CVE-2021-45930 (https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025): Qt SVG in Qt 5.0.0 through 6.2.1 has an out-of-bounds write in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend (called from QPainterPath::addPath and QPathClipper::intersect).
We need https://github.com/qt/qtsvg/commit/a3b753c2d077313fc9eb93af547051b956e383fc which I don't see within Qt5PatchCollection (please verify though).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f31718294562703e041b14042f569a67ac70cfb6

commit f31718294562703e041b14042f569a67ac70cfb6
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-04 11:31:30 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-04 11:58:15 +0000

    dev-qt/qtsvg: 5.15.2-r12 version bump at KDE 0cb681ea

    Fix CVE-2021-45930: Out of bounds write
    "Do stricter error checking when parsing path nodes"
    QTBUG: https://bugreports.qt.io/browse/QTBUG-96044 (login required)
    Upstream commit 5b9285c34731e67f9f1d61ec804740991f2a0380

    "SVG Image reading: Reject oversize svgs as corrupt"
    QTBUG: https://bugreports.qt.io/browse/QTBUG-95891
    Upstream commit 0cb681eacca0f757702fa409bb05d3d3650aba4e

    Bug: https://bugs.gentoo.org/830381
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtsvg/Manifest                | 1 +
 dev-qt/qtsvg/qtsvg-5.15.2-r12.ebuild | 25 +++++++++++++++++++++++++
 2 files changed, 26 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=7fee31b4c1d5530bf76c21e5fe853aa43f13b5a1

commit 7fee31b4c1d5530bf76c21e5fe853aa43f13b5a1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-01-20 12:19:39 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-01-20 13:24:21 +0000

    dev-qt/qtsvg: Cleanup vulnerable 5.15.2-r11

    Bug: https://bugs.gentoo.org/830381
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtsvg/Manifest                | 1 -
 dev-qt/qtsvg/qtsvg-5.15.2-r11.ebuild | 25 -------------------------
 2 files changed, 26 deletions(-)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=2456b87477e6ccf454b884c2405316b8102a652b

commit 2456b87477e6ccf454b884c2405316b8102a652b
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-05-08 09:13:29 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2024-05-08 09:13:49 +0000

    [ GLSA 202405-26 ] qtsvg: Multiple Vulnerabilities

    Bug: https://bugs.gentoo.org/830381
    Bug: https://bugs.gentoo.org/906465
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202405-26.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)