| Summary: | <dev-qt/qtnetwork-5.15.9-r3, <dev-qt/qtbase-6.5.1: incorrect certificate validation | | |
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | John Helmert III <ajak> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | RESOLVED FIXED | | |
| Severity: | minor | CC: | qt |
| Priority: | Normal | | |
| Version: | unspecified | | |
| Hardware: | All | | |
| OS: | Linux | | |
| See Also: | https://bugs.gentoo.org/show_bug.cgi?id=907120, https://invent.kde.org/qt/qt/qtbase/-/merge_requests/259 | | |
| Whiteboard: | A4 [noglsa] | | |
| Package list: | | Runtime testing required: | --- |
| Bug Depends on: | 907047, 909313 | | |
| Bug Blocks: | | | |
Description
John Helmert III
2023-06-09 04:28:03 UTC
CVE-2023-33285 (https://codereview.qt-project.org/c/qt/qtbase/+/477644): An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=524acfede1f643d6c8d7ff0c96e977cb2cd18378

    commit 524acfede1f643d6c8d7ff0c96e977cb2cd18378
    Author:     Andreas Sturmlechner <asturm@gentoo.org>
    AuthorDate: 2023-06-10 09:31:26 +0000
    Commit:     Andreas Sturmlechner <asturm@gentoo.org>
    CommitDate: 2023-06-10 09:32:58 +0000

        dev-qt/qtnetwork: Fix CVE-2023-34410

        CVE-2023-33285 already fixed in dev-qt/qtnetwork-5.15.9-r2.

        Bug: https://bugs.gentoo.org/908085
        Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

     .../files/qtnetwork-5.15.9-CVE-2023-34410.patch | 113 +++++++++++++++++++++
     dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild     |  81 +++++++++++++++
     2 files changed, 194 insertions(+)

The bug has been referenced in the following commit(s):
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0556a48018dd0028b52b044b14349ae8b97046f

    commit d0556a48018dd0028b52b044b14349ae8b97046f
    Author:     Andreas Sturmlechner <asturm@gentoo.org>
    AuthorDate: 2023-07-13 07:35:58 +0000
    Commit:     Andreas Sturmlechner <asturm@gentoo.org>
    CommitDate: 2023-07-13 08:42:04 +0000

        dev-qt/qtnetwork: drop 5.15.9

        Bug: https://bugs.gentoo.org/908085
        Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

     dev-qt/qtnetwork/Manifest                              |   2 -
     .../files/qtnetwork-5.15.9-CVE-2023-32762.patch        |  39 -------
     .../files/qtnetwork-5.15.9-CVE-2023-34410.patch        | 113 ---------------------
     ....15.9-QDnsLookup-dont-overflow-the-buffer.patch     | 103 -------------------
     .../qtnetwork-5.15.9-libproxy-0.5-pkgconfig.patch     |  32 ------
     dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild            |  80 --------------
     dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild            |  81 --------------
     dev-qt/qtnetwork/qtnetwork-5.15.9.ebuild               |  74 --------------
     8 files changed, 524 deletions(-)

What are the accurate fixed versions, then? Was qtbase ever affected in Gentoo?

For qtbase, CVE-2023-33285 patch for 6.5.0 was added 2023-06-0, and 6.5.1 was added with the CVE-2023-34410 patch on 2023-06-10, with 6.5.0 being removed shortly after.

Fixing summary accordingly then.

Makes sense, thank you!

All done then.
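The bug class named in CVE-2023-33285 is a buffer over-read while parsing a DNS reply. The following is an added illustration, not Qt's QDnsLookup code and not the Gentoo patch (neither is shown on this page): a name decoder that checks every read against the reply length before performing it, so a truncated or crafted reply yields an error instead of reading past the buffer. The reply bytes are constructed for the example, and the `DNS_MAX_PTR_HOPS` cap on compression-pointer chasing is this example's own choice.

```c
/* Added example: bounds-checked decoding of a DNS name from a reply buffer.
 * Not Qt's code; written to show the checks a reply parser needs so that a
 * short or crafted reply cannot cause a buffer over-read. */
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define DNS_MAX_NAME     255   /* RFC 1035 limit on a presentation-form name */
#define DNS_MAX_PTR_HOPS 16    /* assumption: cap on pointer chasing (stops loops) */

/* Decode the name starting at reply[off] into dotted form in out[out_sz].
 * Returns the offset just past the name's in-line bytes (after the first
 * compression pointer if one was followed), or -1 if the name runs past
 * `len`, uses a reserved label type, loops, or does not fit in out. */
int dns_read_name(const uint8_t *reply, size_t len, size_t off,
                  char *out, size_t out_sz)
{
    size_t pos = off, outlen = 0, end = 0;
    int hops = 0, jumped = 0;

    if (out_sz == 0) return -1;
    out[0] = '\0';

    for (;;) {
        if (pos >= len) return -1;                 /* label length byte missing */
        uint8_t c = reply[pos];

        if ((c & 0xC0) == 0xC0) {                  /* compression pointer */
            if (pos + 1 >= len) return -1;         /* second pointer byte missing */
            if (++hops > DNS_MAX_PTR_HOPS) return -1; /* self-referential / looping */
            if (!jumped) { end = pos + 2; jumped = 1; }
            pos = ((size_t)(c & 0x3F) << 8) | reply[pos + 1];
            continue;                              /* target bounds checked at loop top */
        }
        if (c & 0xC0) return -1;                   /* 0x40 / 0x80 label types are reserved */

        pos++;
        if (c == 0) break;                         /* root label terminates the name */
        if (pos + c > len) return -1;              /* label body would read past reply */

        size_t need = outlen + (outlen ? 1 : 0) + c;
        if (need > DNS_MAX_NAME || need >= out_sz) return -1;
        if (outlen) out[outlen++] = '.';
        memcpy(out + outlen, reply + pos, c);
        outlen += c;
        out[outlen] = '\0';
        pos += c;
    }
    if (!jumped) end = pos;
    return (int)end;
}

/* Constructed reply: 12-byte header, question "example.com" at offset 12,
 * QTYPE/QCLASS, then an answer name that is a pointer (0xC00C) to offset 12. */
const uint8_t good_reply[] = {
    0x12,0x34, 0x81,0x80, 0x00,0x01, 0x00,0x01, 0x00,0x00, 0x00,0x00,
    7,'e','x','a','m','p','l','e', 3,'c','o','m', 0,
    0x00,0x01, 0x00,0x01,
    0xC0,0x0C,
};

/* Constructed reply consisting only of a pointer to itself. */
const uint8_t loop_reply[] = { 0xC0, 0x00 };

int main(void)
{
    char name[256];
    int r;

    r = dns_read_name(good_reply, sizeof good_reply, 12, name, sizeof name);
    printf("question name: %s (next offset %d)\n", name, r);
    r = dns_read_name(good_reply, sizeof good_reply, 29, name, sizeof name);
    printf("answer name via pointer: %s (next offset %d)\n", name, r);
    /* Same bytes, but pretend the reply was cut short inside "com". */
    r = dns_read_name(good_reply, 22, 12, name, sizeof name);
    printf("truncated reply: %d\n", r);
    r = dns_read_name(loop_reply, sizeof loop_reply, 0, name, sizeof name);
    printf("pointer loop: %d\n", r);
    return 0;
}
```

The three failure paths worth keeping in mind when reviewing any reply parser are the ones exercised here: a length byte past the end of the buffer, a label body that extends past the end, and a compression pointer that never reaches a root label.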