Summary: | <dev-qt/qtgui-{4.8.6-r4,5.4.1-r2}: multiple vulnerabilities in image format handling (CVE-2015-{1858,1859,1860}) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | Agostino Sarubbo <ago> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | minor | CC: | qt |
Priority: | Normal | ||
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
Whiteboard: | B3 [glsa cve] | ||
Package list: | Runtime testing required: | --- | |
Bug Depends on: | 530238 | ||
Bug Blocks: |
Description
Agostino Sarubbo
2015-04-10 12:43:16 UTC
Upstream announcement: http://lists.qt-project.org/pipermail/announce/2015-April/000067.html Are we waiting for the next release, or shall we apply the patches? (In reply to Ben de Groot from comment #2) > Are we waiting for the next release, or shall we apply the patches? I have no strong preference either way. Both 4.8.7 and 5.4.2 releases are quite close. Personally I'd apply the patches to 4.8.5 and 4.8.6 (and stabilize the former), but I'd wait for the 5.4.2 release. But please feel free to proceed in whichever way you prefer as I don't have time to do it myself. + 07 May 2015; Ben de Groot <yngwin@gentoo.org> + +files/qtgui-4.8.6-CVE-2015-1858.patch, + +files/qtgui-4.8.6-CVE-2015-1860.patch, +qtgui-4.8.6-r4.ebuild: + Apply upstream patches for bug #546174. Fixes CVE-2015-1858, CVE-2015-1859, + CVE-2015-1860. This commit fixes it for Qt4. This is a candidate for stabilization in bug #530238. For Qt5 this will be fixed in the upcoming 5.4.2 release. Qt 5 is taken care of too. + 16 May 2015; Michael Palimaka <kensington@gentoo.org> + +files/qtgui-5.4.1-CVE-2015-1858-1859.patch, + +files/qtgui-5.4.1-CVE-2015-1860.patch, +qtgui-5.4.1-r2.ebuild, + -qtgui-5.4.1-r1.ebuild: + Backport patches from upstream to solve CVE-2015-1858, CVE-2015-1859, and + CVE-2015-1860 wrt bug #546174. CVE-2015-1860 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1860): Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted GIF image. (In reply to Michael Palimaka (kensington) from comment #5) > Qt 5 is taken care of too. Since there hasn't been a stable Qt5 version yet, no further action is needed from the Qt team. (except removing 4.8.5 after bug 530238 is taken care of) CVE-2015-1859 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1859): Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted ICO image. CVE-2015-1858 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1858): Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted BMP image. Affected Qt 4 versions have been removed as well, so no tree versions are affected now. https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f38ee0ac7e073edbf0018b93b78e035081ff595 GLSA Vote: No Vote: YES. Arches and Maintainer(s), Thank you for your work. GLSA Vote: Yes New GLSA Request filed. This issue was resolved and addressed in GLSA 201603-10 at https://security.gentoo.org/glsa/201603-10 by GLSA coordinator Kristian Fiskerstrand (K_F). |