cmds patch -p1 -i $($(package)_patch_dir)/qtbase-moc-ignore-gcc-macro.patch && \ patch -p1 -i $($(package)_patch_dir)/memory_resource.patch && \ patch -p1 -i $($(package)_patch_dir)/no_warnings_for_symbols.patch && \ - patch -p1 -i $($(package)_patch_dir)/clang_18_libpng.patch && \ patch -p1 -i $($(package)_patch_dir)/rcc_hardcode_timestamp.patch && \ patch -p1 -i $($(package)_patch_dir)/duplicate_lcqpafonts.patch && \ patch -p1 -i $($(package)_patch_dir)/utc_from_string_no_optimize.patch && \ patch -p1 -i $($(package)_patch_dir)/guix_cross_lib_path.patch && \ patch -p1 -i $($(package)_patch_dir)/windows_lto.patch && \ patch -p1 -i $($(package)_patch_dir)/darwin_no_libm.patch && \ + patch -p1 -i $($(package)_patch_dir)/CVE-2025-4211-qtbase-5.15.patch && \ + patch -p1 -i $($(package)_patch_dir)/CVE-2025-5455-qtbase-5.15.patch && \ + patch -p1 -i $($(package)_patch_dir)/CVE-2025-30348-qtbase-5.15.patch && \ mkdir -p qtbase/mkspecs/macx-clang-linux &&\ cp -f qtbase/mkspecs/macx-clang/qplatformdefs.h qtbase/mkspecs/macx-clang-linux/ &&\ cp -f $($(package)_patch_dir)/mac-qmake.conf qtbase/mkspecs/macx-clang-linux/qmake.conf && \ diff --git a/depends/patches/qt/CVE-2025-30348-qtbase-5.15.patch b/depends/patches/qt/CVE-2025-30348-qtbase-5.15.patch new file mode 100644 index 000000000000..b13574f3ba27 --- /dev/null +++ b/depends/patches/qt/CVE-2025-30348-qtbase-5.15.patch @@ -0,0 +1,156 @@ +From 16918c1df3e709df2a97281e3825d94c84edb668 Mon Sep 17 00:00:00 2001 +From: Christian Ehrlicher +Date: Tue, 06 Aug 2024 22:39:44 +0200 +Subject: [PATCH] XML/QDom: speedup encodeText() + +The code copied the whole string, then replaced parts inline, at +the cost of relocating everything beyond, at each replacement. +Instead, copy character by character (in chunks where possible) +and append replacements as we skip what they replace. + +Manual conflict resolution for 6.5: +- This is a manual cherry-pick. The original change was only + picked to 6.8, but the quadratic behavior is present in Qt 5, too. +- Changed Task-number to Fixes: because this is the real fix; + the QString change, 315210de916d060c044c01e53ff249d676122b1b, + was unrelated to the original QTBUG-127549. + +Manual conflcit resolution for 5.15: +- Kept/re-added QTextCodec::canEncode() check +- Ported from Qt 6 to 5, to wit: + - qsizetype -> int + - QStringView::first/sliced(n) -> left/mid(n) + (these functions are clearly called in-range, so the widened + contract of the Qt 5 functions doesn't matter) +- Ported from C++17- and C++14-isms to C++11: + - replaced polymorphic lambda with a normal one (this requires + rewriting the !canEncode() branch to use QByteArray/QLatin1String + instead of QString) +- As a drive-by, corrected the indentation of the case labels to + horizontally align existing code (and follow Qt style) + +Fixes: QTBUG-127549 +Change-Id: I368482859ed0c4127f1eec2919183711b5488ada +Reviewed-by: Edward Welbourne +(cherry picked from commit 2ce08e3671b8d18b0284447e5908ce15e6e8f80f) +Reviewed-by: Qt Cherry-pick Bot +(cherry picked from commit 225e235cf966a44af23dbe9aaaa2fd20ab6430ee) +Reviewed-by: Fabian Kosmale +(cherry picked from commit 905a5bd421efff6a1d90b6140500d134d32ca745) +--- + +diff --git a/qtbase/src/xml/dom/qdom.cpp b/qtbase/src/xml/dom/qdom.cpp +index 872221c..bf70477 100644 +--- a/qtbase/src/xml/dom/qdom.cpp ++++ b/qtbase/src/xml/dom/qdom.cpp +@@ -3676,59 +3676,67 @@ + const QTextCodec *const codec = s.codec(); + Q_ASSERT(codec); + #endif +- QString retval(str); +- int len = retval.length(); +- int i = 0; ++ QString retval; ++ int start = 0; ++ auto appendToOutput = [&](int cur, QLatin1String replacement) ++ { ++ if (start < cur) { ++ retval.reserve(str.size() + replacement.size()); ++ retval.append(QStringView(str).left(cur).mid(start)); ++ } ++ // Skip over str[cur], replaced by replacement ++ start = cur + 1; ++ retval.append(replacement); ++ }; + +- while (i < len) { +- const QChar ati(retval.at(i)); +- +- if (ati == QLatin1Char('<')) { +- retval.replace(i, 1, QLatin1String("<")); +- len += 3; +- i += 4; +- } else if (encodeQuotes && (ati == QLatin1Char('"'))) { +- retval.replace(i, 1, QLatin1String(""")); +- len += 5; +- i += 6; +- } else if (ati == QLatin1Char('&')) { +- retval.replace(i, 1, QLatin1String("&")); +- len += 4; +- i += 5; +- } else if (ati == QLatin1Char('>') && i >= 2 && retval[i - 1] == QLatin1Char(']') && retval[i - 2] == QLatin1Char(']')) { +- retval.replace(i, 1, QLatin1String(">")); +- len += 3; +- i += 4; +- } else if (performAVN && +- (ati == QChar(0xA) || +- ati == QChar(0xD) || +- ati == QChar(0x9))) { +- const QString replacement(QLatin1String("&#x") + QString::number(ati.unicode(), 16) + QLatin1Char(';')); +- retval.replace(i, 1, replacement); +- i += replacement.length(); +- len += replacement.length() - 1; +- } else if (encodeEOLs && ati == QChar(0xD)) { +- retval.replace(i, 1, QLatin1String(" ")); // Replace a single 0xD with a ref for 0xD +- len += 4; +- i += 5; +- } else { ++ const int len = str.size(); ++ for (int cur = 0; cur < len; ++cur) { ++ switch (const char16_t ati = str[cur].unicode()) { ++ case u'<': ++ appendToOutput(cur, QLatin1String("<")); ++ break; ++ case u'"': ++ if (encodeQuotes) ++ appendToOutput(cur, QLatin1String(""")); ++ break; ++ case u'&': ++ appendToOutput(cur, QLatin1String("&")); ++ break; ++ case u'>': ++ if (cur >= 2 && str[cur - 1] == u']' && str[cur - 2] == u']') ++ appendToOutput(cur, QLatin1String(">")); ++ break; ++ case u'\r': ++ if (performAVN || encodeEOLs) ++ appendToOutput(cur, QLatin1String(" ")); // \r == 0x0d ++ break; ++ case u'\n': ++ if (performAVN) ++ appendToOutput(cur, QLatin1String(" ")); // \n == 0x0a ++ break; ++ case u'\t': ++ if (performAVN) ++ appendToOutput(cur, QLatin1String(" ")); // \t == 0x09 ++ break; ++ default: + #if QT_CONFIG(textcodec) + if(codec->canEncode(ati)) +- ++i; ++ ; // continue + else + #endif + { + // We have to use a character reference to get it through. +- const ushort codepoint(ati.unicode()); +- const QString replacement(QLatin1String("&#x") + QString::number(codepoint, 16) + QLatin1Char(';')); +- retval.replace(i, 1, replacement); +- i += replacement.length(); +- len += replacement.length() - 1; ++ const QByteArray replacement = "&#x" + QByteArray::number(uint{ati}, 16) + ';'; ++ appendToOutput(cur, QLatin1String{replacement}); + } ++ break; + } + } +- +- return retval; ++ if (start > 0) { ++ retval.append(QStringView(str).left(len).mid(start)); ++ return retval; ++ } ++ return str; + } + + void QDomAttrPrivate::save(QTextStream& s, int, int) const diff --git a/depends/patches/qt/CVE-2025-4211-qtbase-5.15.patch b/depends/patches/qt/CVE-2025-4211-qtbase-5.15.patch new file mode 100644 index 000000000000..0682ed28b61c --- /dev/null +++ b/depends/patches/qt/CVE-2025-4211-qtbase-5.15.patch @@ -0,0 +1,61 @@ +From 3d20cd0105c2ae06605c5078e7675e200f1a001a Mon Sep 17 00:00:00 2001 +From: MÃ¥rten Nordheim +Date: Mon, 17 Mar 2025 14:22:11 +0100 +Subject: [PATCH] QFileSystemEngine/Win: Use GetTempPath2 when available + +Because the documentation for GetTempPath nows says apps should call +GetTempPath2.[0] + +Starting with Windows 11[1], and recently Windows 10[2], +GetTempPath2 was added. The difference being that elevated +processes are returned a different directory. Usually +'C:\Windows\SystemTemp'. + +Currently temporary files of an elevated process may be placed in a +world write-able location. GetTempPath2, by default, but can be +overridden, places it in a directory that's only accessible by SYSTEM +and administrators. + +[0] https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-gettemppathw#remarks +[1] https://learn.microsoft.com/en-us/windows/win32/api/fileapi/nf-fileapi-gettemppath2w +(Minimum supported client - Windows 11 Build 22000) +[2] https://blogs.windows.com/windows-insider/2025/03/13/releasing-windows-10-build-19045-5674-to-the-release-preview-channel/ +(This update enables system processes to store temporary files ...) + +[ChangeLog][QtCore][Important Behavior Changes] On +Windows, generating temporary directories for processes with elevated +privileges may now return a different path with a stricter +set of permissions. Please consult Microsoft's documentation from when +they made the same change for the .NET framework: +https://support.microsoft.com/en-us/topic/gettemppath-changes-in-windows-february-cumulative-update-preview-4cc631fb-9d97-4118-ab6d-f643cd0a7259 + +Change-Id: I5caf11151fb2f711bbc5599231f140598b3c9d03 +Reviewed-by: Marc Mutz +(cherry picked from commit 69633bcb58e681bac5bff3744e5a2352788dc36c) +Reviewed-by: Qt Cherry-pick Bot +(cherry picked from commit 6a684a53b371ec483b27bf243af24819be63f85f) +(cherry picked from commit bbeccc0c22e520f46f0b33e281fa5ac85ac9c727) +(cherry picked from commit 59d7eb9bbb4f13cccbd9323fd995a8c108b56e60) +--- + +diff --git a/qtbase/src/corelib/io/qfilesystemengine_win.cpp b/qtbase/src/corelib/io/qfilesystemengine_win.cpp +index 75c661f..37a400f 100644 +--- a/qtbase/src/corelib/io/qfilesystemengine_win.cpp ++++ b/qtbase/src/corelib/io/qfilesystemengine_win.cpp +@@ -1390,7 +1390,15 @@ + QString ret; + #ifndef Q_OS_WINRT + wchar_t tempPath[MAX_PATH]; +- const DWORD len = GetTempPath(MAX_PATH, tempPath); ++ using GetTempPathPrototype = DWORD (WINAPI *)(DWORD, LPWSTR); ++ // We try to resolve GetTempPath2 and use that, otherwise fall back to GetTempPath: ++ static GetTempPathPrototype getTempPathW = []() { ++ const HMODULE kernel32 = GetModuleHandleW(L"kernel32.dll"); ++ if (auto *func = QFunctionPointer(GetProcAddress(kernel32, "GetTempPath2W"))) ++ return GetTempPathPrototype(func); ++ return GetTempPath; ++ }(); ++ const DWORD len = getTempPathW(MAX_PATH, tempPath); + if (len) { // GetTempPath() can return short names, expand. + wchar_t longTempPath[MAX_PATH]; + const DWORD longLen = GetLongPathName(tempPath, longTempPath, MAX_PATH); diff --git a/depends/patches/qt/CVE-2025-5455-qtbase-5.15.patch b/depends/patches/qt/CVE-2025-5455-qtbase-5.15.patch new file mode 100644 index 000000000000..352be5e20266 --- /dev/null +++ b/depends/patches/qt/CVE-2025-5455-qtbase-5.15.patch @@ -0,0 +1,20 @@ +diff --git a/qtbase/src/corelib/io/qdataurl.cpp b/qtbase/src/corelib/io/qdataurl.cpp +index f14d399301f..83e59e3ac00 100644 +--- a/qtbase/src/corelib/io/qdataurl.cpp ++++ b/qtbase/src/corelib/io/qdataurl.cpp +@@ -76,10 +76,11 @@ Q_CORE_EXPORT bool qDecodeDataUrl(const QUrl &uri, QString &mimeType, QByteArray + } + + if (data.toLower().startsWith("charset")) { +- int i = 7; // strlen("charset") +- while (data.at(i) == ' ') +- ++i; +- if (data.at(i) == '=') ++ int prefixSize = 7; // strlen("charset") ++ QLatin1String copy(data.constData() + prefixSize, data.size() - prefixSize); ++ while (copy.startsWith(QLatin1String(" "))) ++ copy = copy.mid(1); ++ if (copy.startsWith(QLatin1String("="))) + data.prepend("text/plain;"); + } + diff --git a/depends/patches/qt/clang_18_libpng.patch b/depends/patches/qt/clang_18_libpng.patch deleted file mode 100644 index e807905b321a..000000000000 --- a/depends/patches/qt/clang_18_libpng.patch +++ /dev/null @@ -1,40 +0,0 @@ -fix Qt macOS build with Clang 18 - - See: - https://github.com/pnggroup/libpng/commit/893b8113f04d408cc6177c6de19c9889a48faa24. - - In a similar manner as zlib (madler/zlib#895), - libpng contains a header configuration that's no longer valid and - hasn't been exercised for the macOS target. - - - The target OS conditional macros are misused. Specifically - `TARGET_OS_MAC` covers all Apple targets, including iOS, and it - should not be checked with `#if defined` as they would always be - defined (to either 1 or 0) on Apple platforms. - - `#include ` no longer works for the macOS target and results - in a compilation failure. macOS ships all required functions in - `math.h`, and clients should use `math.h` instead. - ---- a/qtbase/src/3rdparty/libpng/pngpriv.h -+++ b/qtbase/src/3rdparty/libpng/pngpriv.h -@@ -514,18 +514,8 @@ - */ - # include - --# if (defined(__MWERKS__) && defined(macintosh)) || defined(applec) || \ -- defined(THINK_C) || defined(__SC__) || defined(TARGET_OS_MAC) -- /* We need to check that hasn't already been included earlier -- * as it seems it doesn't agree with , yet we should really use -- * if possible. -- */ --# if !defined(__MATH_H__) && !defined(__MATH_H) && !defined(__cmath__) --# include --# endif --# else --# include --# endif -+# include -+ - # if defined(_AMIGA) && defined(__SASC) && defined(_M68881) - /* Amiga SAS/C: We must include builtin FPU functions when compiling using - * MATH=68881 diff --git a/doc/dependencies.md b/doc/dependencies.md index 62bce5999fa1..6a55eaba416e 100644 --- a/doc/dependencies.md +++ b/doc/dependencies.md @@ -33,7 +33,7 @@ You can find installation instructions in the `build-*.md` file for your platfor | [Fontconfig](../depends/packages/fontconfig.mk) | [link](https://www.freedesktop.org/wiki/Software/fontconfig/) | [2.12.6](https://github.com/bitcoin/bitcoin/pull/23495) | 2.6 | Yes | | [FreeType](../depends/packages/freetype.mk) | [link](https://freetype.org) | [2.11.0](https://github.com/bitcoin/bitcoin/commit/01544dd78ccc0b0474571da854e27adef97137fb) | 2.3.0 | Yes | | [qrencode](../depends/packages/qrencode.mk) | [link](https://fukuchi.org/works/qrencode/) | [4.1.1](https://github.com/bitcoin/bitcoin/pull/27312) | | No | -| [Qt](../depends/packages/qt.mk) | [link](https://download.qt.io/official_releases/qt/) | [5.15.16](https://github.com/bitcoin/bitcoin/pull/30774) | [5.11.3](https://github.com/bitcoin/bitcoin/pull/24132) | No | +| [Qt](../depends/packages/qt.mk) | [link](https://download.qt.io/official_releases/qt/) | [5.15.18](https://github.com/dashpay/dash/pull/6949) | [5.11.3](https://github.com/bitcoin/bitcoin/pull/24132) | No | ### Networking | Dependency | Releases | Version used | Minimum required | Runtime |