Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 530238 (qt-4.8.6-stable) - Qt 4.8.6-r1 stable request (CVE-2015-1860)
Summary: Qt 4.8.6-r1 stable request (CVE-2015-1860)
Status: RESOLVED FIXED
Alias: qt-4.8.6-stable
Product: Gentoo Linux
Classification: Unclassified
Component: [OLD] Keywording and Stabilization (show other bugs)
Hardware: All Linux
: Normal normal with 2 votes (vote)
Assignee: Qt Bug Alias
URL:
Whiteboard:
Keywords: STABLEREQ
: 545026 545100 (view as bug list)
Depends on: 524924 529196 529398 532422 532510 545106 545142 547350 547998 548622
Blocks: multilib-stable qt-5.4.2-stable CVE-2015-1858, CVE-2015-1859, CVE-2015-1860
  Show dependency tree
 
Reported: 2014-11-23 20:48 UTC by Michał Górny
Modified: 2015-10-18 20:34 UTC (History)
15 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-11-23 20:48:23 UTC
Probably quite early but we should start thinking about it. Or dropping stable keywords from the only multilib revdep :).
Comment 1 Davide Pesavento gentoo-dev 2014-11-23 21:51:33 UTC
(In reply to Michał Górny from comment #0)
> Or dropping stable keywords from the only multilib revdep :).

What are you talking about?
Comment 2 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-11-23 22:02:45 UTC
(In reply to Davide Pesavento from comment #1)
> (In reply to Michał Górny from comment #0)
> > Or dropping stable keywords from the only multilib revdep :).
> 
> What are you talking about?

games-kids/crayon-physics is the only stable thing needing multilib Qt4. We can either stabilize Qt4 or drop stable keywords from it to make way for no-emul-linux-x86 stable systems.
Comment 3 Davide Pesavento gentoo-dev 2014-11-23 22:19:31 UTC
It's clearly too early to stabilize 4.8.6-r1, plus there are known regressions.
Please drop that package to ~arch. It should have never gone stable anyway.
Comment 4 Michał Górny archtester Gentoo Infrastructure gentoo-dev Security 2014-11-23 22:47:19 UTC
(In reply to Davide Pesavento from comment #3)
> It's clearly too early to stabilize 4.8.6-r1, plus there are known
> regressions.
> Please drop that package to ~arch. It should have never gone stable anyway.

Just to be clear, it went stable using emul-linux-x86-qtlibs.
Comment 5 Davide Pesavento gentoo-dev 2015-03-30 10:56:04 UTC
*** Bug 545026 has been marked as a duplicate of this bug. ***
Comment 6 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-03-30 21:23:35 UTC
*** Bug 545098 has been marked as a duplicate of this bug. ***
Comment 7 Alexandre Rostovtsev (RETIRED) gentoo-dev 2015-03-30 21:26:41 UTC
*** Bug 545100 has been marked as a duplicate of this bug. ***
Comment 8 Davide Pesavento gentoo-dev 2015-03-30 21:46:59 UTC
I think at this point it's better to CC arches and proceed with the stabilization.
Comment 9 Ben de Groot (RETIRED) gentoo-dev 2015-05-10 12:42:26 UTC
Arches, please test and mark stable:

dev-qt/assistant-4.8.6-r1
dev-qt/designer-4.8.6-r1
dev-qt/linguist-4.8.6-r1
dev-qt/pixeltool-4.8.6-r1
dev-qt/qdbusviewer-4.8.6-r1
dev-qt/qt3support-4.8.6-r1
dev-qt/qtbearer-4.8.6-r1
dev-qt/qtcore-4.8.6-r2
dev-qt/qtdbus-4.8.6-r1
dev-qt/qtdeclarative-4.8.6-r1
dev-qt/qtdemo-4.8.6-r1
dev-qt/qtgui-4.8.6-r4
dev-qt/qthelp-4.8.6-r3
dev-qt/qtmultimedia-4.8.6-r1
dev-qt/qtopengl-4.8.6-r1
dev-qt/qtopenvg-4.8.6-r1
dev-qt/qtphonon-4.8.6-r1
dev-qt/qtscript-4.8.6-r2
dev-qt/qtsql-4.8.6-r1
dev-qt/qtsvg-4.8.6-r1
dev-qt/qttest-4.8.6-r1
dev-qt/qttranslations-4.8.6-r1
dev-qt/qtwebkit-4.8.6-r1
dev-qt/qtxmlpatterns-4.8.6-r1

Some ebuilds have not been keyworded on certain minor arches, so on those arches the specific ebuilds can be skipped.
Comment 10 Ben de Groot (RETIRED) gentoo-dev 2015-05-10 13:02:04 UTC
Note that 4.8.6-r1 is especially important for amd64, because it introduces eclass-based multilib, and has multiple related fixes.

Other arches may opt to wait until 4.8.7, which is expected to be released next week, and for which we will file a stable request within a month after release.
Comment 11 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-05-11 13:56:52 UTC
(In reply to Ben de Groot from comment #9)
> Arches, please test and mark stable:
> 
> dev-qt/assistant-4.8.6-r1
> dev-qt/designer-4.8.6-r1
> dev-qt/linguist-4.8.6-r1
> dev-qt/pixeltool-4.8.6-r1
> dev-qt/qdbusviewer-4.8.6-r1
> dev-qt/qt3support-4.8.6-r1
> dev-qt/qtbearer-4.8.6-r1
> dev-qt/qtcore-4.8.6-r2
> dev-qt/qtdbus-4.8.6-r1
> dev-qt/qtdeclarative-4.8.6-r1
> dev-qt/qtdemo-4.8.6-r1
> dev-qt/qtgui-4.8.6-r4
> dev-qt/qthelp-4.8.6-r3
> dev-qt/qtmultimedia-4.8.6-r1
> dev-qt/qtopengl-4.8.6-r1
> dev-qt/qtopenvg-4.8.6-r1
> dev-qt/qtphonon-4.8.6-r1
> dev-qt/qtscript-4.8.6-r2
> dev-qt/qtsql-4.8.6-r1
> dev-qt/qtsvg-4.8.6-r1
> dev-qt/qttest-4.8.6-r1
> dev-qt/qttranslations-4.8.6-r1
> dev-qt/qtwebkit-4.8.6-r1
> dev-qt/qtxmlpatterns-4.8.6-r1
> 
> Some ebuilds have not been keyworded on certain minor arches, so on those
> arches the specific ebuilds can be skipped.

++ dev-qt/qtchooser
Comment 12 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-05-11 15:03:29 UTC
amd64 stable
Comment 13 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-05-15 12:59:03 UTC
x86 stable
Comment 14 Jeroen Roovers gentoo-dev 2015-05-16 10:12:05 UTC
Stable for HPPA PPC64.
Comment 15 Pacho Ramos gentoo-dev 2015-05-16 11:35:33 UTC
ppc stable
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-05-16 23:07:49 UTC
CVE-2015-1860 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1860):
  Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x
  before 5.4.2 allow remote attackers to cause a denial of service and
  possibly execute arbitrary code via a crafted GIF image.
Comment 17 Markus Meier gentoo-dev 2015-05-30 11:07:48 UTC
arm stable
Comment 18 Tobias Klausmann gentoo-dev 2015-07-05 21:17:57 UTC
Stable on alpha. Removed associated mask.
Comment 19 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-08-06 14:03:36 UTC
ia64 stable
Comment 20 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-10-18 09:42:15 UTC
sparc stable.
Comment 21 Davide Pesavento gentoo-dev 2015-10-18 20:34:57 UTC
Awesome, that was the last arch therefore we can finally close this bug.

Removal of the vulnerable version(s) will be handled in bug 546174.