Bug 192472 - x11-libs/qt convertToUnicode Off-by-one Buffer overflow (CVE-2007-4137)
Bug#: 192472 Product:  Gentoo Security Version: unspecified Platform: All
OS/Version: Linux Status: RESOLVED Severity: major Priority: P2
Resolution: FIXED Assigned To: security@gentoo.org Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL:  http://trolltech.com/company/newsroom/announcements/press.2007-09-03.7564032119
Summary: x11-libs/qt convertToUnicode Off-by-one Buffer overflow (CVE-2007-4137)
Keywords:  
Status Whiteboard: A2 [glsa]
Opened: 2007-09-14 00:24 0000
Description:   Opened: 2007-09-14 00:24 0000 
Dirk Mueller (KDE) discovered an Off-by-one Buffer overflow that could lead to
the execution of arbitrary code or denial of service for Qt applications using
malicious unicode input.

All versions in portage are affected. Patches here:
Qt3: http://dist.trolltech.com/developer/download/175791_3.diff
Qt4: http://dist.trolltech.com/developer/download/175791_4.diff

Upstream will release these patches as part of their next maintenance release.

------- Comment #1 From Robert Buchholz 2007-09-14 00:26:34 0000 ------- 
Setting whiteboard and cc'ing maintainers.

qt, please provide a updated ebuilds.

------- Comment #2 From Tobias Heinlein 2007-09-14 16:06:02 0000 ------- 
CC'ing kde herd as per Philantrop's request.

------- Comment #3 From Caleb Tennis 2007-09-14 16:50:09 0000 ------- 
my vote is to patch qt3 and qt4 and directly bump to stable without having to
call in the arch teams.  there's nothing intrusive about these patches
whatsoever that would necessitate needing the arch teams to need to test.

does anyone object to that?

------- Comment #4 From Wulf Krueger (RETIRED) 2007-09-14 17:26:49 0000 ------- 
(In reply to comment #3)
> does anyone object to that?

May I say that I *agree* with your suggestion instead? ;)

------- Comment #5 From Pierre-Yves Rofes 2007-09-14 20:35:44 0000 ------- 
given the content of the patchs, I agree too.

------- Comment #6 From Robert Buchholz 2007-09-14 21:04:10 0000 ------- 
Quoting Dirk Mueller who discovered this:
    It is not exploitable with Qt 4.x or above because there is an  
    additional QChar(0) being allocated in QString, however it is still a  
    bug there, as the array returned by utf16() etc is no longer  
    terminated properly.

So this needs fixing for Qt3, but not necessarily for Qt4. If we do a stable
bump, fixing it for Qt4 too doesn't cost too much either though.

------- Comment #7 From Caleb Tennis 2007-09-14 21:31:06 0000 ------- 
ok, I've added qt-3.3.8-r4 and qt-4.3.1-r1 applying both of these patches

ppc is the only non-stable arch we need for 4.3.1-r1.  mips is unstable for
3.3.8-r*, but we haven't heard from them in years so I doubt notifying of them
of this is going to help.

------- Comment #8 From Robert Buchholz 2007-09-14 21:50:17 0000 ------- 
(In reply to comment #7)
> ppc is the only non-stable arch we need for 4.3.1-r1.  mips is unstable for
> 3.3.8-r*, but we haven't heard from them in years so I doubt notifying of them
> of this is going to help.

Thanks a lot for taking care so fast.

I'll leave a comment at bug 192134 for ppc.
mips, please stabilize qt-3.3.8-r4 if appropriate.

------- Comment #9 From Robert Buchholz 2007-09-14 21:52:25 0000 ------- 
(ugh)

------- Comment #10 From Robert Buchholz 2007-09-15 10:45:49 0000 ------- 
All arches but mips are stable. This is ready for a GLSA.

------- Comment #11 From Sebastian 2007-09-15 11:06:27 0000 ------- 
Anyone checked whether these patches collide with the utf8-bug patches? I'm
wondering because they do work on the same code snippet.

Regards
Sebastian

------- Comment #12 From Caleb Tennis 2007-09-15 11:21:29 0000 ------- 
they both apply properly on my machine

------- Comment #13 From Christian Korff 2007-09-15 18:28:04 0000 ------- 
Will there be also a patch for 3.3.4?

I depend on 3.3.4 since qt 3.3.8 and Gentoo hardened have some problems. see
bug #175996 for a description. So I would very happy for a supported 3.3.4
ebuild.

------- Comment #14 From Robert Buchholz 2007-09-16 04:02:08 0000 ------- 
(In reply to comment #13)
> Will there be also a patch for 3.3.4?

That version is also unfixed for bug 172746 and bug 185446, so we either do
this right or not at all.
Besides that, it's the decision of the qt herd / the hardened people.

------- Comment #15 From Caleb Tennis 2007-09-25 13:02:13 0000 ------- 
I'm leaving it open to the hardened folks.  Any patching that needs to be done
to 3.3.4 is fine by me.

------- Comment #16 From Raphael Marichez 2007-10-25 22:13:23 0000 ------- 
GLSA 200710-28 - sorry for the dealy