>Qt itself is not vulnerable to remote attack however an application >using QStringDecoder either directly or indirectly can be vulnerable. >This affects Qt 6.5.0->6.5.5, 6.6.x and 6.7.0. Sounds this does not affect Qt5 and is fixed in 6.7.1 which is due to release in a week or so. Meanwhile Qt has provided a patch[1] which I'll add to 6.7.0 soon. Given how trivial it is, think will skip stabilization process churn and just git mv if nothing comes up. [1] https://download.qt.io/official_releases/qt/6.7/CVE-2024-33861-qtbase-6.7.diff
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c2fb597e863fb296b5cdaf36e8b258b20c47d4a1 commit c2fb597e863fb296b5cdaf36e8b258b20c47d4a1 Author: Ionen Wolkens <ionen@gentoo.org> AuthorDate: 2024-05-02 12:24:58 +0000 Commit: Ionen Wolkens <ionen@gentoo.org> CommitDate: 2024-05-02 13:08:51 +0000 dev-qt/qtbase: backport fix for CVE-2024-33861 Bug: https://bugs.gentoo.org/931096 Signed-off-by: Ionen Wolkens <ionen@gentoo.org> .../qtbase/files/qtbase-6.7.0-CVE-2024-33861.patch | 23 ++++++++++++++++++++++ ...base-6.7.0-r1.ebuild => qtbase-6.7.0-r2.ebuild} | 1 + 2 files changed, 24 insertions(+)
All done from this end, no affected versions left.
The bug has been referenced in the following commit(s): https://gitweb.gentoo.org/data/glsa.git/commit/?id=29a5b16cc4c50389b3712f7d011fe04c7a771814 commit 29a5b16cc4c50389b3712f7d011fe04c7a771814 Author: GLSAMaker <glsamaker@gentoo.org> AuthorDate: 2025-06-12 07:35:56 +0000 Commit: Hans de Graaff <graaff@gentoo.org> CommitDate: 2025-06-12 07:36:23 +0000 [ GLSA 202506-06 ] Qt: Multiple Vulnerabilities Bug: https://bugs.gentoo.org/924647 Bug: https://bugs.gentoo.org/931096 Bug: https://bugs.gentoo.org/935869 Bug: https://bugs.gentoo.org/954261 Signed-off-by: GLSAMaker <glsamaker@gentoo.org> Signed-off-by: Hans de Graaff <graaff@gentoo.org> glsa-202506-06.xml | 58 ++++++++++++++++++++++++++++++++++++++++++++++++++++++ 1 file changed, 58 insertions(+)
