| Summary: | <dev-qt/qtgui-5.15.2-r10: Out of bounds write (CVE-2021-38593) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Sam James <sam> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | ||
| Severity: | normal | CC: | ajak, qt |
| Priority: | Normal | Keywords: | PullRequest, UPSTREAM |
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| See Also: |
https://invent.kde.org/qt/backports-tracker/-/issues/1049 https://invent.kde.org/qt/backports-tracker/-/issues/259 https://invent.kde.org/qt/backports-tracker/-/issues/1024 https://invent.kde.org/qt/qt/qtbase/-/merge_requests/47 https://github.com/gentoo/gentoo/pull/22039 |
||
| Whiteboard: | A3 [glsa+] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 806797 | ||
| Bug Blocks: | |||
|
Description
Sam James
2021-08-16 00:34:45 UTC
Original oss-fuzz bug: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566 Qt commit: https://github.com/qt/qtbase/commit/6b400e3147dcfd8cc3a393ace1bd118c93762e0c KDE patches: https://invent.kde.org/qt/qt/qtbase/-/commit/6b400e3147dcfd8cc3a393ace1bd118c93762e0c then https://invent.kde.org/qt/qt/qtbase/-/commit/84aba80944a2e1c3058d7a1372e0e66676411884 Also depends on: https://invent.kde.org/qt/backports-tracker/-/issues/259 Patches merged upstream. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f01973dc8dbe0b64096e2467f9063976700e1884 commit f01973dc8dbe0b64096e2467f9063976700e1884 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2021-08-15 22:27:19 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2021-08-25 14:35:48 +0000 dev-qt/qtgui: 5.15.2-r10 version bump at KDE c2ea67ec - EAPI-8 - Fix CVE-2021-38593 See also: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566 https://invent.kde.org/qt/qt/qtbase/-/merge_requests/47 Bug: https://bugs.gentoo.org/808531 Closes: https://bugs.gentoo.org/807871 Package-Manager: Portage-3.0.22, Repoman-3.0.3 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> dev-qt/qtgui/Manifest | 1 + dev-qt/qtgui/qtgui-5.15.2-r10.ebuild | 185 +++++++++++++++++++++++++++++++++++ 2 files changed, 186 insertions(+) Please cleanup The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8fe578396ad2fa99ec407cc27cada67d85217b9 commit b8fe578396ad2fa99ec407cc27cada67d85217b9 Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2021-10-17 00:37:32 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2021-10-17 00:40:25 +0000 dev-qt/qtgui: Drop vulnerable 5.15.2-r2 Bug: https://bugs.gentoo.org/808531 Package-Manager: Portage-3.0.28, Repoman-3.0.3 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> dev-qt/qtgui/Manifest | 2 - .../files/qtgui-5.15.2-bogus-xcb-util-dep.patch | 72 -------- dev-qt/qtgui/qtgui-5.15.2-r2.ebuild | 190 --------------------- 3 files changed, 264 deletions(-) This cleanup happened, btw. (In reply to Andreas Sturmlechner from comment #7) > This cleanup happened, btw. Yes, that's why 'cleanup' is no longer in the whiteboard The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=bf99e106687f9b6e6a78ef119c0842d716e4bf86 commit bf99e106687f9b6e6a78ef119c0842d716e4bf86 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2024-02-03 06:19:26 +0000 Commit: John Helmert III <ajak@gentoo.org> CommitDate: 2024-02-03 06:23:18 +0000 [ GLSA 202402-03 ] QtGui: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/808531 Bug: https://bugs.gentoo.org/907119 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: John Helmert III <ajak@gentoo.org> glsa-202402-03.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 44 insertions(+) |