| Summary: | <dev-qt/qtcore-4.8.5-r1 : QXmlSimpleReader XML Entity Expansion Denial of Service Vulnerability (CVE-2013-4549) | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | mihais23 |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| URL: | http://secunia.com/advisories/56008/ | | |
| Whiteboard: | B3 [glsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 491138 | | |
| Bug Blocks: | | | |
Description
Agostino Sarubbo
There is a patch, submitted in Qt's gerrit for 4.8 branch

@pesa: as I understand we will wait for upstream approval, huh?

(In reply to Sergey Popov from comment #1)
> There is a patch, submitted in Qt's gerrit for 4.8 branch
>
> @pesa: as I understand we will wait for upstream approval, huh?

I don't know what you're talking about. The fix for 4.8 (https://codereview.qt-project.org/71010) has already been approved and merged upstream.

(In reply to Davide Pesavento from comment #2)
> (In reply to Sergey Popov from comment #1)
> > There is a patch, submitted in Qt's gerrit for 4.8 branch
> >
> > @pesa: as I understand we will wait for upstream approval, huh?
>
> I don't know what you're talking about. The fix for 4.8
> (https://codereview.qt-project.org/71010) has already been approved and
> merged upstream.

Meh, just get lost with Gerrit :-)

So, will we roll out a new revision?

I think we have to backport both cecceb0cdd87482124a73ecf537f3445d68be13e and 512a1ce0698d370c313bb561bbf078935fa0342e from the 4.8 branch

*qtcore-4.8.5-r1 (28 Dec 2013)

    28 Dec 2013; Davide Pesavento <pesa@gentoo.org>
    +files/CVE-2013-4549-01-disallow-deep-or-widely-nested-entity-refs.patch,
    +files/CVE-2013-4549-02-fully-expand-entities.patch, +qtcore-4.8.5-r1.ebuild:
    Apply upstream patches for CVE-2013-4549.

Since build is in tree, changing whiteboard to ebuild. Maintainer(s), please drop the vulnerable versions when you have enough testing done.

Sorry, my mistake... should have been: Maintainers, please advise when ready for stabilization.

Ready for stabilization. Please note that alpha/ia64/sparc have to stabilize all other 4.8.5 packages too (see bug 488536)

Moved all unresolved dependencies from bug #488536 to this one

Arches, please test and mark stable =dev-qt/qtcore-4.8.5-r1
Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86

amd64 stable

x86 stable

Stable for HPPA.

ppc stable

ppc64 stable

arm stable

sparc stable

alpha stable

ia64 stable. Maintainer(s), please cleanup. Security, please vote.

(In reply to Agostino Sarubbo from comment #18)
> Maintainer(s), please cleanup.

Cleanup done. Thanks for your work, arches

GLSA vote: yes

GLSA vote: yes. glsa request filed.

This issue was resolved and addressed in GLSA 201403-04 at http://security.gentoo.org/glsa/glsa-201403-04.xml by GLSA coordinator Mikle Kolyada (Zlogene).
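As an added example, separate from this bug and not Qt's QXmlSimpleReader code or the referenced upstream patches, the Python below shows the shape of the mitigation that the first patch name describes ("disallow deep or widely nested entity refs"): an entity expander that refuses a document whose entity references nest too deeply, resolve too many times, or produce too much text, instead of expanding until memory runs out. The DOCTYPE and ENTITY handling is a deliberately minimal toy (double-quoted general entities in the internal subset only), the `Limits` defaults and the `nested_doc` test input are constructed for this example, and none of the values correspond to the limits upstream actually chose.

```python
"""Toy XML internal-subset entity expander with nesting/width/size limits.

Illustrative code for CVE-2013-4549-style entity expansion DoS; not Qt code.
Limit values are assumptions, not the limits chosen by the upstream patches.
"""
import re
from dataclasses import dataclass

DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')


class EntityExpansionError(ValueError):
    """Raised when expanding the document would exceed a configured limit."""


@dataclass(frozen=True)
class Limits:
    max_depth: int = 8        # deepest allowed entity-within-entity chain (assumed value)
    max_refs: int = 1000      # total references resolved for one document (assumed value)
    max_size: int = 100_000   # total characters produced by expansion (assumed value)


def parse_internal_subset(doc: str) -> dict:
    """Collect <!ENTITY name "value"> declarations from the DOCTYPE internal subset."""
    m = DOCTYPE.search(doc)
    return dict(ENTITY_DECL.findall(m.group(1))) if m else {}


def expand(text: str, entities: dict, limits: Limits = Limits()) -> str:
    """Replace &name; references in text, recursively, enforcing the limits."""
    refs = 0        # "wide" nesting: how many references were resolved in total
    produced = 0    # how much text expansion has generated so far

    def _expand(s: str, depth: int) -> str:
        nonlocal refs, produced
        if depth > limits.max_depth:   # "deep" nesting, also catches self-referencing entities
            raise EntityExpansionError(f"entity nesting deeper than {limits.max_depth}")
        out, pos = [], 0
        for m in ENTITY_REF.finditer(s):
            out.append(s[pos:m.start()])
            pos = m.end()
            name = m.group(1)
            if name not in entities:
                out.append(m.group(0))  # predefined or unknown entity: left untouched
                continue
            refs += 1
            if refs > limits.max_refs:
                raise EntityExpansionError(f"more than {limits.max_refs} entity references")
            value = _expand(entities[name], depth + 1)
            produced += len(value)  # nested output is counted at every level: deliberately conservative
            if produced > limits.max_size:
                raise EntityExpansionError(f"expansion exceeds {limits.max_size} characters")
            out.append(value)
        out.append(s[pos:])
        return "".join(out)

    return _expand(text, 0)


def expand_document(doc: str, limits: Limits = Limits()) -> str:
    """Expand entity references in the part of doc that follows its DOCTYPE."""
    entities = parse_internal_subset(doc)
    m = DOCTYPE.search(doc)
    body = doc[m.end():] if m else doc
    return expand(body, entities, limits)


def is_rejected(doc: str, limits: Limits = Limits()) -> bool:
    """True if the expander refuses the document under the given limits."""
    try:
        expand_document(doc, limits)
    except EntityExpansionError:
        return True
    return False


def nested_doc(levels: int) -> str:
    """Constructed test input: e0 is "x"; each e{i} references e{i-1} twice."""
    decls = ['<!ENTITY e0 "x">']
    for i in range(1, levels + 1):
        decls.append(f'<!ENTITY e{i} "&e{i-1};&e{i-1};">')
    return f'<!DOCTYPE r [{"".join(decls)}]><r>&e{levels};</r>'


# Constructed benign document: two entities, one referencing the other.
BENIGN_DOC = ('<!DOCTYPE r [<!ENTITY co "Example Corp">'
              '<!ENTITY hi "Hello, &co;!">]><r>&hi; &co;</r>')

if __name__ == "__main__":
    print(expand_document(BENIGN_DOC))
    print(expand_document(nested_doc(5)))
    print(is_rejected(nested_doc(12)), is_rejected(nested_doc(5), Limits(max_refs=50)))
```

Three independent limits are checked because each catches a different shape of input: `max_depth` stops long or cyclic reference chains, `max_refs` stops shallow documents that reference a large entity a great many times, and `max_size` is the backstop that bounds the output regardless of how the references are arranged.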