Bug 151838 - x11-libs/qt: khtml/qt integer overflow (CVE-2006-4811)
Summary: x11-libs/qt: khtml/qt integer overflow (CVE-2006-4811)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High normal
Assignee: Gentoo Security
URL: http://rhn.redhat.com/errata/RHSA-200...
Whiteboard: A2 [glsa] vorlon
Keywords:
Duplicates: 151972 153164
Depends on:
Blocks:
 
Reported: 2006-10-18 08:32 UTC by Matthias Geerdsen (RETIRED)
Modified: 2019-12-29 11:12 UTC

Attachments
Qt patch (attachment.cgi,955 bytes, patch)
2006-10-18 09:30 UTC, Diego Elio Pettenò (RETIRED)
patch (qt3_pixmap_patch.txt,4.83 KB, patch)
2006-10-19 13:24 UTC, Dirk Mueller

Description Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-18 08:32:28 UTC
from RH advisory:

An integer overflow flaw was found in the way Qt handled pixmap images.
The KDE khtml library uses Qt in such a way that untrusted parameters could
be passed to Qt, triggering the overflow. An attacker could for example
create a malicious web page that when viewed by a victim in the Konqueror
browser would cause Konqueror to crash or possibly execute arbitrary code
with the privileges of the victim. (CVE-2006-4811)
Comment 1 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-18 09:30:45 UTC
Created attachment 99949
Qt patch

This seems to be the patch from Red Hat, but it's for Qt, not for kdelibs; why they released kdelibs packages is something I don't understand.
Comment 2 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-18 09:47:30 UTC
I've added the patch in Qt 3.3.6-r3, but I cannot test it myself currently (emerge -e world in progress). The bug was confirmed on Qt-copy, on Arch and KUbuntu too.
http://bugzilla.redhat.com/bugzilla/attachment.cgi?id=138488 is a good testcase to see if the patch works, for arch teams testing.

Can someone confirm if the patch works?
Comment 3 Ioannis Aslanidis (RETIRED) gentoo-dev 2006-10-18 10:26:25 UTC
Confirming that the patch added to Qt 3.3.6-r3 fixes the exploit.
Comment 4 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-18 10:42:46 UTC
arches, pls test x11-libs/qt-3.3.6-r3 and mark stable if possible

amd64, what about app-emulation/emul-linux-x86-qtlibs, I guess it should be fixed too?
Comment 5 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-18 10:51:05 UTC
adding qt herd

what about qt-4* btw?
Comment 6 Ioannis Aslanidis (RETIRED) gentoo-dev 2006-10-18 11:05:34 UTC
All the qt herd members are inside the kde herd.
Comment 7 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-18 11:31:45 UTC
Leave qt there for queries at least.
Comment 8 Markus Rothe (RETIRED) gentoo-dev 2006-10-18 12:38:38 UTC
ppc64 stable
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2006-10-18 12:45:10 UTC
-r3 needs media-libs/libmng 1.0.9 at least...which version shall we take? -r0 or -r1? The latter is not in Portage for 30 days, but fixes some issues.  KDE/Qt, please advise.
Comment 10 Markus Meier gentoo-dev 2006-10-18 13:57:00 UTC
1. used media-libs/libmng-1.0.9-r1 as dependency, which emerges fine, but:
1.1 QA Notice: USE Flag 'jpeg' not in IUSE for media-libs/libmng-1.0.9-r1
2. emerges fine on x86
3. passes collision test
4. revdep-rebuild shows nothing broken, kile recompiled fine and kde still works

x11-libs/qt-3.3.6-r3  USE="cups gif ipv6 opengl -debug -doc -examples -firebird -immqt -immqt-bc -mysql -nas -nis -odbc -postgres -sqlite -xinerama"

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18.1 i686)
=================================================================
System uname: 2.6.18.1 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.5
Last Sync: Wed, 18 Oct 2006 19:50:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 11 Joshua Jackson (RETIRED) gentoo-dev 2006-10-18 22:48:48 UTC
jeez I have an AT get to it before I do...You guys just pounce on these things. x86 stable ^.^
Comment 12 Stefan Cornelius (RETIRED) gentoo-dev 2006-10-18 23:45:07 UTC
Done in a hurry, so beware, only checked source, no actual testing done. But seems like Qt4 is affected.

qt-x11-opensource-src-4.1.4/src/gui/image/qpixmap_x11.cpp, around line 1874:

    if (depth1)
        dbpl = (w+7)/8;
    else
        dbpl = ((w*bpp+31)/32)*4;
    dbytes = dbpl*h;                     // <= EVIL

#if defined(QT_MITSHM)
    if (use_mitshm) {
        dptr = (uchar *)xshmimg->data;
        uchar fillbyte = bpp == 8 ? white.pixel() : 0xff;
        for (int y=0; y<h; y++)
            memset(dptr + y*xshmimg->bytes_per_line, fillbyte, dbpl);
    } else {
#endif
        dptr = (uchar *)malloc(dbytes);  // <= EVIL; create buffer for bits
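
The size arithmetic flagged in comment 12, as an added example that is not part of the comment, of Qt, or of either attached patch: it reproduces the `dbpl`/`dbytes` computation in well-defined 32-bit arithmetic next to a checked variant that refuses dimensions whose product does not fit. The function names, the `INT_MAX` ceiling and the sample dimensions are assumptions made for illustration.

```c
#include <limits.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

/* The value the quoted arithmetic produces when int is 32 bits wide.
 * Done in uint32_t so the wraparound is defined behaviour in this demo
 * (the original uses signed int, where overflow is undefined). */
static uint32_t wrapped_dbytes(uint32_t w, uint32_t h, uint32_t bpp, int depth1)
{
    uint32_t dbpl = depth1 ? (w + 7u) / 8u : ((w * bpp + 31u) / 32u) * 4u;
    return dbpl * h;
}

/* Checked variant: returns 0 and stores the byte count in *out, or -1 when
 * a dimension is non-positive or any intermediate result would not fit.
 * Assumption: the total is capped at INT_MAX because the surrounding code
 * keeps sizes and row strides in int variables. */
static int checked_dbytes(int w, int h, int bpp, int depth1, size_t *out)
{
    size_t dbpl, total;

    if (w <= 0 || h <= 0 || bpp <= 0 || bpp > 32)
        return -1;
    if (depth1) {
        dbpl = ((size_t)w + 7) / 8;               /* 1 bit per pixel */
    } else {
        if ((size_t)w > (SIZE_MAX - 31) / (size_t)bpp)
            return -1;                            /* w*bpp+31 would wrap */
        dbpl = (((size_t)w * (size_t)bpp + 31) / 32) * 4;
    }
    if (dbpl > (size_t)INT_MAX || (size_t)h > SIZE_MAX / dbpl)
        return -1;                                /* dbpl*h would wrap */
    total = dbpl * (size_t)h;
    if (total > (size_t)INT_MAX)
        return -1;
    *out = total;
    return 0;
}

/* Allocation wrapper: no buffer is created unless the size check passed. */
static unsigned char *alloc_pixmap_bits(int w, int h, int bpp, int depth1,
                                        size_t *len)
{
    if (checked_dbytes(w, h, bpp, depth1, len) != 0)
        return NULL;
    return malloc(*len);
}

int main(void)
{
    /* Constructed dimensions: one ordinary size, two whose product needs
     * more than 32 bits. */
    static const int dims[][2] = { {640, 480}, {65536, 65536}, {65536, 65537} };
    size_t i;

    for (i = 0; i < sizeof dims / sizeof dims[0]; i++) {
        int w = dims[i][0], h = dims[i][1];
        size_t len = 0;
        unsigned char *p = alloc_pixmap_bits(w, h, 32, 0, &len);

        printf("%dx%d@32bpp: unchecked 32-bit dbytes=%lu, checked: %s\n",
               w, h,
               (unsigned long)wrapped_dbytes((uint32_t)w, (uint32_t)h, 32u, 0),
               p ? "allocated" : "rejected");
        free(p);
    }
    return 0;
}
```

For the oversized inputs the unchecked product wraps to a value far smaller than `h` rows of `dbpl` bytes, so `malloc` succeeds with an undersized buffer; the checked path returns NULL instead.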


Comment 13 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-19 09:04:33 UTC
Working on QT 4.1 and 4.2 fixes now, but you might want to track them on their own bugs now.
Comment 14 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-19 09:10:04 UTC
Qt 4.1.4-r1 and 4.2.0-r1 are ready. Only the first is a stable target though.
Comment 15 Jakub Moc (RETIRED) gentoo-dev 2006-10-19 10:35:02 UTC
*** Bug 151972 has been marked as a duplicate of this bug. ***
Comment 16 Dirk Mueller 2006-10-19 13:23:50 UTC
I would recommend to use the official patch for Qt instead. I'll attach it for reference.
Comment 17 Dirk Mueller 2006-10-19 13:24:20 UTC
Created attachment 100045
patch
Comment 18 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-19 13:38:03 UTC
I would prefer a quick fix for users, hoping for a maintenance release from trolltech, if it's going to be, to avoid three rebuilds.
Comment 19 Bryan Østergaard (RETIRED) gentoo-dev 2006-10-20 04:50:01 UTC
Alpha done.
Comment 20 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-20 08:44:59 UTC
Yuppie, we're going to have new versions of everything at this point -_- Give me some time today and I'll update all the qt versions.
Comment 21 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-20 11:14:13 UTC
qt-3.3.6-r4, qt-4.1.4-r2, qt-4.2.0-r2

Hopefully I won't need _more_ bumps.
Comment 22 Matthias Geerdsen (RETIRED) gentoo-dev 2006-10-20 11:21:40 UTC
next round....

pls test qt-3.3.6-r4/qt-4.1.4-r2

herbs/kugelfang/amd64: pls fix emul-linux-x86-qtlibs
Comment 23 Caleb Tennis (RETIRED) gentoo-dev 2006-10-20 11:39:53 UTC
Are these the trolltech maintenance versions released today?
Comment 24 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-10-20 11:53:50 UTC
They are the last ones sent to kde-packager yes
Comment 25 Caleb Tennis (RETIRED) gentoo-dev 2006-10-20 12:22:20 UTC
Ok, but Trolltech released 3.3.7, 4.1.5, and 4.2.1 today.  I assume they are the same thing as our patchlevel versions, but the numbers now don't match :(
Comment 26 Christian Faulhammer (RETIRED) gentoo-dev 2006-10-21 06:21:22 UTC
[ebuild     U ] x11-libs/qt-3.3.6-r4 [3.3.6-r3] USE="cups gif ipv6 mysql opengl -debug -doc -examples -firebird -immqt -immqt-bc -nas -nis -odbc -postgres -sqlite -xinerama" 0 kB 

1) emerges fine
2) passes collision test
3) revdep-rebuild, kdelibs remerged, no problems, apart from a not passed test of kdelibs (Should I report about it?)

[ebuild     U ] x11-libs/qt-4.1.4-r2 [4.1.4] USE="cups gif jpeg mng mysql opengl png zlib -accessibility -debug -doc -examples -firebird -nas -nis -odbc -postgres -sqlite -xinerama" 0 kB 

1) emerges fine so far
QA Notice: pre-stripped files found:
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/moc
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/rcc
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/uic
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/uic3
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/qm2ts
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/qmake
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/lrelease
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/assistant
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/lupdate
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/qtconfig
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/qt3to4
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/designer
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/linguist
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/libQt3Support.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/libQtTest.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/libQtNetwork.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/libQtOpenGL.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/libQtGui.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/libQtSvg.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/libQtCore.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/libQtDesignerComponents.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/libQtDesigner.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/libQtXml.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/plugins/imageformats/libqgif.so
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/plugins/imageformats/libqmng.so
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/plugins/imageformats/libqjpeg.so
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/plugins/sqldrivers/libqsqlmysql.so
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/plugins/designer/libqt3supportwidgets.so
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/plugins/inputmethods/libqimsw-multi.so
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib/qt4/libQtSql.so.4.1.4

2) passes collision test
3) revdep-rebuild, emerged a Qt4 app I have a local ebuild for, no problems

Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 i686)
=================================================================
System uname: 2.6.17-gentoo-r8 i686 AMD Athlon(tm) XP 2500+
Gentoo Base System version 1.12.5
Last Sync: Sat, 21 Oct 2006 06:50:01 +0000
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     [Not Present]
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://sunsite.informatik.rwth-aachen.de/pub/Linux/gentoo/"
LANG="de_DE@euro"
LC_ALL="de_DE@euro"
LINGUAS="de"
MAKEOPTS="-j2"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage"
SYNC="rsync://rsync.informatik.rwth-aachen.de/gentoo-portage"
USE="x86 3dnow 3dnowext X Xaw3d a52 aiglx alsa artworkextra asf audiofile bash-completion beagle berkdb bidi bitmap-fonts bootsplash branding bzip2 cairo cdda cddb cdparanoia cdr cli cracklib crypt css cups curl custom-cflags dbus dga directfb divx4linux dlloader dri dts dvd dvdr dvdread dvi eds elibc_glibc emacs emboss encode esd evo exif expat fam fat fbcon ffmpeg firefox fortran ftp gb gcj gdbm gif gnome gpm gstreamer gtk gtk2 gtkhtml hal icq idn imagemagick imap input_devices_keyboard input_devices_mouse ipv6 isdnlog java javascript jikes jpeg jpeg2k kde kernel_linux ldap leim libg++ linguas_de lm_sensors mad maildir matroska mbox mhash mikmod mime mmx mmxext mng mono mp3 mpeg mpeg2 mule mysql nautilus ncurses nforce2 nls nocardbus nptl nptlonly nsplugin nvidia objc ogg opengl pam pcre pdf perl plotutils pmu png ppds pppd preview-latex print python qt3 qt4 quicktime readline reflection reiserfs samba sdk session slang spell spl sse ssl svg svga t1lib tcltk tcpd tetex theora thunderbird tiff truetype truetype-fonts type1-fonts udev usb userland_GNU vcd video_cards_fbdev video_cards_radeon video_cards_vesa videos vorbis win32codecs wmf wxwindows xine xml xorg xosd xv xvid zlib"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 27 Markus Rothe (RETIRED) gentoo-dev 2006-10-22 02:28:50 UTC
qt-3.3.6-r4/qt-4.1.4-r2 stable on ppc64
Comment 28 Jason Wever (RETIRED) gentoo-dev 2006-10-22 08:32:42 UTC
So which packages are we supposed to be marking, the revision bumps or the version bumps (whenever they hit the tree)?
Comment 29 Markus Meier gentoo-dev 2006-10-22 11:44:51 UTC
x11-libs/qt-3.3.6-r4  USE="cups gif ipv6 opengl -debug -doc -examples -firebird -immqt -immqt-bc -mysql -nas -nis -odbc -postgres -sqlite -xinerama"
1. emerges on x86, with following Notice:
>>> Install qt-3.3.6-r4 into /var/tmp/portage/qt-3.3.6-r4/image/ category x11-libs
cp: omitting directory `include/private'

2. passes collision test
3. regular kde stuff still works

x11-libs/qt-4.1.4-r2  USE="cups gif jpeg opengl png zlib -accessibility -debug -doc -examples -firebird -mng -mysql -nas -nis -odbc -postgres -sqlite -xinerama"
1. emerges on x86, with the same pre-stripped files as Christian
2. passes collision test
3. poppler-bindings still compiles (with qt3 and qt4)


Portage 2.1.1 (default-linux/x86/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.18.1 i686)
=================================================================
System uname: 2.6.18.1 i686 Genuine Intel(R) CPU           T2300  @ 1.66GHz
Gentoo Base System version 1.12.5
Last Sync: Sun, 22 Oct 2006 09:50:01 +0000
ccache version 2.3 [disabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.3.5-r3, 2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.17-r1
ACCEPT_KEYWORDS="x86"
AUTOCLEAN="yes"
CBUILD="i686-pc-linux-gnu"
CFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
CHOST="i686-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config /usr/share/texmf/dvipdfm/config/ /usr/share/texmf/dvips/config/ /usr/share/texmf/tex/generic/config/ /usr/share/texmf/tex/platex/config/ /usr/share/texmf/xdvi/"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-O2 -march=prescott -pipe -fomit-frame-pointer"
DISTDIR="/usr/portage/distfiles"
EMERGE_DEFAULT_OPTS="--nospinner"
FEATURES="autoconfig collision-protect distlocks metadata-transfer parallel-fetch sandbox sfperms strict test userfetch userpriv usersandbox"
GENTOO_MIRRORS="http://distfiles.gentoo.org http://distro.ibiblio.org/pub/linux/distributions/gentoo"
LINGUAS="en de en_GB de_CH"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
SYNC="rsync://rsync.europe.gentoo.org/gentoo-portage"
USE="x86 X a52 aac acpi alsa apache2 asf berkdb bitmap-fonts cairo cdr cdrom cli cracklib crypt cups dbus divx dlloader dri dts dvd dvdr dvdread eds elibc_glibc emboss encode fam ffmpeg firefox flac fortran gdbm gif gnome gpm gstreamer gtk hal input_devices_keyboard input_devices_mouse ipv6 isdnlog java jpeg kde kernel_linux ldap libg++ linguas_de linguas_de_CH linguas_en linguas_en_GB mad mikmod mmx mono mp3 mpeg ncurses nls nptl nptlonly ogg opengl oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rtsp samba sdl session smp spell spl sse sse2 sse3 ssl svg tcpd test tetex theora threads truetype truetype-fonts type1-fonts udev unicode userland_GNU vcd video_cards_fbdev video_cards_i810 video_cards_vesa vorbis win32codecs wxwindows x264 xine xml xorg xprint xv xvid zlib"
Unset:  CTARGET, INSTALL_MASK, LANG, LC_ALL, LDFLAGS, PORTAGE_RSYNC_EXTRA_OPTS, PORTDIR_OVERLAY
Comment 30 Gustavo Zacarias (RETIRED) gentoo-dev 2006-10-23 13:16:18 UTC
going with the revbumps since the verbumps are still missing.
qt-3.3.6-r4 & qt-4.1.4-r2 sparc stable.
Comment 31 Joshua Jackson (RETIRED) gentoo-dev 2006-10-23 19:57:55 UTC
/me does the revbump shuffle && electric slide. oh oh oh yeah x86 is stable..Now i need a white polyester suit..
Comment 32 Tobias Heinlein (RETIRED) gentoo-dev 2006-10-24 09:53:16 UTC
[ebuild   R   ] x11-libs/qt-3.3.6-r4  USE="cups gif opengl -debug -doc -examples (-firebird) -immqt -immqt-bc -ipv6 -mysql -nas -nis -odbc -postgres -sqlite -xinerama" 0 kB

1) emerges fine
2) passes collision test
3) kdelibs remerged without problems



[ebuild     UD] x11-libs/qt-4.1.4-r2 [4.2.0-r2] USE="cups gif jpeg mng opengl png zlib -accessibility -debug -doc -examples (-firebird) -mysql -nas -nis -odbc -postgres -sqlite -xinerama (-dbus%*) (-glib%) (-pch%)" 0 kB

1) emerges fine

QA Notice: pre-stripped files found:
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/moc
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/rcc
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/uic
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/uic3
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/assistant
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/linguist
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/lrelease
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/lupdate
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/qm2ts
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/qt3to4
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/designer
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/qtconfig
/var/tmp/portage/qt-4.1.4-r2/image/usr/bin/qmake
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/libQtCore.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/libQtXml.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/libQtGui.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/libQtSql.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/libQtNetwork.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/libQtSvg.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/libQtOpenGL.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/libQt3Support.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/plugins/imageformats/libqjpeg.so
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/plugins/imageformats/libqgif.so
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/plugins/imageformats/libqmng.so
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/plugins/inputmethods/libqimsw-multi.so
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/plugins/designer/libqt3supportwidgets.so
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/libQtTest.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/libQtDesigner.so.4.1.4
/var/tmp/portage/qt-4.1.4-r2/image/usr/lib64/qt4/libQtDesignerComponents.so.4.1.4
strip: x86_64-pc-linux-gnu-strip --strip-unneeded
   usr/lib64/qt4/libQtAssistantClient.a
      usr/lib64/qt4/libQtUiTools.a

2) passes collision-test
3) poppler-bindings compiles fine with qt4

# emerge --info
Portage 2.1.1-r1 (default-linux/amd64/2006.1/desktop, gcc-4.1.1, glibc-2.4-r3, 2.6.17-gentoo-r8 x86_64)
=================================================================
System uname: 2.6.17-gentoo-r8 x86_64 AMD Athlon(tm) 64 X2 Dual Core Processor 4200+
Gentoo Base System version 1.12.5
Last Sync: Tue, 24 Oct 2006 09:20:01 +0000
ccache version 2.3 [enabled]
app-admin/eselect-compiler: [Not Present]
dev-java/java-config: 1.3.7, 2.0.30
dev-lang/python:     2.4.3-r4
dev-python/pycrypto: 2.0.1-r5
dev-util/ccache:     2.3
dev-util/confcache:  [Not Present]
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.59-r7
sys-devel/automake:  1.4_p6, 1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2
sys-devel/binutils:  2.16.1-r3
sys-devel/gcc-config: 1.3.13-r4
sys-devel/libtool:   1.5.22
virtual/os-headers:  2.6.11-r2
ACCEPT_KEYWORDS="amd64"
AUTOCLEAN="yes"
CBUILD="x86_64-pc-linux-gnu"
CFLAGS="-march=k8 -O2 -pipe"
CHOST="x86_64-pc-linux-gnu"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/java-config/vms/ /etc/revdep-rebuild /etc/splash /etc/terminfo"
CXXFLAGS="-march=k8 -O2 -pipe"
DISTDIR="/usr/portage/distfiles"
FEATURES="autoconfig ccache collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test"
GENTOO_MIRRORS="ftp://linux.rz.ruhr-uni-bochum.de/gentoo-mirror/ ftp://ftp.uni-erlangen.de/pub/mirrors/gentoo ftp://ftp.join.uni-muenster.de/pub/linux/distributions/gentoo "
LANG="en_US.ISO8859-1"
LC_ALL="en_US.ISO8859-1"
MAKEOPTS="-j3"
PKGDIR="/usr/portage/packages"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude='/distfiles' --exclude='/local' --exclude='/packages'"
PORTAGE_TMPDIR="/var/tmp"
PORTDIR="/usr/portage"
PORTDIR_OVERLAY="/usr/local/portage /usr/portage/local/stuff"
SYNC="rsync://rsync.namerica.gentoo.org/gentoo-portage"
USE="amd64 7zip X a52 aac aalib addbookmarks alias alsa amarok arts asf avahi bash-completion berkdb bitmap-fonts browserplugin bzip2 c++ cairo calendar caps cdr cdrom cdsound chroot cli cracklib crypt cups cvs dbus de_tvtoday dhcp dlloader dri dvb dvd dvdr dvdread eds elibc_glibc emboss encode esd fam ffmpeg flac fortran gdbm gif gimp gimpprint gnome gpm gsm gstreamer gtk gtk2 gzip hal hald highlight history howl icq imagemagick input_devices_evdev input_devices_keyboard input_devices_mouse irssi isdnlog java javascript jpeg kde kdm kernel_linux kipi lame ldap libg++ live logitech-mouse mad madwifi md5sum mikmod mng mp3 mpeg ncurses nls nptl nptlonly nsplugin nvidia ogg oggvorbis opengl openssh oss pam pcre perl png ppds pppd python qt3 qt4 quicktime readline reflection rss samba scanner scp sdl session smp speex spell spl sql ssl subversion svg symlink tcl tcltk tcpd tiff tk transcode truetype truetype-fonts type1-fonts udev unicode unzip usb userland_GNU vcd video_cards_nv video_cards_nvidia video_cards_vesa vim visualization vorbis wmf wxwindows x264 xcomposite xine xml xorg xv xvid xvmc zip zlib zvbi"
Unset:  CTARGET, EMERGE_DEFAULT_OPTS, INSTALL_MASK, LDFLAGS, LINGUAS, PORTAGE_RSYNC_EXTRA_OPTS
Comment 33 Simon Stelling (RETIRED) gentoo-dev 2006-10-24 10:16:29 UTC
amd64 stable
Comment 34 Tobias Scherbaum (RETIRED) gentoo-dev 2006-10-24 10:53:56 UTC
ppc stable
Comment 35 René Nussbaumer (RETIRED) gentoo-dev 2006-10-27 09:34:54 UTC
stable on hppa. Sorry for the delay.
Comment 36 Jakub Moc (RETIRED) gentoo-dev 2006-10-28 16:18:51 UTC
*** Bug 153164 has been marked as a duplicate of this bug. ***
Comment 37 Bryan Østergaard (RETIRED) gentoo-dev 2006-10-29 12:00:29 UTC
ia64 done.
Comment 38 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-01 08:20:00 UTC
alpha, pls test qt-3.3.6-r4 and mark stable if possible
Comment 39 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-01 08:25:08 UTC
CVE-2006-4811
<quote>
Integer overflow in Qt 3.3 before 3.3.7, 4.1 before 4.1.5, and 4.2 before 4.2.1, as used in the KDE khtml library, kdelibs 3.1.3, and possibly other packages, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted pixmap image.
</quote>
since emul-linux-x86-qtlibs has only versions 2.2 and 3.4.4 I suppose those are not affected

comments?
Comment 40 Diego Elio Pettenò (RETIRED) gentoo-dev 2006-11-01 08:30:45 UTC
qt-3.4.4 does not exist.
Comment 41 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-01 08:50:44 UTC
opened bug 153704 about emul-linux-x86-qtlibs
Comment 42 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-06 00:39:22 UTC
alpha, we are late on this one

pls test qt-3.3.6-r4 and mark stable if possible
Comment 43 Alexander Færøy 2006-11-06 02:59:27 UTC
Stable on Alpha.
Comment 44 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-06 03:04:53 UTC
ready for GLSA publication
Comment 45 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-06 06:19:02 UTC
GLSA 200611-02

thanks everyone
Comment 46 Matthias Geerdsen (RETIRED) gentoo-dev 2006-11-06 06:19:45 UTC
even closing it now...