Bug 192472 - x11-libs/qt convertToUnicode Off-by-one Buffer overflow (CVE-2007-4137)
Summary: x11-libs/qt convertToUnicode Off-by-one Buffer overflow (CVE-2007-4137)
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High major
Assignee: Gentoo Security
Whiteboard: A2 [glsa]
Depends on: 192134
Reported: 2007-09-14 00:24 UTC by Robert Buchholz (RETIRED)
Modified: 2020-04-03 06:58 UTC
CC List: 4 users

See Also:
Package list:
Runtime testing required: ---
Description Robert Buchholz (RETIRED) gentoo-dev 2007-09-14 00:24:30 UTC
Dirk Mueller (KDE) discovered an off-by-one buffer overflow that could lead to the execution of arbitrary code or denial of service for Qt applications using malicious Unicode input.

All versions in portage are affected. Patches here:

Upstream will release these patches as part of their next maintenance release.
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-09-14 00:26:34 UTC
Setting whiteboard and cc'ing maintainers.

qt, please provide updated ebuilds.
Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2007-09-14 16:06:02 UTC
CC'ing kde herd as per Philantrop's request.
Comment 3 Caleb Tennis (RETIRED) gentoo-dev 2007-09-14 16:50:09 UTC
My vote is to patch qt3 and qt4 and directly bump to stable without having to call in the arch teams. There's nothing intrusive about these patches whatsoever that would necessitate the arch teams needing to test.

Does anyone object to that?
Comment 4 Wulf Krueger (RETIRED) gentoo-dev 2007-09-14 17:26:49 UTC
(In reply to comment #3)
> Does anyone object to that?

May I say that I *agree* with your suggestion instead? ;)
Comment 5 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-09-14 20:35:44 UTC
Given the content of the patches, I agree too.
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-09-14 21:04:10 UTC
Quoting Dirk Mueller who discovered this:
    It is not exploitable with Qt 4.x or above because there is an additional QChar(0) being allocated in QString, however it is still a bug there, as the array returned by utf16() etc is no longer terminated properly.

So this needs fixing for Qt3, but not necessarily for Qt4. If we do a stable bump, fixing it for Qt4 too doesn't cost too much either though.
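An added illustration of the distinction Dirk Mueller draws above; this is a hypothetical model written for this page, not code from Qt or from the patches attached to this bug. It assumes nothing about the real converter beyond what the quote states: Qt4-style storage carries one extra QChar(0) after the logical length, Qt3-style storage does not, and the defect is a conversion that emits one code unit more than it sized the buffer for.

```cpp
// Hypothetical model of the two storage layouts, not Qt's own code:
// spare == 0 allocates exactly `len` code units (the Qt3-style case),
// spare == 1 allocates one extra unit holding QChar(0) (the Qt4-style case).
#include <algorithm>
#include <cstddef>
#include <vector>
struct Utf16Buf {
    std::vector<char16_t> units; // backing allocation, zero-filled
    std::size_t len;             // logical string length in UTF-16 code units
};

Utf16Buf allocate(std::size_t len, std::size_t spare) {
    return Utf16Buf{std::vector<char16_t>(len + spare, u'\0'), len};
}

// Bounds-checked store: refuses the write instead of running past the allocation.
bool store_units(Utf16Buf& b, std::size_t off, const std::vector<char16_t>& src) {
    if (src.size() > b.units.size() || off > b.units.size() - src.size()) return false;
    std::copy(src.begin(), src.end(), b.units.begin() + off);
    return true;
}

// True if the slot just past the logical length exists and still holds QChar(0).
bool terminated(const Utf16Buf& b) {
    return b.len < b.units.size() && b.units[b.len] == u'\0';
}

struct Outcome { bool stored; bool term_ok; };

// A converter that emits one code unit more than it sized the buffer for (the
// off-by-one). With spare == 0 the check rejects the write that an unchecked
// converter would have turned into a heap overflow; with spare == 1 the extra
// unit lands in the terminator slot, so the write is in bounds but the
// terminator is gone, which is the Qt4 situation described above.
Outcome off_by_one(std::size_t spare) {
    const std::size_t len = 4;
    Utf16Buf b = allocate(len, spare);
    std::vector<char16_t> produced(len + 1, u'A'); // one unit too many
    bool ok = store_units(b, 0, produced);
    return Outcome{ok, terminated(b)};
}

// A correctly sized conversion leaves the spare QChar(0) intact.
Outcome exact_fit(std::size_t spare) {
    const std::size_t len = 4;
    Utf16Buf b = allocate(len, spare);
    std::vector<char16_t> produced(len, u'A');
    return Outcome{store_units(b, 0, produced), terminated(b)};
}
```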
Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2007-09-14 21:31:06 UTC
OK, I've added qt-3.3.8-r4 and qt-4.3.1-r1 applying both of these patches.

ppc is the only non-stable arch we need for 4.3.1-r1. mips is unstable for 3.3.8-r*, but we haven't heard from them in years so I doubt notifying them of this is going to help.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-09-14 21:50:17 UTC
(In reply to comment #7)
> ppc is the only non-stable arch we need for 4.3.1-r1. mips is unstable for
> 3.3.8-r*, but we haven't heard from them in years so I doubt notifying them
> of this is going to help.

Thanks a lot for taking care so fast.

I'll leave a comment at bug 192134 for ppc.
mips, please stabilize qt-3.3.8-r4 if appropriate.
Comment 9 Robert Buchholz (RETIRED) gentoo-dev 2007-09-14 21:52:25 UTC
Comment 10 Robert Buchholz (RETIRED) gentoo-dev 2007-09-15 10:45:49 UTC
All arches but mips are stable. This is ready for a GLSA.
Comment 11 Sebastian 2007-09-15 11:06:27 UTC
Anyone checked whether these patches collide with the utf8-bug patches? I'm wondering because they do work on the same code snippet.

Comment 12 Caleb Tennis (RETIRED) gentoo-dev 2007-09-15 11:21:29 UTC
They both apply properly on my machine.
Comment 13 Christian Korff 2007-09-15 18:28:04 UTC
Will there also be a patch for 3.3.4?

I depend on 3.3.4 since qt 3.3.8 and Gentoo hardened have some problems; see bug #175996 for a description. So I would be very happy about a supported 3.3.4 ebuild.
Comment 14 Robert Buchholz (RETIRED) gentoo-dev 2007-09-16 04:02:08 UTC
(In reply to comment #13)
> Will there also be a patch for 3.3.4?

That version is also unfixed for bug 172746 and bug 185446, so we either do this right or not at all.
Besides that, it's the decision of the qt herd / the hardened people.
Comment 15 Caleb Tennis (RETIRED) gentoo-dev 2007-09-25 13:02:13 UTC
I'm leaving it open to the hardened folks.  Any patching that needs to be done to 3.3.4 is fine by me.
Comment 16 Raphael Marichez (Falco) (RETIRED) gentoo-dev 2007-10-25 22:13:23 UTC
GLSA 200710-28 - sorry for the delay.