| Summary: | <dev-qt/qtnetworkauth-5.15.14:5, <dev-qt/qtnetworkauth-6.7.1:6: badly seeded PRNG may result in guessable values (CVE-2024-36048) | ||
|---|---|---|---|
| Product: | Gentoo Security | Reporter: | Ionen Wolkens <ionen> |
| Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
| Status: | CONFIRMED --- | ||
| Severity: | normal | CC: | qt |
| Priority: | Normal | ||
| Version: | unspecified | ||
| Hardware: | All | ||
| OS: | Linux | ||
| URL: | https://www.qt.io/blog/security-advisory-qstringconverter-0 | ||
| See Also: | https://invent.kde.org/qt/qt/qtnetworkauth/-/merge_requests/1 | ||
| Whiteboard: | B4 [glsa?] | ||
| Package list: | Runtime testing required: | --- | |
| Bug Depends on: | 932347, 933196 | ||
| Bug Blocks: | |||
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f41d46c1ea1b4ebb6fccbdc95f126d9420a1237f commit f41d46c1ea1b4ebb6fccbdc95f126d9420a1237f Author: Andreas Sturmlechner <asturm@gentoo.org> AuthorDate: 2024-05-30 10:20:16 +0000 Commit: Andreas Sturmlechner <asturm@gentoo.org> CommitDate: 2024-05-30 12:34:27 +0000 dev-qt/qtnetworkauth: add 5.15.14 Bug: https://bugs.gentoo.org/932337 Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org> dev-qt/qtnetworkauth/Manifest | 2 ++ dev-qt/qtnetworkauth/qtnetworkauth-5.15.14.ebuild | 29 +++++++++++++++++++++++ 2 files changed, 31 insertions(+) dev-qt/qtnetworkauth-5.15.13 cleanup done. The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ed44f01c4e1b665df660a49429e5ac71780cc969 commit ed44f01c4e1b665df660a49429e5ac71780cc969 Author: Ionen Wolkens <ionen@gentoo.org> AuthorDate: 2024-06-08 05:40:42 +0000 Commit: Ionen Wolkens <ionen@gentoo.org> CommitDate: 2024-06-08 13:39:33 +0000 dev-qt/qtnetworkauth: drop 6.7.0 All done wrt bug #932337 Bug: https://bugs.gentoo.org/932337 Signed-off-by: Ionen Wolkens <ionen@gentoo.org> dev-qt/qtnetworkauth/Manifest | 1 - dev-qt/qtnetworkauth/qtnetworkauth-6.7.0.ebuild | 15 --------------- 2 files changed, 16 deletions(-) |
Release notes for Qt 6.7.1[1] mention having fixed CVE-2024-36048, but Qt has not done a blog post about it (yet) that I can see so have little details beside the CVE's description: QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values. And what seems to be the fix[2] for 6.7.1. 6.7.1 is already in-tree, pending stable in ~2 weeks or so if nothing comes up. 5.15.x still needs fixing (figure it may wait until Qt does a blog post w/ patches unless want to try to use 6.7.1's fix). [1] https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.7.1/release-note.md [2] https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317