Mandrake released the following: Problem Description: Chris Evans discovered a heap-based overflow in the QT library when handling 8-bit RLE encoded BMP files. This vulnerability could allow for the compromise of the account used to view or browse malicious BMP files. On subsequent investigation, it was also found that the handlers for XPM, GIF, and JPEG image types were also faulty. These problems affect all applications that use QT to handle image files, such as QT-based image viewers, the Konqueror web browser, and others.
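The RLE8 path named in the advisory above is the classic place where a missing row-bounds check lets a crafted run length write past the pixel buffer on the heap. The following is an added example written for this page; it is not Qt's code, Mandrake's patch, or any project's decoder. It is a small bounds-checked BMP RLE8 decoder in C, run over a constructed well-formed stream and a constructed stream whose run length exceeds the row width. The function names, the 4x2 sample image and the byte streams are assumptions made for illustration.

```c
#include <stddef.h>
#include <stdint.h>
#include <string.h>
#include <stdio.h>

/* Bounds-checked BMP RLE8 decoder (illustrative, not Qt's code).
 * src/srclen: the compressed pixel stream from the file.
 * dst: caller-provided width*height bytes of 8-bit palette indices.
 * Returns 0 on success, -1 when the stream is malformed: a run or literal
 * block that would write past the current row, a delta that moves the
 * cursor outside the image, or a stream that ends early.  Every write is
 * preceded by an explicit check against the remaining room in the row;
 * that check is the one whose absence turns a crafted run length into a
 * heap overflow in a naive decoder. */
int decode_rle8(const uint8_t *src, size_t srclen,
                uint8_t *dst, size_t width, size_t height)
{
    size_t x = 0, y = 0, i = 0;

    if (width == 0 || height == 0)
        return -1;
    memset(dst, 0, width * height);

    while (i + 1 < srclen) {                 /* every opcode is 2 bytes */
        uint8_t count = src[i], value = src[i + 1];
        i += 2;

        if (count > 0) {
            /* Encoded mode: 'count' copies of 'value'. */
            if (y >= height || count > width - x)
                return -1;
            memset(dst + y * width + x, value, count);
            x += count;
        } else if (value == 0) {
            /* Escape: end of line. */
            x = 0;
            y++;
        } else if (value == 1) {
            /* Escape: end of bitmap. */
            return 0;
        } else if (value == 2) {
            /* Escape: delta, cursor moves right dx and down dy. */
            if (i + 1 >= srclen)
                return -1;
            uint8_t dx = src[i], dy = src[i + 1];
            i += 2;
            if (dx > width - x || dy > height - y)
                return -1;
            x += dx;
            y += dy;
        } else {
            /* Absolute mode: 'value' literal bytes, padded to 16 bits. */
            size_t n = value, padded = (n + 1) & ~(size_t)1;
            if (i + padded > srclen)
                return -1;
            if (y >= height || n > width - x)
                return -1;
            memcpy(dst + y * width + x, src + i, n);
            x += n;
            i += padded;
        }
    }
    return -1;                               /* no end-of-bitmap escape */
}

/* Constructed sample streams for a 4x2 image (not taken from any real file). */
static const uint8_t GOOD_STREAM[] = {
    0x04, 0x11,                         /* row 0: run of 4 x 0x11 */
    0x00, 0x00,                         /* end of line */
    0x00, 0x03, 0xAA, 0xBB, 0xCC, 0x00, /* row 1: 3 literals + pad byte */
    0x01, 0xDD,                         /* run of 1 x 0xDD */
    0x00, 0x01                          /* end of bitmap */
};
/* A run of 255 pixels declared for a 4-pixel-wide row: the shape of input
 * that overruns the output buffer when the row check is missing. */
static const uint8_t OVERRUN_STREAM[] = { 0xFF, 0x41, 0x00, 0x01 };

/* Decode GOOD_STREAM and compare against the expected pixels. 1 = match. */
int check_good(void)
{
    static const uint8_t expect[8] =
        { 0x11, 0x11, 0x11, 0x11, 0xAA, 0xBB, 0xCC, 0xDD };
    uint8_t out[8];
    if (decode_rle8(GOOD_STREAM, sizeof GOOD_STREAM, out, 4, 2) != 0)
        return 0;
    return memcmp(out, expect, sizeof expect) == 0;
}

/* Decode OVERRUN_STREAM into a 4x2 buffer; the decoder must refuse it (-1). */
int check_overrun(void)
{
    uint8_t out[8];
    return decode_rle8(OVERRUN_STREAM, sizeof OVERRUN_STREAM, out, 4, 2);
}

int main(void)
{
    printf("well-formed stream decodes: %s\n", check_good() ? "yes" : "no");
    printf("oversized run rejected: %s\n", check_overrun() == -1 ? "yes" : "no");
    return 0;
}
```

The decoder never trusts a length byte from the file: each run, literal block and delta is compared against the room left in the current row and image before any byte is written, and the caller sizes the output buffer from the header dimensions it already validated.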
Not much info yet. kde, please verify whether 3.3.3 solves this problem. I'm not sure that the lines below from the Changelog fix this problem: - QImage: Included fix for buffer overflow in libPNG. Fixed bug that made copy constructor not copy the entire image. Allow XPM images with colors that have more than one word in the name. Fixed crash when trying to load a corrupt/invalid BMP image. Fixed crash when trying to load a corrupt/invalid GIF image. Fixed crash when trying to load a JPEG image that is too big. Fixed bug that caused dotsPerMeter() to be ignored when saving JPEG images.
Yes it is the libpng issue. Arch teams, please mark stable.
Please clarify what needs to be marked stable.
I know nothing of this bug, nor do I know if 3.3.3 has the fix for it. I've heard nothing from the Qt developers on the matter. Also, my recommendation to the arches is to not just blindly bump this to stable as we don't know enough if 3.3.3 introduces any "regressions" yet from 3.3.2, particularly to KDE.
Sorry Caleb, but I went ahead for x86 already. Chris Evans discovered vulnerabilities in libpng lately (http://secunia.com/advisories/12219/) and I guess this is just part of what he found.
Back to ebuild status and uncc'ing arches. It's not entirely clear what Mandrake patched but it appears that qt 3.3.3 contains security fixes. Caleb will you look into this? If qt 3.3.2 is vulnerable to the libpng issue we need to bump to 3.3.3 or a patched version.
It's the libpng bug + several bugs in QT itself. Affected are BMP, XPM and JPEG.
Created attachment 37737 [details, diff] Patch ripped from Suse's SRPM Applies against 3.3.2 with a few offsets. Not compile tested.
*** Bug 60902 has been marked as a duplicate of this bug. ***
Hi, what needs to be marked stable? Pieter
If qt-3.3.3 turns out to have the fixes, it can go stable on ppc. I've tested it.
Qt-3.3.3 has the fixes, but there's still Caleb's veto, because Trolltech hasn't announced anything yet.
They didn't announce it, but if you review the changelog as noted in Bug 60902: http://www.trolltech.com/developer/changes/changes-3.3.3.html it, at the very least, mentions the libpng bug.
qt-3.3.3 looks good on sparc, but I'll wait for caleb/weeve's take on this one.
The bump to stable is fine with me - I just wanted to make sure that people understand that there have been instances before where upgrading to a new minor version of Qt caused problems with KDE installations which required a re-emerge of kde - and a lot of end user griping :)
Okie dokie, sparc stable then.
stable on ppc
stable on ppc64
stable on amd64
hppa stable
Stable on alpha.
This is ready for GLSA. Security please draft.
GLSA drafted. Security team, please review.
GLSA 200408-20.
Stable on mips.