"... Several format string flaws were found in Qt error message handling. If an application linked against Qt created an error message from user supplied data in a certain way, it could lead to a denial of service or possibly allow the execution of arbitrary code. (CVE-2007-3388) ..." from https://rhn.redhat.com/errata/RHSA-2007-0721.html Trolltech advisory: http://trolltech.com/company/newsroom/announcements/press.2007-07-27.7503755960 patch: http://dist.trolltech.com/developer/download/170529.diff thanks.
To quote Dirk Müller from the KDE packager list: In case you've missed it: I've added a patch for Qt4 as well to qt-copy. While TT claims that none of those are exploitable, I disagree and believe that some of them are indeed possible to exploit (though only in uninteresting ways as far as I investigated). so qt-3.3.8-r3 and qt-4.3.0-r1 are in cvs now. Please go for it arch teams.
I thought there was already an open bug on this... Anyway, arch teams note that the patch only modifies some debugging output statments via qWarning calls, so this should have absolutely no impact on stability whatsoever.
(In reply to comment #2) > I thought there was already an open bug on this... There is - once again restricted!? The issue was on the packager list on monday and in the public for at least 30 hours, so I thought you did not have the time and went ahead. :)
you're right, I didn't, so it's no problem. :) I just seem to remember it being a dupe.
*** This bug has been marked as a duplicate of bug 185446 ***