Bug 948573 (CVE-2025-23050) - dev-qt/qtbluetooth:5, <dev-qt/qtconnectivity-6.8.1-r1:6: read past the end of the buffer and division by zero errors in QLowEnergyController
Summary: dev-qt/qtbluetooth:5, <dev-qt/qtconnectivity-6.8.1-r1:6: read past the end of...
Status: CONFIRMED
Alias: CVE-2025-23050
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.qt.io/blog/security-advis...
Whiteboard: B2 [glsa?]
Keywords: PullRequest
Depends on: 948593
Blocks:
Reported: 2025-01-22 09:50 UTC by Ionen Wolkens
Modified: 2025-03-20 20:38 UTC

See Also:
Package list:
Runtime testing required: ---
Description Ionen Wolkens gentoo-dev 2025-01-22 09:50:55 UTC
CVE-2025-23050:
QLowEnergyController on Linux has a BlueZ DBus and a Bluetooth Kernel API backend. When using the Bluetooth Kernel API backend of QLowEnergyController, QtBluetooth creates a Bluetooth L2CAP socket to establish a connection with an external Bluetooth Low Energy device. After that, the external device can send malformed Bluetooth ATT commands to trigger read past the end of the buffer and division by zero errors. The problem is relevant for both central and peripheral roles.
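The bug class described in the CVE text above, as an added illustration that is neither Qt's code nor the patch referenced in this bug: a hardened parser for one ATT PDU shape, the Read By Type Response, whose per-element length byte is fully controlled by the remote device. The PDU layout follows the Bluetooth ATT specification; the sample PDUs are constructed for the example.

```cpp
#include <cstdint>
#include <optional>
#include <utility>
#include <vector>

// ATT Read By Type Response (opcode 0x09): [opcode][length][attribute data list]
// Each list element is `length` bytes: a 2-byte little-endian handle then the value.
// A naive parser computing count = (pduSize - 2) / length on untrusted input hits
//   (1) division by zero when length == 0, and
//   (2) a read past the end of the buffer when (pduSize - 2) % length != 0.
struct AttElement { uint16_t handle; std::vector<uint8_t> value; };

static constexpr uint8_t kReadByTypeResponse = 0x09;

std::optional<std::vector<AttElement>> parseReadByTypeResponse(const std::vector<uint8_t>& pdu)
{
    // Both header bytes must exist before either is read.
    if (pdu.size() < 2 || pdu[0] != kReadByTypeResponse)
        return std::nullopt;
    const size_t elemLen = pdu[1];
    const size_t payload = pdu.size() - 2;
    // Reject malformed shapes before any arithmetic depends on them.
    if (elemLen < 2)                              // handle alone is 2 bytes; also blocks /0
        return std::nullopt;
    if (payload == 0 || payload % elemLen != 0)   // empty list or partial trailing element
        return std::nullopt;
    std::vector<AttElement> out;
    for (size_t off = 2; off + elemLen <= pdu.size(); off += elemLen) {
        AttElement e;
        e.handle = static_cast<uint16_t>(pdu[off] | (pdu[off + 1] << 8));
        e.value.assign(pdu.begin() + off + 2, pdu.begin() + off + elemLen);
        out.push_back(std::move(e));
    }
    return out;
}

// Constructed sample PDUs (not captured from a real device).
const std::vector<uint8_t> kGoodPdu   = {0x09, 0x04, 0x01, 0x00, 0xAA, 0xBB, 0x02, 0x00, 0xCC, 0xDD};
const std::vector<uint8_t> kZeroLen   = {0x09, 0x00, 0x01, 0x00};        // length 0: would divide by zero
const std::vector<uint8_t> kShortTail = {0x09, 0x04, 0x01, 0x00, 0xAA};  // 3 payload bytes, length 4

int main()
{
    return parseReadByTypeResponse(kGoodPdu) && !parseReadByTypeResponse(kZeroLen)
        && !parseReadByTypeResponse(kShortTail) ? 0 : 1;
}
```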
Comment 1 Larry the Git Cow gentoo-dev 2025-01-22 09:55:16 UTC
The bug has been closed via the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=90489eceafb66c962bd4f1b48624756590b9a234

commit 90489eceafb66c962bd4f1b48624756590b9a234
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2025-01-22 09:51:51 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2025-01-22 09:54:31 +0000

    dev-qt/qtconnectivity: fix CVE-2025-23050
    
    Considered waiting for 6.8.2 given release date is "tomorrow",
    but odds are it'll be delayed and it'll let us stabilize this
    separately either way.
    
    Closes: https://bugs.gentoo.org/948573
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 .../qtconnectivity-6.8.1-CVE-2025-23050.patch      | 210 +++++++++++++++++++++
 .../qtconnectivity/qtconnectivity-6.8.1-r1.ebuild  |  89 +++++++++
 2 files changed, 299 insertions(+)
Comment 2 Larry the Git Cow gentoo-dev 2025-01-22 23:52:27 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=29c9a13aced01abfb2f9de90554940d0f7323b29

commit 29c9a13aced01abfb2f9de90554940d0f7323b29
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2025-01-22 17:11:26 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2025-01-22 23:51:48 +0000

    profiles: Mask dev-qt/qtbluetooth:5 for removal
    
    Bug: https://bugs.gentoo.org/948573
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 profiles/package.mask | 4 ++++
 1 file changed, 4 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2025-01-27 23:38:43 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c419842ec21a5915270825e2664e4421d30e8f69

commit c419842ec21a5915270825e2664e4421d30e8f69
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2025-01-27 23:37:14 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2025-01-27 23:37:38 +0000

    dev-qt/qtconnectivity: drop 6.8.1
    
    Bug: https://bugs.gentoo.org/948573
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 dev-qt/qtconnectivity/qtconnectivity-6.8.1.ebuild | 85 -----------------------
 1 file changed, 85 deletions(-)
Comment 4 Rick Harris 2025-02-08 12:28:31 UTC
I might've missed some important URL detailing this but since the previous version has been deleted and the new version hard masked...

What's the upgrade/use alternative for those already using bluetooth on Plasma in the meantime?

Boot into a different OS/distro/desktop until Gentoo catches up?

Hard unmask?

Thanks :)
Comment 5 Andreas Sturmlechner gentoo-dev 2025-02-08 17:29:26 UTC
Input not understood at all.
Comment 6 Ionen Wolkens gentoo-dev 2025-02-09 05:42:01 UTC
(In reply to Rick Harris from comment #4)
> I might've missed some important URL detailing this but since the previous
> version has been deleted and the new version hard masked...
dev-qt/qtconnectivity:6 with USE=bluetooth is the new one and it's not masked
Comment 7 Ionen Wolkens gentoo-dev 2025-02-09 05:44:04 UTC
(In reply to Ionen Wolkens from comment #6)
> (In reply to Rick Harris from comment #4)
> > I might've missed some important URL detailing this but since the previous
> > version has been deleted and the new version hard masked...
> dev-qt/qtconnectivity:6 with USE=bluetooth is the new one and it's not masked
...and as the topic says, the vulnerability is fixed in qtconnectivity-6.8.1-r1 (stable) and 6.8.2 (~testing)
Comment 8 Rick Harris 2025-02-10 06:12:41 UTC
Apologies, thanks for clarification, am a bit slow of late :p
Comment 9 Larry the Git Cow gentoo-dev 2025-02-22 14:33:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b530de433dbb89776c5874f6ad1ca5a0c2dc47f5

commit b530de433dbb89776c5874f6ad1ca5a0c2dc47f5
Author:     Arthur Zamarin <arthurzam@gentoo.org>
AuthorDate: 2025-02-22 14:33:12 +0000
Commit:     Arthur Zamarin <arthurzam@gentoo.org>
CommitDate: 2025-02-22 14:33:12 +0000

    dev-qt/qtbluetooth: treeclean
    
    Bug: https://bugs.gentoo.org/948573
    Closes: https://bugs.gentoo.org/853064 (pkgremoved)
    Signed-off-by: Arthur Zamarin <arthurzam@gentoo.org>

 dev-qt/qtbluetooth/Manifest                   |  2 --
 dev-qt/qtbluetooth/metadata.xml               | 20 ----------------
 dev-qt/qtbluetooth/qtbluetooth-5.15.16.ebuild | 34 ---------------------------
 profiles/package.mask                         |  4 ----
 4 files changed, 60 deletions(-)