Bug 530238 (qt-4.8.6-stable)

Summary: Qt 4.8.6-r1 stable request (CVE-2015-1860)
Product: Gentoo Linux
Reporter: Michał Górny <mgorny>
Component: [OLD] Keywording and Stabilization
Assignee: Qt Bug Alias <qt>
Status: RESOLVED FIXED    
Severity: normal CC: anton.wd, bgo, cirilloblu, cschieli, debotux, dirk.olmes, genzilla, kiselev.sg, martijn.schmidt, multilib+disabled, newchief, powerman-asdf, sven.koehler, t-mo, wasundwarum
Priority: Normal Keywords: STABLEREQ
Version: unspecified   
Hardware: All   
OS: Linux   
See Also: https://bugs.gentoo.org/show_bug.cgi?id=543334
Whiteboard:
Package list:
Runtime testing required: ---
Bug Depends on: 524924, 529196, 529398, 532422, 532510, 545106, 545142, 547350, 547998, 548622    
Bug Blocks: 525254, 543326, 546174    

Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-11-23 20:48:23 UTC
Probably quite early but we should start thinking about it. Or dropping stable keywords from the only multilib revdep :).
Comment 1 Davide Pesavento gentoo-dev 2014-11-23 21:51:33 UTC
(In reply to Michał Górny from comment #0)
> Or dropping stable keywords from the only multilib revdep :).

What are you talking about?
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-11-23 22:02:45 UTC
(In reply to Davide Pesavento from comment #1)
> (In reply to Michał Górny from comment #0)
> > Or dropping stable keywords from the only multilib revdep :).
> 
> What are you talking about?

games-kids/crayon-physics is the only stable thing needing multilib Qt4. We can either stabilize Qt4 or drop stable keywords from it to make way for no-emul-linux-x86 stable systems.
Comment 3 Davide Pesavento gentoo-dev 2014-11-23 22:19:31 UTC
It's clearly too early to stabilize 4.8.6-r1, plus there are known regressions.
Please drop that package to ~arch. It should have never gone stable anyway.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-11-23 22:47:19 UTC
(In reply to Davide Pesavento from comment #3)
> It's clearly too early to stabilize 4.8.6-r1, plus there are known
> regressions.
> Please drop that package to ~arch. It should have never gone stable anyway.

Just to be clear, it went stable using emul-linux-x86-qtlibs.
Comment 5 Davide Pesavento gentoo-dev 2015-03-30 10:56:04 UTC
*** Bug 545026 has been marked as a duplicate of this bug. ***
Comment 6 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-03-30 21:23:35 UTC
*** Bug 545098 has been marked as a duplicate of this bug. ***
Comment 7 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-03-30 21:26:41 UTC
*** Bug 545100 has been marked as a duplicate of this bug. ***
Comment 8 Davide Pesavento gentoo-dev 2015-03-30 21:46:59 UTC
I think at this point it's better to CC arches and proceed with the stabilization.
Comment 9 Ben de Groot (RETIRED) gentoo-dev 2015-05-10 12:42:26 UTC
Arches, please test and mark stable:

dev-qt/assistant-4.8.6-r1
dev-qt/designer-4.8.6-r1
dev-qt/linguist-4.8.6-r1
dev-qt/pixeltool-4.8.6-r1
dev-qt/qdbusviewer-4.8.6-r1
dev-qt/qt3support-4.8.6-r1
dev-qt/qtbearer-4.8.6-r1
dev-qt/qtcore-4.8.6-r2
dev-qt/qtdbus-4.8.6-r1
dev-qt/qtdeclarative-4.8.6-r1
dev-qt/qtdemo-4.8.6-r1
dev-qt/qtgui-4.8.6-r4
dev-qt/qthelp-4.8.6-r3
dev-qt/qtmultimedia-4.8.6-r1
dev-qt/qtopengl-4.8.6-r1
dev-qt/qtopenvg-4.8.6-r1
dev-qt/qtphonon-4.8.6-r1
dev-qt/qtscript-4.8.6-r2
dev-qt/qtsql-4.8.6-r1
dev-qt/qtsvg-4.8.6-r1
dev-qt/qttest-4.8.6-r1
dev-qt/qttranslations-4.8.6-r1
dev-qt/qtwebkit-4.8.6-r1
dev-qt/qtxmlpatterns-4.8.6-r1

Some ebuilds have not been keyworded on certain minor arches, so on those arches the specific ebuilds can be skipped.
Comment 10 Ben de Groot (RETIRED) gentoo-dev 2015-05-10 13:02:04 UTC
Note that 4.8.6-r1 is especially important for amd64, because it introduces eclass-based multilib, and has multiple related fixes.

Other arches may opt to wait until 4.8.7, which is expected to be released next week, and for which we will file a stable request within a month after release.
Comment 11 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-05-11 13:56:52 UTC
(In reply to Ben de Groot from comment #9)
> Arches, please test and mark stable:
> 
> dev-qt/assistant-4.8.6-r1
> dev-qt/designer-4.8.6-r1
> dev-qt/linguist-4.8.6-r1
> dev-qt/pixeltool-4.8.6-r1
> dev-qt/qdbusviewer-4.8.6-r1
> dev-qt/qt3support-4.8.6-r1
> dev-qt/qtbearer-4.8.6-r1
> dev-qt/qtcore-4.8.6-r2
> dev-qt/qtdbus-4.8.6-r1
> dev-qt/qtdeclarative-4.8.6-r1
> dev-qt/qtdemo-4.8.6-r1
> dev-qt/qtgui-4.8.6-r4
> dev-qt/qthelp-4.8.6-r3
> dev-qt/qtmultimedia-4.8.6-r1
> dev-qt/qtopengl-4.8.6-r1
> dev-qt/qtopenvg-4.8.6-r1
> dev-qt/qtphonon-4.8.6-r1
> dev-qt/qtscript-4.8.6-r2
> dev-qt/qtsql-4.8.6-r1
> dev-qt/qtsvg-4.8.6-r1
> dev-qt/qttest-4.8.6-r1
> dev-qt/qttranslations-4.8.6-r1
> dev-qt/qtwebkit-4.8.6-r1
> dev-qt/qtxmlpatterns-4.8.6-r1
> 
> Some ebuilds have not been keyworded on certain minor arches, so on those
> arches the specific ebuilds can be skipped.

++ dev-qt/qtchooser
Comment 12 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-05-11 15:03:29 UTC
amd64 stable
Comment 13 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-05-15 12:59:03 UTC
x86 stable
Comment 14 Jeroen Roovers (RETIRED) gentoo-dev 2015-05-16 10:12:05 UTC
Stable for HPPA PPC64.
Comment 15 Pacho Ramos gentoo-dev 2015-05-16 11:35:33 UTC
ppc stable
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-05-16 23:07:49 UTC
CVE-2015-1860 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1860):
  Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x
  before 5.4.2 allow remote attackers to cause a denial of service and
  possibly execute arbitrary code via a crafted GIF image.
Comment 17 Markus Meier gentoo-dev 2015-05-30 11:07:48 UTC
arm stable
Comment 18 Tobias Klausmann (RETIRED) gentoo-dev 2015-07-05 21:17:57 UTC
Stable on alpha. Removed associated mask.
Comment 19 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-08-06 14:03:36 UTC
ia64 stable
Comment 20 Mikle Kolyada (RETIRED) archtester Gentoo Infrastructure gentoo-dev Security 2015-10-18 09:42:15 UTC
sparc stable.
Comment 21 Davide Pesavento gentoo-dev 2015-10-18 20:34:57 UTC
Awesome, that was the last arch; therefore we can finally close this bug.

Removal of the vulnerable version(s) will be handled in bug 546174.