Bug 185446

Comment 1 Sune Kloppenborg Jeppesen (RETIRED) 2007-07-15 19:35:33 UTC

Created attachment 124945 [details, diff]
CVE-2007-3388.diff

Patch for issue reported by Tracey Parry of Portcullis Computer Security Ltd.

Comment 2 Sune Kloppenborg Jeppesen (RETIRED) 2007-07-15 19:37:05 UTC

Created attachment 124947 [details, diff]
format-warnings.diff

Reported by Dirk Mueller.

Comment 3 Sune Kloppenborg Jeppesen (RETIRED) 2007-07-15 19:40:36 UTC

Caleb please advise. Do NOT commit anything yet. Instead you can attach updated ebuilds to this bug for prestable testing if needed.

Comment 4 Caleb Tennis (RETIRED) 2007-07-15 20:06:27 UTC

both patches look mostly harmless to me.  99% of them just affect debugging output, which shouldn't matter to anyone really.  The very last line on the format-warning.diff seems to affect reverseable layouts, which might cause an impact to someone who uses a right-to-left language, but I don't have any way to test that particular feature.

In short: the patches look completely fine to me.

Comment 5 Sune Kloppenborg Jeppesen (RETIRED) 2007-07-15 20:25:34 UTC

Thx Caleb. Do you want prestable arch testing or should we just wait until the issues go public?

Comment 6 Caleb Tennis (RETIRED) 2007-07-15 20:44:56 UTC

I don't see any fixes in here that would affect any arches at all, really, so I think we're okay to wait.

Comment 7 Caleb Tennis (RETIRED) 2007-07-16 11:26:11 UTC

also, since qt-4.3.0 is ready for a stablization request for the arches anyway, we can just tie these patches with a normal stablization request.  I'm not sure if these will work against the qt-4.2 series, but it may not be necessary to even worry about that.

Comment 8 Sune Kloppenborg Jeppesen (RETIRED) 2007-07-16 19:38:00 UTC

The initial report for CVE-2007-3388 said to affect qt-3 only. So I guess we're going directly to stable on qt-3 once the release date is reached?

Comment 9 Caleb Tennis (RETIRED) 2007-07-16 20:05:08 UTC

oh, didn't realize it was qt3 only.  in any case, no problem going straight to stable with the patches.

Comment 10 Sune Kloppenborg Jeppesen (RETIRED) 2007-07-22 08:08:40 UTC

Created attachment 125619 [details, diff]
qt_patch.diff

Upstream patch.

Comment 11 Sune Kloppenborg Jeppesen (RETIRED) 2007-07-29 21:00:05 UTC

Caleb, did you see any public information about this yet? Disclosure date should have been friday, I wonder wether it was postponed.

Comment 12 Pierre-Yves Rofes (RETIRED) 2007-08-02 18:19:44 UTC

*** Bug 187465 has been marked as a duplicate of this bug. ***

Comment 13 Pierre-Yves Rofes (RETIRED) 2007-08-02 18:25:46 UTC

this is public now, sorry for the delay.
Arches, please test and mark stable:
qt-3.3.8-r3  and qt-4.3.0-r1 (target "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86 ~x86-fbsd"

Comment 14 Markus Rothe (RETIRED) 2007-08-02 18:34:37 UTC

ppc64 stable

Comment 15 Lars Wendler (Polynomial-C) (RETIRED) 2007-08-02 20:38:09 UTC

How about updating the qt.eclass as well when you throw a new qt ebuild into portage?

Currently I get circular dependency errors when updating world because 3.3.8-r3 is not listed in the QT3VERSIONS variable of qt.eclass...

Comment 16 Lars Wendler (Polynomial-C) (RETIRED) 2007-08-02 20:43:22 UTC

Of course I mean qt3.eclass.

Comment 17 Christian Faulhammer (RETIRED) 2007-08-02 21:19:46 UTC

x86 stable and qt3.eclass has been fixed by carlo, thanks.

Comment 18 Thomas Anderson (tanderson) (RETIRED) 2007-08-03 00:00:49 UTC

====amd64====

All looks good here. Building kdelibs against qt-3.3.8-r3 works fine.
Is there anything additional to test so that I know that the vulnerability itself is fixed?

Portage 2.1.2.9 (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.5-r4, 2.6.20-gentoo-r7 x86_64)
=================================================================
System uname: 2.6.20-gentoo-r7 x86_64 unknown
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 02 Aug 2007 19:01:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.21
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=athlon64 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon64 -O2 -pipe"
DISTDIR="/distfiles"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test userpriv"
GENTOO_MIRRORS="http://mirrors.acm.cs.rpi.edu/gentoo/ http://distfiles.gentoo.org/"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/overlay"
SYNC="rsync://kv80/gentoo-portage"
USE="X acl aiglx aim amd64 berkdb bitmap-fonts branding cli cracklib crypt cups dri fortran gdbm gpm gtk iconv imap ipv6 isdnlog libg++ midi mmx mpeg3 mudflap ncurses nls nptl nptlonly nvidia opengl openmp pam pcre perl pppd python qt3 readline reflection session sockets spl sqlite3 sse sse2 ssl tcpd test truetype-fonts type1-fonts unicode vim xcomposite xine xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, LINGUAS, PORTAGE_COMPRESS, PORTAGE_COMPRESS_FLAGS, PORTAGE_RSYNC_EXTRA_OPTS

Comment 19 Tristan Heaven (RETIRED) 2007-08-03 03:57:37 UTC

/usr/portage/x11-libs/qt/qt-4.3.0-r1.ebuild: line 122: epatch/usr/portage/x11-libs/qt/files/0185-fix-format-strings.diff: No such file or directory

Try again.

Comment 20 Jakub Moc (RETIRED) 2007-08-03 07:34:17 UTC

Yeah, Bug 187552... No point in stabilizing this ATM, plus it will IMO require another revbump because users silently failed to get the right patch for this issue w/ 4.3.0-r1 :(

Comment 21 Gustavo Zacarias (RETIRED) 2007-08-03 13:43:20 UTC

sparc stable.

Comment 22 Carsten Lohrke (RETIRED) 2007-08-03 23:45:04 UTC

Sorry for the typo guys, please do qt-3.3.8-r3 (if you didn't already) and qt-4.3.0-r2.

Comment 23 Tobias Scherbaum (RETIRED) 2007-08-04 10:17:12 UTC

ppc stable

Comment 24 Raúl Porcel (RETIRED) 2007-08-05 14:42:26 UTC

alpha/ia64/x86 stable

Comment 25 Gustavo Zacarias (RETIRED) 2007-08-06 12:49:20 UTC

sparc stable.

Comment 26 Steve Dibb (RETIRED) 2007-08-12 14:51:52 UTC

amd64 stable

Comment 27 Jeroen Roovers (RETIRED) 2007-08-15 14:24:29 UTC

Both stable for HPPA.

Comment 28 Raphael Marichez (Falco) (RETIRED) 2007-08-22 22:42:19 UTC

GLSA 200708-16, sorry for the delay