Dirk Mueller (KDE) discovered an Off-by-one Buffer overflow that could lead to the execution of arbitrary code or denial of service for Qt applications using malicious unicode input.
All versions in portage are affected. Patches here:
Upstream will release these patches as part of their next maintenance release.
Setting whiteboard and cc'ing maintainers.
qt, please provide a updated ebuilds.
CC'ing kde herd as per Philantrop's request.
my vote is to patch qt3 and qt4 and directly bump to stable without having to call in the arch teams. there's nothing intrusive about these patches whatsoever that would necessitate needing the arch teams to need to test.
does anyone object to that?
(In reply to comment #3)
> does anyone object to that?
May I say that I *agree* with your suggestion instead? ;)
given the content of the patchs, I agree too.
Quoting Dirk Mueller who discovered this:
It is not exploitable with Qt 4.x or above because there is an
additional QChar(0) being allocated in QString, however it is still a
bug there, as the array returned by utf16() etc is no longer
So this needs fixing for Qt3, but not necessarily for Qt4. If we do a stable bump, fixing it for Qt4 too doesn't cost too much either though.
ok, I've added qt-3.3.8-r4 and qt-4.3.1-r1 applying both of these patches
ppc is the only non-stable arch we need for 4.3.1-r1. mips is unstable for 3.3.8-r*, but we haven't heard from them in years so I doubt notifying of them of this is going to help.
(In reply to comment #7)
> ppc is the only non-stable arch we need for 4.3.1-r1. mips is unstable for
> 3.3.8-r*, but we haven't heard from them in years so I doubt notifying of them
> of this is going to help.
Thanks a lot for taking care so fast.
I'll leave a comment at bug 192134 for ppc.
mips, please stabilize qt-3.3.8-r4 if appropriate.
All arches but mips are stable. This is ready for a GLSA.
Anyone checked whether these patches collide with the utf8-bug patches? I'm wondering because they do work on the same code snippet.
they both apply properly on my machine
Will there be also a patch for 3.3.4?
I depend on 3.3.4 since qt 3.3.8 and Gentoo hardened have some problems. see bug #175996 for a description. So I would very happy for a supported 3.3.4 ebuild.
(In reply to comment #13)
> Will there be also a patch for 3.3.4?
That version is also unfixed for bug 172746 and bug 185446, so we either do this right or not at all.
Besides that, it's the decision of the qt herd / the hardened people.
I'm leaving it open to the hardened folks. Any patching that needs to be done to 3.3.4 is fine by me.
GLSA 200710-28 - sorry for the dealy