Bug 546174 (CVE-2015-1858, CVE-2015-1859, CVE-2015-1860)

Summary: <dev-qt/qtgui-{4.8.6-r4,5.4.1-r2}: multiple vulnerabilities in image format handling (CVE-2015-{1858,1859,1860})
Product: Gentoo Security
Reporter: Agostino Sarubbo <ago>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: minor
CC: qt
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B3 [glsa cve]
Package list:
Runtime testing required: ---
Bug Depends on: 530238
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2015-04-10 12:43:16 UTC
From https://bugzilla.redhat.com/show_bug.cgi?id=1210675:

Fuzzing test revealed that for certain malformed gif files, the handler would segfault.

Upstream fix: https://codereview.qt-project.org/#/c/108248/
From https://bugzilla.redhat.com/show_bug.cgi?id=1210674:

Fuzzing test revealed that for certain malformed ico files, the handler would segfault.

Upstream fix: https://codereview.qt-project.org/#/c/108312/
From https://bugzilla.redhat.com/show_bug.cgi?id=1210673:

Fuzzing test revealed that for certain malformed bmp files, the handler would segfault.

Upstream fix: https://codereview.qt-project.org/#/c/108312/
@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Davide Pesavento gentoo-dev 2015-04-13 10:05:45 UTC
Upstream announcement: http://lists.qt-project.org/pipermail/announce/2015-April/000067.html
Comment 2 Ben de Groot (RETIRED) gentoo-dev 2015-04-13 10:09:14 UTC
Are we waiting for the next release, or shall we apply the patches?
Comment 3 Davide Pesavento gentoo-dev 2015-04-13 10:18:59 UTC
(In reply to Ben de Groot from comment #2)
> Are we waiting for the next release, or shall we apply the patches?

I have no strong preference either way. Both 4.8.7 and 5.4.2 releases are quite close. Personally I'd apply the patches to 4.8.5 and 4.8.6 (and stabilize the former), but I'd wait for the 5.4.2 release. But please feel free to proceed in whichever way you prefer as I don't have time to do it myself.
Comment 4 Ben de Groot (RETIRED) gentoo-dev 2015-05-07 08:51:53 UTC
+  07 May 2015; Ben de Groot <yngwin@gentoo.org>
+  +files/qtgui-4.8.6-CVE-2015-1858.patch,
+  +files/qtgui-4.8.6-CVE-2015-1860.patch, +qtgui-4.8.6-r4.ebuild:
+  Apply upstream patches for bug #546174. Fixes CVE-2015-1858, CVE-2015-1859,
+  CVE-2015-1860.

This commit fixes it for Qt4. This is a candidate for stabilization in bug #530238. For Qt5 this will be fixed in the upcoming 5.4.2 release.
Comment 5 Michael Palimaka (kensington) gentoo-dev 2015-05-16 18:54:12 UTC
Qt 5 is taken care of too.

+  16 May 2015; Michael Palimaka <kensington@gentoo.org>
+  +files/qtgui-5.4.1-CVE-2015-1858-1859.patch,
+  +files/qtgui-5.4.1-CVE-2015-1860.patch, +qtgui-5.4.1-r2.ebuild,
+  -qtgui-5.4.1-r1.ebuild:
+  Backport patches from upstream to solve CVE-2015-1858, CVE-2015-1859, and
+  CVE-2015-1860 wrt bug #546174.
Comment 6 GLSAMaker/CVETool Bot gentoo-dev 2015-05-16 23:10:03 UTC
CVE-2015-1860 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1860):
  Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x
  before 5.4.2 allow remote attackers to cause a denial of service and
  possibly execute arbitrary code via a crafted GIF image.
Comment 7 Ben de Groot (RETIRED) gentoo-dev 2015-05-17 00:31:39 UTC
(In reply to Michael Palimaka (kensington) from comment #5)
> Qt 5 is taken care of too.

Since there hasn't been a stable Qt5 version yet, no further action is needed from the Qt team.
(except removing 4.8.5 after bug 530238 is taken care of)
Comment 8 GLSAMaker/CVETool Bot gentoo-dev 2015-06-20 17:18:00 UTC
CVE-2015-1859 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1859):
  Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x
  before 5.4.2 allow remote attackers to cause a denial of service and
  possibly execute arbitrary code via a crafted ICO image.

CVE-2015-1858 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1858):
  Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x
  before 5.4.2 allow remote attackers to cause a denial of service and
  possibly execute arbitrary code via a crafted BMP image.
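The NVD entries above name the bug class (buffer overflows triggered by crafted BMP, ICO and GIF files) but not the kind of check that prevents it. A common cause of such crashes is a decoder that uses sizes or offsets declared in the image header without first checking them against the number of bytes actually present. The C program below is an added illustration written for this page of a bounds-checked BMP header validator; it is not Qt's code and does not reproduce the upstream patches linked in this bug. The names (`bmp_parse`, `struct bmp_info`, `build_bmp`, the `demo_*` functions) and the sample images are constructed here.

```c
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Outcome of validating a BMP header (enum constructed for this example). */
enum bmp_status {
    BMP_OK = 0,
    BMP_ERR_SHORT,      /* fewer bytes than the two fixed headers need    */
    BMP_ERR_MAGIC,      /* not "BM"                                       */
    BMP_ERR_DIMS,       /* unsupported or implausible geometry            */
    BMP_ERR_OFFSET,     /* pixel-array offset points outside the buffer   */
    BMP_ERR_TRUNCATED   /* declared pixel array larger than what remains  */
};

struct bmp_info {
    uint32_t width, height, pixel_offset;
    uint16_t bpp;
    size_t   row_bytes, pixel_bytes;
};

/* Little-endian field readers/writers; BMP fields are always little-endian. */
static uint16_t rd16(const uint8_t *p) { return (uint16_t)(p[0] | (p[1] << 8)); }
static uint32_t rd32(const uint8_t *p) {
    return (uint32_t)p[0] | ((uint32_t)p[1] << 8) | ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
}
static void wr16(uint8_t *p, uint16_t v) { p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); }
static void wr32(uint8_t *p, uint32_t v) {
    p[0] = (uint8_t)v; p[1] = (uint8_t)(v >> 8); p[2] = (uint8_t)(v >> 16); p[3] = (uint8_t)(v >> 24);
}

#define BMP_FILE_HDR 14
#define BMP_INFO_HDR 40
#define BMP_MAX_DIM  0x7FFFu   /* cap so row_bytes * height cannot overflow size_t */

/* Validate a BMP (BITMAPINFOHEADER variant) against the bytes actually present.
 * Every header field is read only after checking it exists, and every size or
 * offset taken from the header is checked against `len` before it is used. */
enum bmp_status bmp_parse(const uint8_t *buf, size_t len, struct bmp_info *out)
{
    if (len < BMP_FILE_HDR + BMP_INFO_HDR) return BMP_ERR_SHORT;
    if (buf[0] != 'B' || buf[1] != 'M')   return BMP_ERR_MAGIC;

    uint32_t off      = rd32(buf + 10);
    uint32_t hdr_size = rd32(buf + 14);
    int32_t  w        = (int32_t)rd32(buf + 18);
    int32_t  h        = (int32_t)rd32(buf + 22);   /* negative height = top-down */
    uint16_t planes   = rd16(buf + 26);
    uint16_t bpp      = rd16(buf + 28);

    if (hdr_size < BMP_INFO_HDR || planes != 1)  return BMP_ERR_DIMS;
    if (w <= 0 || h == 0 || h == INT32_MIN)      return BMP_ERR_DIMS;
    uint32_t abs_h = (h < 0) ? (uint32_t)(-h) : (uint32_t)h;
    if ((uint32_t)w > BMP_MAX_DIM || abs_h > BMP_MAX_DIM) return BMP_ERR_DIMS;
    if (bpp != 1 && bpp != 4 && bpp != 8 && bpp != 16 && bpp != 24 && bpp != 32)
        return BMP_ERR_DIMS;

    /* Rows are padded to a 4-byte boundary: ceil(w * bpp / 32) * 4. */
    size_t row_bytes   = (((size_t)w * bpp + 31) / 32) * 4;
    size_t pixel_bytes = row_bytes * abs_h;

    /* The pixel array must start after the headers and inside the buffer ... */
    if (off < BMP_FILE_HDR + BMP_INFO_HDR || off > len) return BMP_ERR_OFFSET;
    /* ... and the whole declared array must fit in the bytes that remain. */
    if (pixel_bytes > len - off) return BMP_ERR_TRUNCATED;

    if (out) {
        out->width = (uint32_t)w; out->height = abs_h; out->bpp = bpp;
        out->pixel_offset = off; out->row_bytes = row_bytes; out->pixel_bytes = pixel_bytes;
    }
    return BMP_OK;
}

/* Write a minimal BMP header into buf (constructed sample input, not a real file). */
static void build_bmp(uint8_t *buf, size_t cap, int32_t w, int32_t h,
                      uint16_t bpp, uint32_t off, uint32_t pixel_bytes)
{
    memset(buf, 0, cap);
    buf[0] = 'B'; buf[1] = 'M';
    wr32(buf + 2, off + pixel_bytes);     /* declared file size */
    wr32(buf + 10, off);                  /* pixel-array offset */
    wr32(buf + 14, BMP_INFO_HDR);
    wr32(buf + 18, (uint32_t)w);
    wr32(buf + 22, (uint32_t)h);
    wr16(buf + 26, 1);                    /* planes */
    wr16(buf + 28, bpp);
}

/* Well-formed 2x2, 24-bpp image: 54 header bytes + 2 rows of 8 bytes = 70 bytes. */
enum bmp_status demo_valid(void)
{
    uint8_t img[128];
    build_bmp(img, sizeof img, 2, 2, 24, 54, 16);
    return bmp_parse(img, 70, NULL);
}

/* Same header, file cut off after 4 pixel bytes: a decoder trusting the header
 * would read 12 bytes past the end of the buffer. */
enum bmp_status demo_truncated(void)
{
    uint8_t img[128];
    build_bmp(img, sizeof img, 2, 2, 24, 54, 16);
    return bmp_parse(img, 54 + 4, NULL);
}

/* Dimensions whose product would overflow a 32-bit size computation. */
enum bmp_status demo_oversized(void)
{
    uint8_t img[128];
    build_bmp(img, sizeof img, 0x40000000, 0x40000000, 32, 54, 0);
    return bmp_parse(img, 54, NULL);
}

/* Pixel-array offset pointing far beyond the end of the data. */
enum bmp_status demo_bad_offset(void)
{
    uint8_t img[128];
    build_bmp(img, sizeof img, 1, 1, 24, 0xFFFFFF00u, 4);
    return bmp_parse(img, 54, NULL);
}

int main(void)
{
    printf("valid=%d truncated=%d oversized=%d bad_offset=%d\n",
           demo_valid(), demo_truncated(), demo_oversized(), demo_bad_offset());
    return 0;
}
```

The four `demo_*` cases cover the inputs a fuzzer typically produces against an image decoder: a sound file, a truncated file, absurd dimensions and a wild offset. The point of the validator is that the only quantity it ever trusts is `len`, the number of bytes the caller actually holds; every header-derived size is compared against it before any pixel is touched.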
Comment 9 Michael Palimaka (kensington) gentoo-dev 2015-10-31 14:46:23 UTC
Affected Qt 4 versions have been removed as well, so no tree versions are affected now.

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f38ee0ac7e073edbf0018b93b78e035081ff595
Comment 10 Kristian Fiskerstrand (RETIRED) gentoo-dev 2015-10-31 14:49:03 UTC
GLSA Vote: No
Comment 11 Stefan Behte (RETIRED) gentoo-dev Security 2015-11-09 22:01:10 UTC
Vote: YES.
Comment 12 Yury German Gentoo Infrastructure gentoo-dev 2015-12-31 05:00:01 UTC
Arches and Maintainer(s), thank you for your work.

GLSA Vote: Yes
New GLSA Request filed.
Comment 13 GLSAMaker/CVETool Bot gentoo-dev 2016-03-12 12:30:25 UTC
This issue was resolved and addressed in GLSA 201603-10 at https://security.gentoo.org/glsa/201603-10 by GLSA coordinator Kristian Fiskerstrand (K_F).