Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 185446 - x11-libs/qt Multiple issues (CVE-2007-3388)
Summary: x11-libs/qt Multiple issues (CVE-2007-3388)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High normal (vote)
Assignee: Gentoo Security
Whiteboard: B2 [glsa] jaervosz
: 187465 (view as bug list)
Depends on: 187552
  Show dependency tree
Reported: 2007-07-15 19:34 UTC by Sune Kloppenborg Jeppesen (RETIRED)
Modified: 2020-04-02 21:47 UTC (History)
4 users (show)

See Also:
Package list:
Runtime testing required: ---

CVE-2007-3388.diff (CVE-2007-3388.diff,974 bytes, patch)
2007-07-15 19:35 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags Details | Diff
format-warnings.diff (format-warnings.diff,8.23 KB, patch)
2007-07-15 19:37 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags Details | Diff
qt_patch.diff (qt_patch.diff,6.36 KB, patch)
2007-07-22 08:08 UTC, Sune Kloppenborg Jeppesen (RETIRED)
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 19:34:01 UTC
Attaching patches in a moment.
Comment 1 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 19:35:33 UTC
Created attachment 124945 [details, diff]

Patch for issue reported by Tracey Parry of Portcullis Computer Security Ltd.
Comment 2 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 19:37:05 UTC
Created attachment 124947 [details, diff]

Reported by Dirk Mueller.
Comment 3 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 19:40:36 UTC
Caleb please advise. Do NOT commit anything yet. Instead you can attach updated ebuilds to this bug for prestable testing if needed.
Comment 4 Caleb Tennis (RETIRED) gentoo-dev 2007-07-15 20:06:27 UTC
both patches look mostly harmless to me.  99% of them just affect debugging output, which shouldn't matter to anyone really.  The very last line on the format-warning.diff seems to affect reverseable layouts, which might cause an impact to someone who uses a right-to-left language, but I don't have any way to test that particular feature.

In short: the patches look completely fine to me.
Comment 5 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-15 20:25:34 UTC
Thx Caleb. Do you want prestable arch testing or should we just wait until the issues go public?
Comment 6 Caleb Tennis (RETIRED) gentoo-dev 2007-07-15 20:44:56 UTC
I don't see any fixes in here that would affect any arches at all, really, so I think we're okay to wait.
Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2007-07-16 11:26:11 UTC
also, since qt-4.3.0 is ready for a stablization request for the arches anyway, we can just tie these patches with a normal stablization request.  I'm not sure if these will work against the qt-4.2 series, but it may not be necessary to even worry about that.
Comment 8 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-16 19:38:00 UTC
The initial report for CVE-2007-3388 said to affect qt-3 only. So I guess we're going directly to stable on qt-3 once the release date is reached?
Comment 9 Caleb Tennis (RETIRED) gentoo-dev 2007-07-16 20:05:08 UTC
oh, didn't realize it was qt3 only.  in any case, no problem going straight to stable with the patches.
Comment 10 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-22 08:08:40 UTC
Created attachment 125619 [details, diff]

Upstream patch.
Comment 11 Sune Kloppenborg Jeppesen (RETIRED) gentoo-dev 2007-07-29 21:00:05 UTC
Caleb, did you see any public information about this yet? Disclosure date should have been friday, I wonder wether it was postponed.
Comment 12 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-02 18:19:44 UTC
*** Bug 187465 has been marked as a duplicate of this bug. ***
Comment 13 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-08-02 18:25:46 UTC
this is public now, sorry for the delay.
Arches, please test and mark stable:
qt-3.3.8-r3  and qt-4.3.0-r1 (target "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86 ~x86-fbsd"
Comment 14 Markus Rothe (RETIRED) gentoo-dev 2007-08-02 18:34:37 UTC
ppc64 stable
Comment 15 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2007-08-02 20:38:09 UTC
How about updating the qt.eclass as well when you throw a new qt ebuild into portage?

Currently I get circular dependency errors when updating world because 3.3.8-r3 is not listed in the QT3VERSIONS variable of qt.eclass...
Comment 16 Lars Wendler (Polynomial-C) (RETIRED) gentoo-dev 2007-08-02 20:43:22 UTC
Of course I mean qt3.eclass.
Comment 17 Christian Faulhammer (RETIRED) gentoo-dev 2007-08-02 21:19:46 UTC
x86 stable and qt3.eclass has been fixed by carlo, thanks.
Comment 18 Thomas Anderson (tanderson) (RETIRED) gentoo-dev 2007-08-03 00:00:49 UTC

All looks good here. Building kdelibs against qt-3.3.8-r3 works fine.
Is there anything additional to test so that I know that the vulnerability itself is fixed?

Portage (default-linux/amd64/2007.0, gcc-4.1.2, glibc-2.5-r4, 2.6.20-gentoo-r7 x86_64)
System uname: 2.6.20-gentoo-r7 x86_64 unknown
Gentoo Base System release 1.12.9
Timestamp of tree: Thu, 02 Aug 2007 19:01:01 +0000
ccache version 2.4 [enabled]
dev-java/java-config: 1.3.7, 2.0.33-r1
dev-lang/python:     2.4.4-r4
dev-python/pycrypto: 2.0.1-r6
dev-util/ccache:     2.4-r7
sys-apps/sandbox:    1.2.17
sys-devel/autoconf:  2.13, 2.61
sys-devel/automake:  1.5, 1.6.3, 1.7.9-r1, 1.8.5-r3, 1.9.6-r2, 1.10
sys-devel/binutils:  2.17
sys-devel/gcc-config: 1.3.16
sys-devel/libtool:   1.5.23b
virtual/os-headers:  2.6.21
CFLAGS="-march=athlon64 -O2 -pipe"
CONFIG_PROTECT="/etc /usr/kde/3.5/env /usr/kde/3.5/share/config /usr/kde/3.5/shutdown /usr/share/X11/xkb /usr/share/config"
CONFIG_PROTECT_MASK="/etc/env.d /etc/env.d/java/ /etc/gconf /etc/revdep-rebuild /etc/terminfo"
CXXFLAGS="-march=athlon64 -O2 -pipe"
FEATURES="ccache collision-protect distlocks metadata-transfer multilib-strict sandbox sfperms strict test userpriv"
PORTAGE_RSYNC_OPTS="--recursive --links --safe-links --perms --times --compress --force --whole-file --delete --delete-after --stats --timeout=180 --exclude=/distfiles --exclude=/local --exclude=/packages --filter=H_**/files/digest-*"
USE="X acl aiglx aim amd64 berkdb bitmap-fonts branding cli cracklib crypt cups dri fortran gdbm gpm gtk iconv imap ipv6 isdnlog libg++ midi mmx mpeg3 mudflap ncurses nls nptl nptlonly nvidia opengl openmp pam pcre perl pppd python qt3 readline reflection session sockets spl sqlite3 sse sse2 ssl tcpd test truetype-fonts type1-fonts unicode vim xcomposite xine xorg zlib" ALSA_CARDS="ali5451 als4000 atiixp atiixp-modem bt87x ca0106 cmipci emu10k1x ens1370 ens1371 es1938 es1968 fm801 hda-intel intel8x0 intel8x0m maestro3 trident usb-audio via82xx via82xx-modem ymfpci" ALSA_PCM_PLUGINS="adpcm alaw asym copy dmix dshare dsnoop empty extplug file hooks iec958 ioplug ladspa lfloat linear meter mulaw multi null plug rate route share shm softvol" ELIBC="glibc" INPUT_DEVICES="keyboard mouse evdev" KERNEL="linux" LCD_DEVICES="bayrad cfontz cfontz633 glk hd44780 lb216 lcdm001 mtxorb ncurses text" USERLAND="GNU" VIDEO_CARDS="nvidia"
Comment 19 Tristan Heaven (RETIRED) gentoo-dev 2007-08-03 03:57:37 UTC
/usr/portage/x11-libs/qt/qt-4.3.0-r1.ebuild: line 122: epatch/usr/portage/x11-libs/qt/files/0185-fix-format-strings.diff: No such file or directory

Try again.
Comment 20 Jakub Moc (RETIRED) gentoo-dev 2007-08-03 07:34:17 UTC
Yeah, Bug 187552... No point in stabilizing this ATM, plus it will IMO require another revbump because users silently failed to get the right patch for this issue w/ 4.3.0-r1 :(
Comment 21 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-03 13:43:20 UTC
sparc stable.
Comment 22 Carsten Lohrke (RETIRED) gentoo-dev 2007-08-03 23:45:04 UTC
Sorry for the typo guys, please do qt-3.3.8-r3 (if you didn't already) and qt-4.3.0-r2.
Comment 23 Tobias Scherbaum (RETIRED) gentoo-dev 2007-08-04 10:17:12 UTC
ppc stable
Comment 24 Raúl Porcel (RETIRED) gentoo-dev 2007-08-05 14:42:26 UTC
alpha/ia64/x86 stable
Comment 25 Gustavo Zacarias (RETIRED) gentoo-dev 2007-08-06 12:49:20 UTC
sparc stable.
Comment 26 Steve Dibb (RETIRED) gentoo-dev 2007-08-12 14:51:52 UTC
amd64 stable
Comment 27 Jeroen Roovers (RETIRED) gentoo-dev 2007-08-15 14:24:29 UTC
Both stable for HPPA.
Comment 28 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-08-22 22:42:19 UTC
GLSA 200708-16, sorry for the delay