Summary: | <dev-qt/qtcore-4.7.4-r1: Insecure Library Loading and Buffer Overflow Vulnerabilities (CVE-2011-3193) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | ||
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
URL: | https://secunia.com/advisories/41537/ | ||
Whiteboard: | B2 [glsa] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 390963 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2011-09-22 15:21:52 UTC
@qt I've omitted the status because 4.7.4 is in tree, but i don't know if you want stabilize all 4.7.4 qt packages now or simply patch the current. Since qt 4.7.4 is ready for stabilization and after talked with Davide(pesa) on irc, I add this bug as a blocker for the qt-stabilization tracker ( bug 390963 ). We fast stabilize asap after the patch on bug 384089 will be applied Unless I am mistaken, we should depend on qt-4.7.4 not block it. Please do correct me if I have it wrong. tnx. Thanks, everyone. GLSA request filed. Thank you all. Affected version removed from tree. Removing qt from CC, nothing to do here for us anymore. CVE-2011-3193 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2011-3193): Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file. This issue was resolved and addressed in GLSA 201311-14 at http://security.gentoo.org/glsa/glsa-201311-14.xml by GLSA coordinator Sergey Popov (pinkbyte). |