Bug 906465 (CVE-2023-32573)

Summary:	<dev-qt/qtsvg-5.15.9-r1: Uninitialized variable usage in m_unitsPerEm
Product:	Gentoo Security	Reporter:	Sam James <sam>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	IN_PROGRESS ---
Severity:	normal	CC:	qt
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://invent.kde.org/qt/qt/qtsvg/-/commit/837b5163e17edbd3a9f098e9a1ab73febab419b4
Whiteboard:	?? [glsa?]
Package list:		Runtime testing required:	---
Bug Depends on:	905842
Bug Blocks:

Description Sam James archtester

2023-05-15 19:21:30 UTC

"In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled."

Comment 1 Sam James archtester

2023-05-15 19:21:56 UTC

Stable bug is done so only really need qt@ to confirm this is the same bug fixed in 5.15.9-r1.

Comment 2 Andreas Sturmlechner gentoo-dev

2023-05-18 15:29:11 UTC

That's what that commit appeared to do.

Comment 3 Andreas Sturmlechner gentoo-dev

2023-05-23 21:03:10 UTC

See also:
https://www.qt.io/blog/security-advisory-qt-svg
https://download.qt.io/official_releases/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff