Merge PR "[AUTO-CHERRYPICK] [AutoPR- Security] Patch qt5-qtbase for CVE-2025-66293 [HIGH] - branch main" #15319

CBL-Mariner-Bot · azurelinux-security · Kanishk-Bansal · web-flow · commit 9641ccf7938f · 2025-12-16T14:45:42.000-08:00
Co-authored-by: Azure Linux Security Servicing Account &lt;azurelinux-security@microsoft.com&gt;
Co-authored-by: Kanishk Bansal &lt;103916909+Kanishk-Bansal@users.noreply.github.com&gt;
Co-authored-by: Archana Shettigar &lt;v-shettigara@microsoft.com&gt;
diff --git a/SPECS/qt5-qtbase/CVE-2025-66293.patch b/SPECS/qt5-qtbase/CVE-2025-66293.patch
@@ -0,0 +1,125 @@
+From 788a624d7387a758ffd5c7ab010f1870dea753a1 Mon Sep 17 00:00:00 2001
+From: Cosmin Truta <ctruta@gmail.com>
+Date: Sat, 29 Nov 2025 00:39:16 +0200
+Subject: [PATCH] Fix an out-of-bounds read in `png_image_read_composite`
+
+Add a defensive bounds check before calling PNG_sRGB_FROM_LINEAR to
+prevent reading up to 506 entries (1012 bytes) past `png_sRGB_base[]`.
+
+For palette images with gamma, `png_init_read_transformations`
+clears PNG_COMPOSE after compositing on the palette, but it leaves
+PNG_FLAG_OPTIMIZE_ALPHA set. The simplified API then calls
+`png_image_read_composite` with sRGB data (not linear premultiplied),
+causing the index to reach 1017. (The maximum valid index is 511.)
+
+NOTE:
+This is a defensive fix that addresses the security issue (out-of-bounds
+read) but *NOT* the correctness issue (wrong output). When the clamp
+triggers, the affected pixels are clamped to white instead of the
+correct composited color. Valid PNG images may render incorrectly with
+the simplified API.
+
+TODO:
+We already know the root cause is a flag synchronization error.
+For palette images with gamma, `png_init_read_transformations`
+clears PNG_COMPOSE but leaves PNG_FLAG_OPTIMIZE_ALPHA set, causing
+`png_image_read_composite` to misinterpret sRGB data as linear
+premultiplied. However, we have yet to implement an architectural fix
+that requires coordinating the simplified API with the transformation
+pipeline.
+
+Reported-by: flyfish101 <flyfish101@users.noreply.github.com>
+Upstream Reference: https://github.com/pnggroup/libpng/commit/788a624d7387a758ffd5c7ab010f1870dea753a1.patch & https://github.com/pnggroup/libpng/commit/a05a48b756de63e3234ea6b3b938b8f5f862484a.patch
+
+---
+ src/3rdparty/libpng/pngread.c  | 54 +++++++++++++++++++++++++++++-----
+ src/3rdparty/libpng/pngrtran.c |  1 +
+ 2 files changed, 47 insertions(+), 8 deletions(-)
+
+diff --git a/src/3rdparty/libpng/pngread.c b/src/3rdparty/libpng/pngread.c
+index 07a39df6..85958188 100644
+--- a/src/3rdparty/libpng/pngread.c
++++ b/src/3rdparty/libpng/pngread.c
+@@ -3296,6 +3296,7 @@ png_image_read_composite(png_voidp argument)
+       ptrdiff_t    step_row = display->row_bytes;
+       unsigned int channels =
+           (image->format & PNG_FORMAT_FLAG_COLOR) != 0 ? 3 : 1;
++      int optimize_alpha = (png_ptr->flags & PNG_FLAG_OPTIMIZE_ALPHA) != 0;
+       int pass;
+ 
+       for (pass = 0; pass < passes; ++pass)
+@@ -3504,14 +3505,51 @@ png_image_read_background(png_voidp argument)
+ 
+                            if (alpha < 255) /* else just use component */
+                            {
+-                              /* Since PNG_OPTIMIZED_ALPHA was not set it is
+-                               * necessary to invert the sRGB transfer
+-                               * function and multiply the alpha out.
+-                               */
+-                              component = png_sRGB_table[component] * alpha;
+-                              component += png_sRGB_table[outrow[0]] *
+-                                 (255-alpha);
+-                              component = PNG_sRGB_FROM_LINEAR(component);
++			      if (optimize_alpha != 0)
++			      {
++				/* This is PNG_OPTIMIZED_ALPHA, the component value
++				 * is a linear 8-bit value.  Combine this with the
++				 * current outrow[c] value which is sRGB encoded.
++				 * Arithmetic here is 16-bits to preserve the output
++				 * values correctly.
++				 */
++				 component *= 257*255; /* =65535 */
++				 component += (255-alpha)*png_sRGB_table[outrow[c]];
++
++				 /* Clamp to the valid range to defend against
++				 * unforeseen cases where the data might be sRGB
++				 * instead of linear premultiplied.
++				 * (Belt-and-suspenders for GitHub Issue #764.)
++				 */
++
++				 if (component > 255*65535)
++				   component = 255*65535;
++
++				 /* So 'component' is scaled by 255*65535 and is
++				 * therefore appropriate for the sRGB-to-linear
++				 * conversion table.  Clamp to the valid range
++				 * as a defensive measure against an internal
++				 * libpng bug where the data is sRGB rather than
++				 * linear premultiplied.
++				 */
++				  if (component > 255*65535)
++					component = 255*65535;
++				 component = PNG_sRGB_FROM_LINEAR(component);
++			       }
++			       else
++			       {
++				 /* Compositing was already done on the palette
++				 * entries.  The data is sRGB premultiplied on black.
++				 * Composite with the background in sRGB space.
++				 * This is not gamma-correct, but matches what was
++				 * done to the palette.
++				 */
++				 png_uint_32 background = outrow[c];
++				 component += ((255-alpha) * background + 127) / 255;
++				 if (component > 255)
++					component = 255;
++				 }
++
+                            }
+ 
+                            outrow[0] = (png_byte)component;
+diff --git a/src/3rdparty/libpng/pngrtran.c b/src/3rdparty/libpng/pngrtran.c
+index 1526123e..e329a715 100644
+--- a/src/3rdparty/libpng/pngrtran.c
++++ b/src/3rdparty/libpng/pngrtran.c
+@@ -1720,6 +1720,7 @@ png_init_read_transformations(png_structrp png_ptr)
+              * transformations elsewhere.
+              */
+             png_ptr->transformations &= ~(PNG_COMPOSE | PNG_GAMMA);
++	    png_ptr->flags &= ~PNG_FLAG_OPTIMIZE_ALPHA;
+          } /* color_type == PNG_COLOR_TYPE_PALETTE */
+ 
+          /* if (png_ptr->background_gamma_type!=PNG_BACKGROUND_GAMMA_UNKNOWN) */
+-- 
+2.45.4
+
diff --git a/SPECS/qt5-qtbase/qt5-qtbase.spec b/SPECS/qt5-qtbase/qt5-qtbase.spec
@@ -33,7 +33,7 @@
 Name:         qt5-qtbase
 Summary:      Qt5 - QtBase components
 Version:      5.12.11
-Release:      18%{?dist}
+Release:      19%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License:      GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
 Vendor:       Microsoft Corporation
@@ -170,6 +170,7 @@ Patch95: CVE-2023-34410.patch
 Patch96: CVE-2025-30348.patch
 Patch97: CVE-2025-6558.patch
 Patch98: CVE-2025-5455.patch
+Patch99: CVE-2025-66293.patch
 
 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
@@ -779,6 +780,9 @@ fi
 %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake
 
 %changelog
+* Mon Dec 08 2025 Azure Linux Security Servicing Account <azurelinux-security@microsoft.com> - 5.12.11-19
+- Patch for CVE-2025-66293
+
 * Fri Jul 25 2025 Akhila Guruju <v-guakhila@microsoft.com> - 5.12.11-18
 - Patch CVE-2025-5455
 
