From ${URL} : Title: DoS vulnerability in the BMP image handler Risk Rating: Low CVE: CVE-2015-0295 Platforms: All Modules: QtBase Versions: All versions before 5.5 Author: Richard J. Moore <rich at kde.org> Date: 22 February 2015 Overview -------- The builtin BMP decoder in QtGui prior to Qt 5.5 contained a bug that would lead to a divsion by zero when loading certain corrupt BMP files. This in turn would cause the application loading these hand crafted BMPs to crash. Details ------- It is possible to construct BMP files such that when calculating the masks required to extract the colour components a division by zero occurred. Impact ------ An application loading the malicious BMP file will crash. Workaround ---------- None Solution -------- Upgrade to Qt 5.5 once released or apply the patches below: For Qt 5.0 to 5.4: https://codereview.qt-project.org/106929 For Qt 4.8: https://codereview.qt-project.org/107108 @maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
So let me understand... every crash is a security vulnerability now? A division-by-zero is not exploitable by itself afaik.
(In reply to Davide Pesavento from comment #1) > So let me understand... every crash is a security vulnerability now? A > division-by-zero is not exploitable by itself afaik. It is if it is not caught and as such crashes: resulting in Denial of Service.
So every externally triggerable crash is a DoS?
(In reply to Davide Pesavento from comment #3) > So every externally triggerable crash is a DoS? Basically yes, although it would in some circumstances depend on the security properties stated by the upstream. I haven't looked into this bug too closely but I imagine it is caused due to a CWE-20: Improper Input Validation.
In overlay. https://gitweb.gentoo.org/proj/qt.git/commit/?id=04813ef4c2153cb4e91af61b48561f15909527c8
4.8.{5,6} need patching too -> git fetch https://codereview.qt-project.org/qt/qt refs/changes/08/107108/4 && git format-patch -1 --stdout FETCH_HEAD You can revbump both in tree and stabilize 4.8.5-r4
Thanks, fixed in CVS. + 17 Mar 2015; Michael Palimaka <kensington@gentoo.org> + +files/qtgui-5.4.1-CVE-2015-0295.patch, +qtgui-5.4.1-r1.ebuild, + -qtgui-5.4.1.ebuild: + Backport patch from upstream to solve CVE-2015-0295 wrt bug #541972.
Thanks Davide, 4.8 done too. + 17 Mar 2015; Michael Palimaka <kensington@gentoo.org> + +files/qtgui-4.8.5-CVE-2015-0295.patch, +qtgui-4.8.5-r4.ebuild, + +qtgui-4.8.6-r2.ebuild, -qtgui-4.8.6-r1.ebuild: + Backport patch from upstream to solve CVE-2015-0295 wrt bug #541972. Arch teams, please test and stabilise dev-qt/qtgui-4.8.5-r4. Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86".
amd64 stable
x86 done.
Stable for HPPA.
ia64 stable
ppc stable
ppc64 stable
arm stable
CVE-2015-0295 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0295): The BMP decoder in QtGui in QT before 5.5 does not properly calculate the masks used to extract the color components, which allows remote attackers to cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
sparc stable
alpha stable. Maintainer(s), please cleanup. Security, please vote.
+ 30 Mar 2015; Michael Palimaka <kensington@gentoo.org> -qtgui-4.8.5-r3.ebuild: + Remove old.
Arches and Maintainer(s), Thank you for your work. GLSA Vote: Yes
GLSA Vote: No
GLSA vote: no. Closing as [noglsa]
