| Field | Value | Field | Value |
|---|---|---|---|
| Summary | `<dev-qt/qtbase-6.7.2-r1:6`, `<dev-qt/qtnetwork-5.15.14-r1:5`: HTTP/2 security may be compromised | | |
| Product | Gentoo Security | Reporter | xoip |
| Component | Vulnerabilities | Assignee | Gentoo Security <security> |
| Status | CONFIRMED | | |
| Severity | normal | CC | ionen, qt |
| Priority | Normal | | |
| Version | unspecified | | |
| Hardware | All | | |
| OS | Linux | | |
| URL | https://www.qt.io/blog/recently-discovered-http2-handling | | |
| See Also | https://invent.kde.org/qt/qt/qtbase/-/merge_requests/327 | | |
| Whiteboard | A3 [glsa?] | | |
| Package list | | Runtime testing required | --- |
| Bug Depends on | 936171 | | |
| Bug Blocks | | | |
Description

xoip 2024-07-11 16:33:26 UTC

No patch available upstream for 5.15.

Presumably it's this one, but it does not apply cleanly over kde/5.15: https://invent.kde.org/qt/qt/qtbase/-/commit/b1e75376cc3adfc7da5502a277dfe9711f3e0536

Plus https://invent.kde.org/qt/qt/qtbase/-/commit/14a61026216d20eb3a2893420b7d51374e820b44, but upstream's 5.15 patch likely won't care about tests.

May wait till Qt does a blog post w/ patches. I assume these two commits are all we need, but I'd rather not be assuming (and QTBUG-126610 is private, so not sure what went on in there).

Well, wrt the test, I guess we don't really have to worry about it unless someone runs the test suite on a macOS prefix or something; otherwise securetransport is never set (CONDITION APPLE).

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69cfa9cc226d2c4195132da0c4a0373a080b7d9d

```
commit 69cfa9cc226d2c4195132da0c4a0373a080b7d9d
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-07-16 21:39:56 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-07-16 21:40:22 +0000

    dev-qt/qtnetwork: Fix CVE-2024-39936

    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../files/qtnetwork-5.15.14-CVE-2024-39936.patch | 178 +++++++++++++++++++++
 dev-qt/qtnetwork/qtnetwork-5.15.14-r1.ebuild     |  64 ++++++++
 2 files changed, 242 insertions(+)
```

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b0845fa8c13b564c6d0b26891c0b043afe0e6bc

```
commit 6b0845fa8c13b564c6d0b26891c0b043afe0e6bc
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-07-16 23:28:03 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-07-16 23:28:05 +0000

    dev-qt/qtbase: backport fix for CVE-2024-39936

    Still no update from Qt's blog, but given been handled for Qt5 may
    as well do it here too at this point.

    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 .../qtbase/files/qtbase-6.7.2-CVE-2024-39936.patch | 200 ++++++++++++
 dev-qt/qtbase/qtbase-6.7.2-r1.ebuild               | 350 +++++++++++++++++++++
 2 files changed, 550 insertions(+)
```

Well, the blog post has just been published. The patch is the same (besides skipping adding a new test for it), so there should be nothing to change.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82e647db0aad2ea52f63a2d1babb681a5c02f909

```
commit 82e647db0aad2ea52f63a2d1babb681a5c02f909
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-07-21 12:51:37 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-07-21 12:53:38 +0000

    dev-qt/qtbase: drop vulnerable 6.7.2

    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 dev-qt/qtbase/qtbase-6.7.2.ebuild | 349 --------------------------------------
 1 file changed, 349 deletions(-)
```

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8abb6224e29aae4f7c1591f24f5a93ceac067c5

```
commit c8abb6224e29aae4f7c1591f24f5a93ceac067c5
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-07-21 12:53:23 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-07-21 12:53:38 +0000

    dev-qt/qtnetwork: drop vulnerable 5.15.14

    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 dev-qt/qtnetwork/qtnetwork-5.15.14.ebuild | 62 -------------------------------
 1 file changed, 62 deletions(-)
```