932337 – (CVE-2024-36048) <dev-qt/qtnetworkauth-5.15.14:5, <dev-qt/qtnetworkauth-6.7.1:6: badly seeded PRNG may result in guessable values (CVE-2024-36048)

Bug 932337 (CVE-2024-36048) - <dev-qt/qtnetworkauth-5.15.14:5, <dev-qt/qtnetworkauth-6.7.1:6: badly seeded PRNG may result in guessable values (CVE-2024-36048)

Summary: <dev-qt/qtnetworkauth-5.15.14:5, <dev-qt/qtnetworkauth-6.7.1:6: badly seeded ...

Status:	CONFIRMED

Alias:	CVE-2024-36048

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:	https://www.qt.io/blog/security-advis...
Whiteboard:	B4 [glsa?]
Keywords:

Depends on:	qt-6.7.1-stable qt-5.15.14-stable
Blocks:
	Show dependency tree

Reported:	2024-05-21 06:39 UTC by Ionen Wolkens
Modified:	2024-06-09 07:51 UTC (History)
CC List:	1 user (show)

See Also:	https://invent.kde.org/qt/qt/qtnetworkauth/-/merge_requests/1
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Ionen Wolkens gentoo-dev

2024-05-21 06:39:50 UTC

Release notes for Qt 6.7.1[1] mention having fixed CVE-2024-36048, but Qt has not done a blog post about it (yet) that I can see so have little details beside the CVE's description:

    QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.

And what seems to be the fix[2] for 6.7.1.

6.7.1 is already in-tree, pending stable in ~2 weeks or so if nothing comes up.

5.15.x still needs fixing (figure it may wait until Qt does a blog post w/ patches unless want to try to use 6.7.1's fix).

[1] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.7.1/release-note.md
[2] https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317

Comment 1 Larry the Git Cow gentoo-dev

2024-05-30 12:52:39 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f41d46c1ea1b4ebb6fccbdc95f126d9420a1237f

commit f41d46c1ea1b4ebb6fccbdc95f126d9420a1237f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-05-30 10:20:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-05-30 12:34:27 +0000

    dev-qt/qtnetworkauth: add 5.15.14
    
    Bug: https://bugs.gentoo.org/932337
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtnetworkauth/Manifest                     |  2 ++
 dev-qt/qtnetworkauth/qtnetworkauth-5.15.14.ebuild | 29 +++++++++++++++++++++++
 2 files changed, 31 insertions(+)

Comment 2 Andreas Sturmlechner gentoo-dev

2024-06-06 16:44:26 UTC

dev-qt/qtnetworkauth-5.15.13 cleanup done.

Comment 3 Larry the Git Cow gentoo-dev

2024-06-08 13:41:08 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed44f01c4e1b665df660a49429e5ac71780cc969

commit ed44f01c4e1b665df660a49429e5ac71780cc969
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-06-08 05:40:42 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-06-08 13:39:33 +0000

    dev-qt/qtnetworkauth: drop 6.7.0
    
    All done wrt bug #932337
    
    Bug: https://bugs.gentoo.org/932337
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 dev-qt/qtnetworkauth/Manifest                   |  1 -
 dev-qt/qtnetworkauth/qtnetworkauth-6.7.0.ebuild | 15 ---------------
 2 files changed, 16 deletions(-)