Bug 931096 (CVE-2024-33861)

Summary:	<dev-qt/qtbase-6.7.0-r2: invalid QStringConverter has an invalid pointer being passed as a callback which can allow modification of the stack (CVE-2024-33861)
Product:	Gentoo Security	Reporter:	Ionen Wolkens <ionen>
Component:	Vulnerabilities	Assignee:	Gentoo Security <security>
Status:	CONFIRMED ---
Severity:	normal	CC:	qt
Priority:	Normal
Version:	unspecified
Hardware:	All
OS:	Linux
URL:	https://www.qt.io/blog/security-advisory-qstringconverter
Whiteboard:	B2 [glsa?]
Package list:		Runtime testing required:	---

Description Ionen Wolkens gentoo-dev

2024-05-02 12:20:10 UTC

>Qt itself is not vulnerable to remote attack however an application
>using QStringDecoder either directly or indirectly can be vulnerable.
>This affects Qt 6.5.0->6.5.5, 6.6.x and 6.7.0.
Sounds this does not affect Qt5 and is fixed in 6.7.1 which is due to release in a week or so. Meanwhile Qt has provided a patch[1] which I'll add to 6.7.0 soon. Given how trivial it is, think will skip stabilization process churn and just git mv if nothing comes up.

[1] https://download.qt.io/official_releases/qt/6.7/CVE-2024-33861-qtbase-6.7.diff

Comment 1 Larry the Git Cow gentoo-dev

2024-05-02 13:09:20 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2fb597e863fb296b5cdaf36e8b258b20c47d4a1

commit c2fb597e863fb296b5cdaf36e8b258b20c47d4a1
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-05-02 12:24:58 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-05-02 13:08:51 +0000

    dev-qt/qtbase: backport fix for CVE-2024-33861
    
    Bug: https://bugs.gentoo.org/931096
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 .../qtbase/files/qtbase-6.7.0-CVE-2024-33861.patch | 23 ++++++++++++++++++++++
 ...base-6.7.0-r1.ebuild => qtbase-6.7.0-r2.ebuild} |  1 +
 2 files changed, 24 insertions(+)

Comment 2 Ionen Wolkens gentoo-dev

2024-05-02 13:10:01 UTC

All done from this end, no affected versions left.