Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 932337 (CVE-2024-36048) - <dev-qt/qtnetworkauth-5.15.14:5, <dev-qt/qtnetworkauth-6.7.1:6: badly seeded PRNG may result in guessable values (CVE-2024-36048)
Summary: <dev-qt/qtnetworkauth-5.15.14:5, <dev-qt/qtnetworkauth-6.7.1:6: badly seeded ...
Status: CONFIRMED
Alias: CVE-2024-36048
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.qt.io/blog/security-advis...
Whiteboard: B4 [glsa?]
Keywords:
Depends on: qt-6.7.1-stable qt-5.15.14-stable
Blocks:
  Show dependency tree
 
Reported: 2024-05-21 06:39 UTC by Ionen Wolkens
Modified: 2024-06-09 07:51 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Ionen Wolkens gentoo-dev 2024-05-21 06:39:50 UTC
Release notes for Qt 6.7.1[1] mention having fixed CVE-2024-36048, but Qt has not done a blog post about it (yet) that I can see so have little details beside the CVE's description:

    QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.

And what seems to be the fix[2] for 6.7.1.

6.7.1 is already in-tree, pending stable in ~2 weeks or so if nothing comes up.

5.15.x still needs fixing (figure it may wait until Qt does a blog post w/ patches unless want to try to use 6.7.1's fix).

[1] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.7.1/release-note.md
[2] https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317
Comment 1 Larry the Git Cow gentoo-dev 2024-05-30 12:52:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f41d46c1ea1b4ebb6fccbdc95f126d9420a1237f

commit f41d46c1ea1b4ebb6fccbdc95f126d9420a1237f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-05-30 10:20:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-05-30 12:34:27 +0000

    dev-qt/qtnetworkauth: add 5.15.14
    
    Bug: https://bugs.gentoo.org/932337
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtnetworkauth/Manifest                     |  2 ++
 dev-qt/qtnetworkauth/qtnetworkauth-5.15.14.ebuild | 29 +++++++++++++++++++++++
 2 files changed, 31 insertions(+)
Comment 2 Andreas Sturmlechner gentoo-dev 2024-06-06 16:44:26 UTC
dev-qt/qtnetworkauth-5.15.13 cleanup done.
Comment 3 Larry the Git Cow gentoo-dev 2024-06-08 13:41:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed44f01c4e1b665df660a49429e5ac71780cc969

commit ed44f01c4e1b665df660a49429e5ac71780cc969
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-06-08 05:40:42 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-06-08 13:39:33 +0000

    dev-qt/qtnetworkauth: drop 6.7.0
    
    All done wrt bug #932337
    
    Bug: https://bugs.gentoo.org/932337
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 dev-qt/qtnetworkauth/Manifest                   |  1 -
 dev-qt/qtnetworkauth/qtnetworkauth-6.7.0.ebuild | 15 ---------------
 2 files changed, 16 deletions(-)