CVE-2024-25580: A recently reported potential buffer overflow issue in Qt’s KTX’s image handling has been assigned the CVE id CVE-2024-25580. An issue was discovered in Qt from 5.12.0 through 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. With a specifically crafted KTX image file it is possible that the application reading it could cause an overflow and subsequently a crash. Fixed qtbase-6.6.2 is already in-tree (pending stable), qtgui will need: https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=a08e969a19e21838d80d19de94cb1e1108bd6122 commit a08e969a19e21838d80d19de94cb1e1108bd6122 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2024-02-15 13:02:50 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2024-02-15 15:24:32 +0000 dev-qt/qtgui: Fix CVE-2024-25580 See also: https://www.qt.io/blog/security-advisory-potential-buffer-overflow-when-reading-ktx-images https://lists.qt-project.org/pipermail/announce/2024-February/000472.html Bug: https://bugs.gentoo.org/924647 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> .../qtgui/files/qtgui-5.15.12-CVE-2024-25580.patch | 228 +++++++++++++++++++++ dev-qt/qtgui/qtgui-5.15.12-r2.ebuild | 182 ++++++++++++++++ 2 files changed, 410 insertions(+)
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=514d99778ba7f072139e9e2ef3c38536aa4652cd commit 514d99778ba7f072139e9e2ef3c38536aa4652cd Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2024-02-17 15:47:50 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2024-02-17 16:57:21 +0000 dev-qt/qtgui: drop 5.15.12, 5.15.12-r1 Bug: https://bugs.gentoo.org/924647 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> dev-qt/qtgui/Manifest | 1 - dev-qt/qtgui/qtgui-5.15.12-r1.ebuild | 180 ----------------------------------- dev-qt/qtgui/qtgui-5.15.12.ebuild | 180 ----------------------------------- 3 files changed, 361 deletions(-)
Thanks all!
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=58047cd926f489846619d7cbbd0bbdcf2d31fa94 commit 58047cd926f489846619d7cbbd0bbdcf2d31fa94 Author: Ionen Wolkens <ionen@gentoo.org> AuthorDate: 2024-02-22 04:55:52 +0000 Commit: Ionen Wolkens <ionen@gentoo.org> CommitDate: 2024-02-22 06:14:24 +0000 dev-qt/qtbase: drop vulnerable 6.6.1-r4 Bug: https://bugs.gentoo.org/924647 Signed-off-by: Ionen Wolkens <ionen@gentoo.org> dev-qt/qtbase/Manifest | 2 - .../qtbase/files/qtbase-6.6.1-CVE-2023-51714.patch | 55 ---- dev-qt/qtbase/qtbase-6.6.1-r4.ebuild | 363 --------------------- 3 files changed, 420 deletions(-)
