Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 932337 (CVE-2024-36048)

Summary: <dev-qt/qtnetworkauth-5.15.14:5, <dev-qt/qtnetworkauth-6.7.1:6: badly seeded PRNG may result in guessable values (CVE-2024-36048)
Product: Gentoo Security Reporter: Ionen Wolkens <ionen>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: CONFIRMED ---    
Severity: normal CC: qt
Priority: Normal    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: https://www.qt.io/blog/security-advisory-qstringconverter-0
See Also: https://invent.kde.org/qt/qt/qtnetworkauth/-/merge_requests/1
Whiteboard: B4 [glsa?]
Package list:
Runtime testing required: ---
Bug Depends on: 932347, 933196    
Bug Blocks:    

Description Ionen Wolkens gentoo-dev 2024-05-21 06:39:50 UTC
Release notes for Qt 6.7.1[1] mention having fixed CVE-2024-36048, but Qt has not done a blog post about it (yet) that I can see so have little details beside the CVE's description:

    QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.

And what seems to be the fix[2] for 6.7.1.

6.7.1 is already in-tree, pending stable in ~2 weeks or so if nothing comes up.

5.15.x still needs fixing (figure it may wait until Qt does a blog post w/ patches unless want to try to use 6.7.1's fix).

[1] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.7.1/release-note.md
[2] https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317
Comment 1 Larry the Git Cow gentoo-dev 2024-05-30 12:52:39 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f41d46c1ea1b4ebb6fccbdc95f126d9420a1237f

commit f41d46c1ea1b4ebb6fccbdc95f126d9420a1237f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-05-30 10:20:16 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-05-30 12:34:27 +0000

    dev-qt/qtnetworkauth: add 5.15.14
    
    Bug: https://bugs.gentoo.org/932337
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtnetworkauth/Manifest                     |  2 ++
 dev-qt/qtnetworkauth/qtnetworkauth-5.15.14.ebuild | 29 +++++++++++++++++++++++
 2 files changed, 31 insertions(+)
Comment 2 Andreas Sturmlechner gentoo-dev 2024-06-06 16:44:26 UTC
dev-qt/qtnetworkauth-5.15.13 cleanup done.
Comment 3 Larry the Git Cow gentoo-dev 2024-06-08 13:41:08 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed44f01c4e1b665df660a49429e5ac71780cc969

commit ed44f01c4e1b665df660a49429e5ac71780cc969
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-06-08 05:40:42 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-06-08 13:39:33 +0000

    dev-qt/qtnetworkauth: drop 6.7.0
    
    All done wrt bug #932337
    
    Bug: https://bugs.gentoo.org/932337
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 dev-qt/qtnetworkauth/Manifest                   |  1 -
 dev-qt/qtnetworkauth/qtnetworkauth-6.7.0.ebuild | 15 ---------------
 2 files changed, 16 deletions(-)