Summary: | <dev-qt/qtgui-5.14.2: Use-after-free in QTextMarkdownImporter (CVE-2020-12267) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | bkohler, qt |
Priority: | Normal | Flags: | nattka: sanity-check- |
Version: | unspecified | ||
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=720172 https://bugs.gentoo.org/show_bug.cgi?id=716992 https://bugs.gentoo.org/show_bug.cgi?id=723414 | ||
Whiteboard: | A3 [glsa+ cve] | ||
Package list: |
dev-qt/assistant-5.14.2 amd64 arm64 x86
dev-qt/designer-5.14.2 amd64 arm64 ppc x86
dev-qt/linguist-5.14.2 amd64 arm64 x86
dev-qt/linguist-tools-5.14.2 amd64 arm64 ppc x86
dev-qt/pixeltool-5.14.2 amd64 arm64 x86
dev-qt/qdbus-5.14.2 amd64 arm64 ppc x86
dev-qt/qdbusviewer-5.14.2 amd64 arm64 x86
dev-qt/qdoc-5.14.2 amd64 arm64 x86
dev-qt/qt3d-5.14.2 amd64 arm64 x86
dev-qt/qtbluetooth-5.14.2 amd64 arm64 x86
dev-qt/qtcharts-5.14.2 amd64 arm64 x86
dev-qt/qtconcurrent-5.14.2 amd64 arm64 ppc x86
dev-qt/qtcore-5.14.2 amd64 arm64 ppc x86
dev-qt/qtdatavis3d-5.14.2 amd64 arm64 x86
dev-qt/qtdbus-5.14.2 amd64 arm64 ppc x86
dev-qt/qtdeclarative-5.14.2-r2 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtdiag-5.14.2 amd64 x86
dev-qt/qt-docs-5.14.2_p202003291239 amd64 arm64 x86
dev-qt/qtgamepad-5.14.2 amd64 arm64 x86
dev-qt/qtgraphicaleffects-5.14.2 amd64 arm64 ppc x86
dev-qt/qtgui-5.14.2 amd64 arm64 ppc x86
dev-qt/qthelp-5.14.2 amd64 arm64 ppc x86
dev-qt/qtimageformats-5.14.2 amd64 arm64 x86
dev-qt/qtlocation-5.14.2 amd64 arm64 x86
dev-qt/qtmultimedia-5.14.2 amd64 arm64 ppc x86
dev-qt/qtnetwork-5.14.2 amd64 arm64 ppc x86
dev-qt/qtnetworkauth-5.14.2 amd64 arm64 x86
dev-qt/qtopengl-5.14.2 amd64 arm64 ppc x86
dev-qt/qtpaths-5.14.2 amd64 arm64 ppc x86
dev-qt/qtpositioning-5.14.2 amd64 arm64 ppc x86
dev-qt/qtprintsupport-5.14.2 amd64 arm64 ppc x86
dev-qt/qtquickcontrols2-5.14.2 amd64 arm64 x86
dev-qt/qtquickcontrols-5.14.2 amd64 arm64 ppc x86
dev-qt/qtscript-5.14.2 amd64 arm64 ppc x86
dev-qt/qtscxml-5.14.2 amd64 arm64 x86
dev-qt/qtsensors-5.14.2 amd64 arm64 x86
dev-qt/qtserialport-5.14.2 amd64 arm64 ppc x86
dev-qt/qtspeech-5.14.2 amd64 arm64 x86
dev-qt/qtsql-5.14.2 amd64 arm64 ppc x86
dev-qt/qtsvg-5.14.2 amd64 arm64 ppc x86
dev-qt/qttest-5.14.2 amd64 arm64 ppc x86
dev-qt/qttranslations-5.14.2 amd64 arm64 ppc x86
dev-qt/qtvirtualkeyboard-5.14.2 amd64 arm64 x86
dev-qt/qtwayland-5.14.2 amd64 arm64 ppc x86
dev-qt/qtwebchannel-5.14.2 amd64 arm64 x86
dev-qt/qtwebengine-5.14.2 amd64 arm64 x86
dev-qt/qtwebsockets-5.14.2 amd64 arm64 x86
dev-qt/qtwidgets-5.14.2 amd64 arm64 ppc x86
dev-qt/qtx11extras-5.14.2 amd64 arm64 ppc x86
dev-qt/qtxml-5.14.2 amd64 arm64 ppc x86
dev-qt/qtxmlpatterns-5.14.2 amd64 arm64 ppc x86
kde-apps/dolphin-19.12.3-r1 amd64 arm64 x86
|
Runtime testing required: | --- |
Bug Depends on: | |||
Bug Blocks: | 716822, 721452 |
Description
GLSAMaker/CVETool Bot
2020-04-27 04:51:21 UTC
*** Bug 716992 has been marked as a duplicate of this bug. ***

First-time stabilisations:

dev-qt/qtdiag-5.14.2 amd64 x86 (see bug 718754)
dev-qt/qtcharts-5.14.2 amd64 arm64 x86 (for kuserfeedback, used by plasma-workspace)

Any objections?

(In reply to Andreas Sturmlechner from comment #2)
> First-time stabilisations:
>
> dev-qt/qtdiag-5.14.2 amd64 x86 (see bug 718754)
> dev-qt/qtcharts-5.14.2 amd64 arm64 x86 (for kuserfeedback, used by
> plasma-workspace)
>
> Any objections?

Sounds good to me.

Reason for the regression with horizontal scrollbars appearing when they shouldn't (https://bugs.kde.org/show_bug.cgi?id=419514) was identified as commit a82b1b27 in qtdeclarative, that is still to be fixed before we add arches.

Adding arm and ppc64 ahead of the pack, no stable keyword on qtwebengine so no coordination required.

Sanity check failed:
> dev-qt/qtwebview-5.14.2
> depend arm stable profile default/linux/arm/17.0 (19 total)
> ~dev-qt/qtwebengine-5.14.2
> depend arm dev profile default/linux/arm/17.0/armv4 (35 total)
> ~dev-qt/qtwebengine-5.14.2
> rdepend arm stable profile default/linux/arm/17.0 (19 total)
> ~dev-qt/qtwebengine-5.14.2
> rdepend arm dev profile default/linux/arm/17.0/armv4 (35 total)
> ~dev-qt/qtwebengine-5.14.2
Cleanup some stray entries that should not be in package list.

All sanity-check issues have been resolved

Adding kde-apps/dolphin-19.12.3-r1 which has a fix specifically for Qt 5.14.2, commit 99ec5f37.

arm stable
ppc64 stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Thanks ago, but other arches are not there yet. ;)

*** Bug 718754 has been marked as a duplicate of this bug. ***

Bumping dev-qt/qtdeclarative-5.14.2-r1 for a UI fix.

Arches please stabilise.

If at all possible, please stabilise at the same time with:
bug 720172
bug 723414
bug 716822
bug 723404

amd64 stable

x86 stable

arm64 stable

ppc64 stable

ppc stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bc400dc11d5dae40db820619210e49adff1f4306

commit bc400dc11d5dae40db820619210e49adff1f4306
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-05-30 20:06:48 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-05-30 20:46:00 +0000

dev-qt: Drop Qt 5.14.1 and vulnerable dev-qt/qtgui

Bug: https://bugs.gentoo.org/719732
Package-Manager: Portage-2.3.100, Repoman-2.3.22
Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

dev-qt/assistant/Manifest | 1 -
dev-qt/assistant/assistant-5.14.1.ebuild | 55 ------
dev-qt/designer/Manifest | 1 -
dev-qt/designer/designer-5.14.1.ebuild | 57 -------
dev-qt/linguist-tools/Manifest | 1 -
dev-qt/linguist-tools/linguist-tools-5.14.1.ebuild | 35 ----
dev-qt/linguist/Manifest | 1 -
dev-qt/linguist/linguist-5.14.1.ebuild | 48 ------
dev-qt/pixeltool/Manifest | 1 -
dev-qt/pixeltool/pixeltool-5.14.1.ebuild | 25 ---
dev-qt/qdbus/Manifest | 1 -
dev-qt/qdbus/qdbus-5.14.1.ebuild | 25 ---
dev-qt/qdbusviewer/Manifest | 1 -
dev-qt/qdbusviewer/qdbusviewer-5.14.1.ebuild | 45 -----
dev-qt/qdoc/Manifest | 1 -
dev-qt/qdoc/qdoc-5.14.1.ebuild | 40 -----
dev-qt/qt-docs/Manifest | 54 ------
dev-qt/qt-docs/qt-docs-5.14.1_p202001241012.ebuild | 89 ----------
dev-qt/qt3d/Manifest | 1 -
dev-qt/qt3d/qt3d-5.14.1-r1.ebuild | 34 ----
dev-qt/qtbluetooth/Manifest | 1 -
.../files/qtbluetooth-5.14.1-errno.patch | 25 ---
dev-qt/qtbluetooth/qtbluetooth-5.14.1.ebuild | 35 ----
dev-qt/qtcharts/Manifest | 1 -
dev-qt/qtcharts/qtcharts-5.14.1.ebuild | 29 ----
dev-qt/qtconcurrent/Manifest | 1 -
dev-qt/qtconcurrent/qtconcurrent-5.14.1.ebuild | 23 ---
dev-qt/qtcore/Manifest | 1 -
dev-qt/qtcore/qtcore-5.14.1-r1.ebuild | 85 ----------
dev-qt/qtdatavis3d/Manifest | 1 -
dev-qt/qtdatavis3d/qtdatavis3d-5.14.1-r1.ebuild | 31 ----
dev-qt/qtdbus/Manifest | 1 -
dev-qt/qtdbus/qtdbus-5.14.1.ebuild | 43 -----
dev-qt/qtdeclarative/Manifest | 1 -
.../qtdeclarative/qtdeclarative-5.14.1-r2.ebuild | 53 ------
dev-qt/qtdiag/Manifest | 1 -
dev-qt/qtdiag/qtdiag-5.14.1.ebuild | 36 ----
dev-qt/qtgamepad/Manifest | 1 -
dev-qt/qtgamepad/qtgamepad-5.14.1.ebuild | 35 ----
dev-qt/qtgraphicaleffects/Manifest | 1 -
.../qtgraphicaleffects-5.14.1.ebuild | 21 ---
dev-qt/qtgui/Manifest | 1 -
dev-qt/qtgui/qtgui-5.14.1-r4.ebuild | 184 ---------------------
dev-qt/qthelp/Manifest | 1 -
dev-qt/qthelp/qthelp-5.14.1.ebuild | 29 ----
dev-qt/qtimageformats/Manifest | 1 -
dev-qt/qtimageformats/qtimageformats-5.14.1.ebuild | 30 ----
dev-qt/qtlocation/Manifest | 1 -
dev-qt/qtlocation/qtlocation-5.14.1.ebuild | 45 -----
dev-qt/qtmultimedia/Manifest | 1 -
dev-qt/qtmultimedia/qtmultimedia-5.14.1-r1.ebuild | 68 --------
dev-qt/qtnetwork/Manifest | 1 -
dev-qt/qtnetwork/qtnetwork-5.14.1.ebuild | 60 -------
dev-qt/qtnetworkauth/Manifest | 1 -
dev-qt/qtnetworkauth/qtnetworkauth-5.14.1.ebuild | 20 ---
dev-qt/qtopengl/Manifest | 1 -
dev-qt/qtopengl/qtopengl-5.14.1-r1.ebuild | 34 ----
dev-qt/qtpaths/Manifest | 1 -
dev-qt/qtpaths/qtpaths-5.14.1.ebuild | 23 ---
dev-qt/qtplugininfo/Manifest | 1 -
dev-qt/qtplugininfo/qtplugininfo-5.14.1.ebuild | 23 ---
dev-qt/qtpositioning/Manifest | 1 -
dev-qt/qtpositioning/qtpositioning-5.14.1.ebuild | 40 -----
dev-qt/qtprintsupport/Manifest | 1 -
.../qtprintsupport/qtprintsupport-5.14.1-r1.ebuild | 42 -----
dev-qt/qtquickcontrols/Manifest | 1 -
.../qtquickcontrols/qtquickcontrols-5.14.1.ebuild | 32 ----
dev-qt/qtquickcontrols2/Manifest | 1 -
.../qtquickcontrols2-5.14.1.ebuild | 30 ----
dev-qt/qtscript/Manifest | 1 -
dev-qt/qtscript/qtscript-5.14.1.ebuild | 36 ----
dev-qt/qtscxml/Manifest | 1 -
dev-qt/qtscxml/qtscxml-5.14.1.ebuild | 19 ---
dev-qt/qtsensors/Manifest | 1 -
dev-qt/qtsensors/qtsensors-5.14.1.ebuild | 28 ----
dev-qt/qtserialbus/Manifest | 1 -
dev-qt/qtserialbus/qtserialbus-5.14.1.ebuild | 20 ---
dev-qt/qtserialport/Manifest | 1 -
dev-qt/qtserialport/qtserialport-5.14.1.ebuild | 27 ---
dev-qt/qtspeech/Manifest | 1 -
dev-qt/qtspeech/qtspeech-5.14.1.ebuild | 20 ---
dev-qt/qtsql/Manifest | 1 -
dev-qt/qtsql/qtsql-5.14.1.ebuild | 55 ------
dev-qt/qtsvg/Manifest | 1 -
dev-qt/qtsvg/qtsvg-5.14.1.ebuild | 23 ---
dev-qt/qttest/Manifest | 1 -
dev-qt/qttest/qttest-5.14.1.ebuild | 33 ----
dev-qt/qttranslations/Manifest | 1 -
dev-qt/qttranslations/qttranslations-5.14.1.ebuild | 19 ---
dev-qt/qtvirtualkeyboard/Manifest | 1 -
.../qtvirtualkeyboard-5.14.1.ebuild | 43 -----
dev-qt/qtwayland/Manifest | 1 -
dev-qt/qtwayland/qtwayland-5.14.1-r3.ebuild | 45 -----
dev-qt/qtwebchannel/Manifest | 1 -
dev-qt/qtwebchannel/qtwebchannel-5.14.1.ebuild | 26 ---
dev-qt/qtwebengine/Manifest | 1 -
.../qtwebengine-5.14.1-detect-ninja-1.10.patch | 27 ---
dev-qt/qtwebengine/qtwebengine-5.14.1.ebuild | 130 ---------------
dev-qt/qtwebsockets/Manifest | 1 -
dev-qt/qtwebsockets/qtwebsockets-5.14.1.ebuild | 27 ---
dev-qt/qtwebview/Manifest | 1 -
dev-qt/qtwebview/qtwebview-5.14.1.ebuild | 21 ---
dev-qt/qtwidgets/Manifest | 1 -
dev-qt/qtwidgets/qtwidgets-5.14.1-r1.ebuild | 57 -------
dev-qt/qtx11extras/Manifest | 1 -
dev-qt/qtx11extras/qtx11extras-5.14.1.ebuild | 22 ---
dev-qt/qtxml/Manifest | 1 -
dev-qt/qtxml/qtxml-5.14.1.ebuild | 29 ----
dev-qt/qtxmlpatterns/Manifest | 1 -
dev-qt/qtxmlpatterns/qtxmlpatterns-5.14.1.ebuild | 30 ----
110 files changed, 2373 deletions(-)

arm stable.

Maintainer(s), please cleanup.
Security, please add it to the existing request, or file a new one.

Cleanup was done already. arm was only re-added for a fix revbump.

(In reply to Andreas Sturmlechner from comment #23)
> Cleanup was done already. arm was only re-added for a fix revbump.

excellent, thanks!

Unable to check for sanity:
> no match for package: dev-qt/qtdeclarative-5.14.2-r2
This issue was resolved and addressed in GLSA 202007-38 at https://security.gentoo.org/glsa/202007-38 by GLSA coordinator Sam James (sam_c).