|Summary:||x11-libs/qt convertToUnicode Off-by-one Buffer overflow (CVE-2007-4137)|
|Product:||Gentoo Security||Reporter:||Robert Buchholz (RETIRED) <rbu>|
|Component:||Vulnerabilities||Assignee:||Gentoo Security <security>|
|Severity:||major||CC:||christian.korff, kde, qt, sebastian_ml|
|Package list:||Runtime testing required:||---|
|Bug Depends on:||192134|
Description Robert Buchholz (RETIRED) 2007-09-14 00:24:30 UTC
Dirk Mueller (KDE) discovered an Off-by-one Buffer overflow that could lead to the execution of arbitrary code or denial of service for Qt applications using malicious unicode input. All versions in portage are affected. Patches here: Qt3: http://dist.trolltech.com/developer/download/175791_3.diff Qt4: http://dist.trolltech.com/developer/download/175791_4.diff Upstream will release these patches as part of their next maintenance release.
Comment 1 Robert Buchholz (RETIRED) 2007-09-14 00:26:34 UTC
Setting whiteboard and cc'ing maintainers. qt, please provide a updated ebuilds.
Comment 2 Tobias Heinlein (RETIRED) 2007-09-14 16:06:02 UTC
CC'ing kde herd as per Philantrop's request.
Comment 3 Caleb Tennis (RETIRED) 2007-09-14 16:50:09 UTC
my vote is to patch qt3 and qt4 and directly bump to stable without having to call in the arch teams. there's nothing intrusive about these patches whatsoever that would necessitate needing the arch teams to need to test. does anyone object to that?
Comment 4 Wulf Krueger (RETIRED) 2007-09-14 17:26:49 UTC
(In reply to comment #3) > does anyone object to that? May I say that I *agree* with your suggestion instead? ;)
Comment 5 Pierre-Yves Rofes (RETIRED) 2007-09-14 20:35:44 UTC
given the content of the patchs, I agree too.
Comment 6 Robert Buchholz (RETIRED) 2007-09-14 21:04:10 UTC
Quoting Dirk Mueller who discovered this: It is not exploitable with Qt 4.x or above because there is an additional QChar(0) being allocated in QString, however it is still a bug there, as the array returned by utf16() etc is no longer terminated properly. So this needs fixing for Qt3, but not necessarily for Qt4. If we do a stable bump, fixing it for Qt4 too doesn't cost too much either though.
Comment 7 Caleb Tennis (RETIRED) 2007-09-14 21:31:06 UTC
ok, I've added qt-3.3.8-r4 and qt-4.3.1-r1 applying both of these patches ppc is the only non-stable arch we need for 4.3.1-r1. mips is unstable for 3.3.8-r*, but we haven't heard from them in years so I doubt notifying of them of this is going to help.
Comment 8 Robert Buchholz (RETIRED) 2007-09-14 21:50:17 UTC
(In reply to comment #7) > ppc is the only non-stable arch we need for 4.3.1-r1. mips is unstable for > 3.3.8-r*, but we haven't heard from them in years so I doubt notifying of them > of this is going to help. Thanks a lot for taking care so fast. I'll leave a comment at bug 192134 for ppc. mips, please stabilize qt-3.3.8-r4 if appropriate.
Comment 9 Robert Buchholz (RETIRED) 2007-09-14 21:52:25 UTC
Comment 10 Robert Buchholz (RETIRED) 2007-09-15 10:45:49 UTC
All arches but mips are stable. This is ready for a GLSA.
Comment 11 Sebastian 2007-09-15 11:06:27 UTC
Anyone checked whether these patches collide with the utf8-bug patches? I'm wondering because they do work on the same code snippet. Regards Sebastian
Comment 12 Caleb Tennis (RETIRED) 2007-09-15 11:21:29 UTC
they both apply properly on my machine
Comment 13 Christian Korff 2007-09-15 18:28:04 UTC
Will there be also a patch for 3.3.4? I depend on 3.3.4 since qt 3.3.8 and Gentoo hardened have some problems. see bug #175996 for a description. So I would very happy for a supported 3.3.4 ebuild.
Comment 14 Robert Buchholz (RETIRED) 2007-09-16 04:02:08 UTC
(In reply to comment #13) > Will there be also a patch for 3.3.4? That version is also unfixed for bug 172746 and bug 185446, so we either do this right or not at all. Besides that, it's the decision of the qt herd / the hardened people.
Comment 15 Caleb Tennis (RETIRED) 2007-09-25 13:02:13 UTC
I'm leaving it open to the hardened folks. Any patching that needs to be done to 3.3.4 is fine by me.
Comment 16 Raphael Marichez (Falco) (RETIRED) 2007-10-25 22:13:23 UTC
GLSA 200710-28 - sorry for the dealy