192472 2007-09-14 00:24 0000 x11-libs/qt convertToUnicode Off-by-one Buffer overflow (CVE-2007-4137) 2007-10-25 22:13:23 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://trolltech.com/company/newsroom/announcements/press.2007-09-03.7564032119 A2 [glsa] P2 major --- 192134 1 rbu@gentoo.org security@gentoo.org christian.korff@gmail.com kde@gentoo.org mips@gentoo.org qt@gentoo.org sebastian_ml@gmx.net rbu@gentoo.org 2007-09-14 00:24:30 0000 Dirk Mueller (KDE) discovered an Off-by-one Buffer overflow that could lead to the execution of arbitrary code or denial of service for Qt applications using malicious unicode input. All versions in portage are affected. Patches here: Qt3: http://dist.trolltech.com/developer/download/175791_3.diff Qt4: http://dist.trolltech.com/developer/download/175791_4.diff Upstream will release these patches as part of their next maintenance release. rbu@gentoo.org 2007-09-14 00:26:34 0000 Setting whiteboard and cc'ing maintainers. qt, please provide a updated ebuilds. keytoaster@gentoo.org 2007-09-14 16:06:02 0000 CC'ing kde herd as per Philantrop's request. caleb@gentoo.org 2007-09-14 16:50:09 0000 my vote is to patch qt3 and qt4 and directly bump to stable without having to call in the arch teams. there's nothing intrusive about these patches whatsoever that would necessitate needing the arch teams to need to test. does anyone object to that? philantrop@gentoo.org 2007-09-14 17:26:49 0000 (In reply to comment #3) > does anyone object to that? May I say that I *agree* with your suggestion instead? ;) py@gentoo.org 2007-09-14 20:35:44 0000 given the content of the patchs, I agree too. rbu@gentoo.org 2007-09-14 21:04:10 0000 Quoting Dirk Mueller who discovered this: It is not exploitable with Qt 4.x or above because there is an additional QChar(0) being allocated in QString, however it is still a bug there, as the array returned by utf16() etc is no longer terminated properly. So this needs fixing for Qt3, but not necessarily for Qt4. If we do a stable bump, fixing it for Qt4 too doesn't cost too much either though. caleb@gentoo.org 2007-09-14 21:31:06 0000 ok, I've added qt-3.3.8-r4 and qt-4.3.1-r1 applying both of these patches ppc is the only non-stable arch we need for 4.3.1-r1. mips is unstable for 3.3.8-r*, but we haven't heard from them in years so I doubt notifying of them of this is going to help. rbu@gentoo.org 2007-09-14 21:50:17 0000 (In reply to comment #7) > ppc is the only non-stable arch we need for 4.3.1-r1. mips is unstable for > 3.3.8-r*, but we haven't heard from them in years so I doubt notifying of them > of this is going to help. Thanks a lot for taking care so fast. I'll leave a comment at bug 192134 for ppc. mips, please stabilize qt-3.3.8-r4 if appropriate. rbu@gentoo.org 2007-09-14 21:52:25 0000 (ugh) rbu@gentoo.org 2007-09-15 10:45:49 0000 All arches but mips are stable. This is ready for a GLSA. sebastian_ml@gmx.net 2007-09-15 11:06:27 0000 Anyone checked whether these patches collide with the utf8-bug patches? I'm wondering because they do work on the same code snippet. Regards Sebastian caleb@gentoo.org 2007-09-15 11:21:29 0000 they both apply properly on my machine christian.korff@gmail.com 2007-09-15 18:28:04 0000 Will there be also a patch for 3.3.4? I depend on 3.3.4 since qt 3.3.8 and Gentoo hardened have some problems. see bug #175996 for a description. So I would very happy for a supported 3.3.4 ebuild. rbu@gentoo.org 2007-09-16 04:02:08 0000 (In reply to comment #13) > Will there be also a patch for 3.3.4? That version is also unfixed for bug 172746 and bug 185446, so we either do this right or not at all. Besides that, it's the decision of the qt herd / the hardened people. caleb@gentoo.org 2007-09-25 13:02:13 0000 I'm leaving it open to the hardened folks. Any patching that needs to be done to 3.3.4 is fine by me. falco@gentoo.org 2007-10-25 22:13:23 0000 GLSA 200710-28 - sorry for the dealy