Mark QTimeZone as security-critical:

- qtimezonelocale.cpp: matchOffsetFormat() and findLongNamePrefix()
  dereference a potentially untrusted string.
- qtimezoneprivate.cpp: findUtcOffsetPrefix() accesses untrusted string
  data.
- qtimezoneprivate_tz.cpp: loadTzTimeZones() parses POSIX
  zone-descriptor format.

Fixes: QTBUG-135197
Change-Id: Ib5ec53ad8210bd872b06be8b1f71459f8b48b2ab
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Magdalena Stojek 2025-05-06 16:11:22 +02:00
parent 0de9b81a8c
commit 8b67e93694
3 changed files with 3 additions and 1 deletion

@ -1,5 +1,6 @@
// Copyright (C) 2024 The Qt Company Ltd.
// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
// Qt-Security score:critical reason:data-parser
#include <private/qtimezonelocale_p.h>
#include <private/qtimezoneprivate_p.h>
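Review bot: the reason tag on the inserted marker line is `data-parser`, but the commit message justifies this file's score with matchOffsetFormat() and findLongNamePrefix() dereferencing an untrusted string, which is a bounds/validation concern rather than a format parser; if the marker syntax allows a more specific reason, use it here, otherwise state in the message that `data-parser` is the intended catch-all. The header (-1,5 +1,6) confirms this is a one-line insertion with no change to the functions named, so the score is documentation only and should point a future reader at those two functions, for example by naming them in a short comment next to the marker.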

@ -1,7 +1,7 @@
// Copyright (C) 2022 The Qt Company Ltd.
// Copyright (C) 2013 John Layt <jlayt@kde.org>
// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
// Qt-Security score:critical reason:data-parser
#include "qtimezone.h"
#include "qtimezoneprivate_p.h"
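Review bot: the header (-1,7 +1,7) shows a line replaced rather than inserted, and the summary's single deletion must be in this file, but the rendered hunk shows only the resulting lines, so the removed line is not visible for review. The commit message should say what that line was (for instance an earlier marker with a different score, or an unrelated header line) so that a score change, if that is what happened, is explicit rather than hidden in a one-for-one line swap.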

@ -2,6 +2,7 @@
// Copyright (C) 2019 Crimson AS <info@crimson.no>
// Copyright (C) 2013 John Layt <jlayt@kde.org>
// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
// Qt-Security score:critical reason:data-parser
#include "qtimezone.h"
#include "qtimezoneprivate_p.h"
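Review bot: no issue with this hunk; the header (-2,6 +2,7) confirms a single inserted marker line and its placement (after the SPDX line, before the first include) matches the other two files. Of the three files, this is the one whose stated justification, loadTzTimeZones() parsing the POSIX zone-descriptor format, literally fits `reason:data-parser`.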