Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 508984 (CVE-2014-0190)

Summary: <dev-qt/qtgui-4.8.5-r2 : NULL pointer dereference in GIF image handler (CVE-2014-0190)
Product: Gentoo Security Reporter: Agostino Sarubbo <ago>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: normal    
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://www.openwall.com/lists/oss-security/2014/04/28/1
Whiteboard: A3 [glsa]
Package list:
Runtime testing required: ---

Description Agostino Sarubbo gentoo-dev 2014-04-28 15:34:38 UTC
From ${URL} :

CVE-2014-0190 describes a NULL pointer dereference flaw in the GIF image 
handler in QtGui. This could cause applications using that library to crash.

Upstream announcement and patches:

http://lists.qt-project.org/pipermail/announce/2014-April/000045.html



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Davide Pesavento gentoo-dev 2014-05-28 01:15:33 UTC
=dev-qt/qtgui-4.8.5-r2 has the patch.

  28 May 2014; Davide Pesavento <pesa@gentoo.org>
  +files/qtgui-4.8.5-dont-crash-on-broken-GIF-images.patch,
  +qtgui-4.8.5-r2.ebuild:
  Apply patch for security bug #508984. Add missing deps.

Please proceed with stabilization.
Comment 2 Sergey Popov gentoo-dev 2014-05-28 13:11:16 UTC
Arches, please test and mark stable 

=dev-qt/qtgui-4.8.5-r2

Target keywords: alpha amd64 arm hppa ia64 ppc ppc64 sparc x86
Comment 3 Jeroen Roovers (RETIRED) gentoo-dev 2014-05-28 15:38:08 UTC
Stable for HPPA.
Comment 4 Tobias Klausmann (RETIRED) gentoo-dev 2014-05-28 17:59:10 UTC
Stable on alpha.
Comment 5 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-05-28 18:04:56 UTC
amd64 stable
Comment 6 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2014-05-28 19:51:21 UTC
x86 stable
Comment 7 boxcars 2014-05-30 20:21:13 UTC
(In reply to Mikle Kolyada from comment #5)
> amd64 stable

After syncing my tree today (30 May), it looks like stabilizations have been reverted, and portage wants to downgrade me to -r1.

KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86 ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~x64-solaris ~x86-solaris"
Comment 8 Davide Pesavento gentoo-dev 2014-05-30 20:31:53 UTC
(In reply to boxcars from comment #7)
> (In reply to Mikle Kolyada from comment #5)
> > amd64 stable
> 
> After syncing my tree today (30 May), it looks like stabilizations have been
> reverted, and portage wants to downgrade me to -r1.
> 
> KEYWORDS="~alpha ~amd64 ~arm ~hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc ~x86
> ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos
> ~x64-macos ~x86-macos ~x64-solaris ~x86-solaris"

Looks good in cvs...

KEYWORDS="alpha amd64 ~arm hppa ~ia64 ~mips ~ppc ~ppc64 ~sparc x86 ~amd64-fbsd ~x86-fbsd ~x86-freebsd ~amd64-linux ~x86-linux ~ppc-macos ~x64-macos ~x86-macos ~x64-solaris ~x86-solaris"

You're probably syncing from an outdated mirror. If you're using the rotation, sync again.
Comment 9 boxcars 2014-05-30 20:44:24 UTC
(In reply to Davide Pesavento from comment #8)
> You're probably syncing from an outdated mirror. If you're using the
> rotation, sync again.

Re-synced and all is well.  Thanks, and sorry for the noise.
Comment 10 Markus Meier gentoo-dev 2014-06-01 12:58:13 UTC
arm stable
Comment 11 Agostino Sarubbo gentoo-dev 2014-06-08 10:42:20 UTC
ia64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2014-06-08 10:45:58 UTC
ppc64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2014-06-08 10:49:17 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2014-06-08 10:51:53 UTC
sparc stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.
Comment 15 Davide Pesavento gentoo-dev 2014-06-08 13:33:12 UTC
Vulnerable version removed. All done for qt@
Comment 16 Yury German Gentoo Infrastructure gentoo-dev 2014-06-09 13:59:17 UTC
Arches and Maintainer(s), Thank you for your work.

New GLSA Request filed.
Comment 17 GLSAMaker/CVETool Bot gentoo-dev 2014-12-13 19:18:17 UTC
This issue was resolved and addressed in
 GLSA 201412-25 at http://security.gentoo.org/glsa/glsa-201412-25.xml
by GLSA coordinator Sean Amoss (ackle).