
Bug 911790 (CVE-2023-37369, CVE-2023-38197)

Summary: <dev-qt/qtcore-5.15.10-r1, <dev-qt/qtbase-6.5.2: potential buffer overflow issue in QXmlStreamReader
Product: Gentoo Security
Reporter: Andreas Sturmlechner <asturm>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: CONFIRMED
Severity: normal
CC: ionen, qt
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: B2 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 911791
Bug Blocks:

Description Andreas Sturmlechner gentoo-dev 2023-08-05 22:54:52 UTC
"A recently reported potential buffer overflow issue in QXmlStreamReader has been assigned the CVE id CVE-2023-37369.

When given specifically crafted data then QXmlStreamReader can end up causing a buffer overflow and subsequently a crash."

https://www.qt.io/blog/security-advisory-qxmlstreamreader (fixed in qtbase-6.5.2)


"A recently reported potential buffer overflow issue in QXmlStreamReader has been assigned the CVE id CVE-2023-38197.

QXmlStreamReader can freeze or get out of memory on recursive entity expansion, with DTD tokens in XML body."

https://www.qt.io/blog/security-advisory-qxmlstreamreader-1 (fixed in qtbase-6.5.3)
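The second advisory describes a denial of service through recursive entity expansion, with the `<!ENTITY` declarations allowed to appear in the XML body rather than only in a DOCTYPE. As an added example, not Qt's or Gentoo's code and not the upstream fix, the following standalone C++ guard rejects that input class before any XML parser sees it: it collects internal entity declarations wherever they occur, detects direct or indirect self-reference, and computes the fully expanded size without materialising it, aborting once an assumed 1 MiB cap is exceeded. The sample documents are constructed for the example. Note that this does nothing for CVE-2023-37369 (the buffer overflow in name scanning); the only fix for that is the upgraded package.

```cpp
// Added example, not Qt or Gentoo code: a pre-parse guard for the input class
// behind CVE-2023-38197 (recursive or exponentially expanding internal
// entities, including <!ENTITY declarations placed in the XML body).
#include <cstddef>
#include <cstdio>
#include <map>
#include <regex>
#include <set>
#include <string>

struct EntityCheck {
    bool recursive = false;        // an entity references itself, directly or via others
    bool too_large = false;        // total expansion exceeds kMaxExpansion
    std::size_t expanded_bytes = 0;
};

// Assumed cap on the fully expanded document size (1 MiB); tune per application.
constexpr std::size_t kMaxExpansion = std::size_t(1) << 20;

// Matches <!ENTITY name "value"> or <!ENTITY name 'value'> wherever it occurs,
// so declarations that appear in the body (not just in a DOCTYPE) are caught.
static const std::regex kEntityDecl(
    R"rx(<!ENTITY\s+([A-Za-z_][A-Za-z0-9_.-]*)\s+(?:"([^"]*)"|'([^']*)')\s*>)rx");

static std::map<std::string, std::string> collectEntities(const std::string& xml) {
    std::map<std::string, std::string> ents;
    for (auto it = std::sregex_iterator(xml.begin(), xml.end(), kEntityDecl);
         it != std::sregex_iterator(); ++it) {
        const std::smatch& m = *it;
        ents[m[1].str()] = m[2].matched ? m[2].str() : m[3].str();
    }
    return ents;
}

// Size of `text` after expanding every internal-entity reference, computed
// without building the expansion. `stack` holds entities currently being
// expanded (cycle detection); `memo` caches sizes so lol0..lol9 costs O(n).
static std::size_t expandedSize(const std::string& text,
                                const std::map<std::string, std::string>& ents,
                                std::map<std::string, std::size_t>& memo,
                                std::set<std::string>& stack,
                                EntityCheck& out) {
    std::size_t total = 0;
    std::size_t pos = 0;
    while (pos < text.size()) {
        std::size_t semi = text[pos] == '&' ? text.find(';', pos) : std::string::npos;
        auto e = semi == std::string::npos ? ents.end()
                                           : ents.find(text.substr(pos + 1, semi - pos - 1));
        if (e == ents.end()) {         // literal byte, or a predefined/undeclared reference
            ++total;
            ++pos;
            continue;
        }
        const std::string& name = e->first;
        if (stack.count(name)) {       // direct or indirect self-reference
            out.recursive = true;
            return total;
        }
        std::size_t sz;
        auto m = memo.find(name);
        if (m != memo.end()) {
            sz = m->second;
        } else {
            stack.insert(name);
            sz = expandedSize(e->second, ents, memo, stack, out);
            stack.erase(name);
            memo[name] = sz;
        }
        if (out.recursive || out.too_large) return total;   // propagate a nested abort
        total += sz;
        if (total > kMaxExpansion) {
            out.too_large = true;
            return total;
        }
        pos = semi + 1;
    }
    return total;
}

EntityCheck checkEntityExpansion(const std::string& xml) {
    EntityCheck out;
    std::map<std::string, std::string> ents = collectEntities(xml);
    // Strip the declarations first so each entity value is counted once per
    // reference in the document, not once more per declaration.
    std::string body = std::regex_replace(xml, kEntityDecl, "");
    std::map<std::string, std::size_t> memo;
    std::set<std::string> stack;
    out.expanded_bytes = expandedSize(body, ents, memo, stack, out);
    return out;
}

bool safeToParse(const std::string& xml) {
    EntityCheck c = checkEntityExpansion(xml);
    return !c.recursive && !c.too_large;
}

// Constructed sample inputs (not taken from the advisory).
std::string benignDoc() {
    return "<!DOCTYPE d [<!ENTITY co \"Example Co\">]><r>&co; &amp;</r>";
}
std::string recursiveInBodyDoc() {    // DTD tokens in the body, a -> b -> a
    return "<r><!ENTITY a \"&b;\"><!ENTITY b \"x&a;\">&a;</r>";
}
std::string billionLaughsDoc() {      // classic lol0..lol9, 3*10^9 bytes if expanded
    std::string s = "<!DOCTYPE lolz [<!ENTITY lol0 \"lol\">";
    for (int i = 1; i <= 9; ++i) {
        s += "<!ENTITY lol" + std::to_string(i) + " \"";
        for (int j = 0; j < 10; ++j) s += "&lol" + std::to_string(i - 1) + ";";
        s += "\">";
    }
    return s + "]><lolz>&lol9;</lolz>";
}

int main() {
    const std::string docs[] = {benignDoc(), recursiveInBodyDoc(), billionLaughsDoc()};
    for (const std::string& doc : docs) {
        EntityCheck c = checkEntityExpansion(doc);
        std::printf("recursive=%d too_large=%d expanded=%zu safe=%d\n",
                    c.recursive, c.too_large, c.expanded_bytes, safeToParse(doc));
    }
    return 0;
}
```

The guard is deliberately conservative: it ignores the DOCTYPE boundary, treats any well-formed entity reference to a declared name as expandable, and counts undeclared or predefined references (`&amp;`) as literal text. The memoised size computation is what keeps the lol9 case cheap: the parser in the advisory freezes because it performs the expansion, whereas this check only adds up sizes and stops at the first entity whose cumulative size crosses the cap.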
Comment 1 Larry the Git Cow gentoo-dev 2023-08-05 23:00:35 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d67ecfdb7d124b05a2af89478dd6eff099eabd0e

commit d67ecfdb7d124b05a2af89478dd6eff099eabd0e
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-08-05 22:38:13 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-08-05 23:00:08 +0000

    dev-qt/qtcore: Bump to QT5_KDEPATCHSET_REV=2
    
    Ahmad Samir (2):
          QXmlStreamReader: change fastScanName() to take a Value*
          QXmlStreamReader: make fastScanName() indicate parsing status to callers
    
    Axel Spoerl (1):
          QXmlStreamReader: Raise error on unexpected tokens
    
    Friedemann Kleint (1):
          Fix typo in QXmlStreamReader error message
    
    Marc Mutz (2):
          QLogging: DRY isFatal(QtMsgType)
          Make sure we don't count down past 0 QT_FATAL_CRITICALS
    
    Volker Krause (1):
          Fix Croatia's currency
    
    See also:
    https://www.qt.io/blog/security-advisory-qxmlstreamreader
    https://www.qt.io/blog/security-advisory-qxmlstreamreader-1
    
    Bug: https://bugs.gentoo.org/911790
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtcore/Manifest                 |   1 +
 dev-qt/qtcore/qtcore-5.15.10-r1.ebuild | 120 +++++++++++++++++++++++++++++++++
 2 files changed, 121 insertions(+)
Comment 2 Ionen Wolkens gentoo-dev 2023-08-05 23:13:01 UTC
wrt qtbase, our qtbase-6.5.2 was added from the start with:

PATCHES=( "${FILESDIR}/${PN}-6.5.2-CVE-2023-38197.patch" )
Comment 3 Andreas Sturmlechner gentoo-dev 2023-08-05 23:23:17 UTC
Excellent.
Comment 4 Larry the Git Cow gentoo-dev 2023-08-16 16:31:54 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c087cd6aecbcbcd9ae58a1ee9a38f28118a39503

commit c087cd6aecbcbcd9ae58a1ee9a38f28118a39503
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-08-16 15:27:07 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-08-16 16:03:32 +0000

    dev-qt/qtcore: cleanup vulnerable 5.15.10
    
    Bug: https://bugs.gentoo.org/911790
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtcore/Manifest              |   1 -
 dev-qt/qtcore/qtcore-5.15.10.ebuild | 119 ------------------------------------
 2 files changed, 120 deletions(-)
Comment 5 genBTC 2023-12-09 22:56:03 UTC
Status?
Comment 6 Ionen Wolkens gentoo-dev 2023-12-09 23:13:18 UTC
(In reply to genBTC from comment #5)
> Status?
There's nothing left to do here besides letting the security team decide if they want to do a GLSA for this (it has been fixed for a few months, and the vulnerable versions are removed). Or is the GLSA what you're asking about?