Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 541972 (CVE-2015-0295) - <dev-qt/qtgui-4.8.5-r4: DoS vulnerability in the BMP image handler (CVE-2015-0295)
Summary: <dev-qt/qtgui-4.8.5-r4: DoS vulnerability in the BMP image handler (CVE-2015-...
Status: RESOLVED FIXED
Alias: CVE-2015-0295
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal minor (vote)
Assignee: Gentoo Security
URL: http://lists.qt-project.org/pipermail...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks: qt-5.4.2-stable
  Show dependency tree
 
Reported: 2015-03-03 08:37 UTC by Agostino Sarubbo
Modified: 2015-05-11 20:09 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Agostino Sarubbo gentoo-dev 2015-03-03 08:37:28 UTC
From ${URL} :

Title:        DoS vulnerability in the BMP image handler
Risk Rating:  Low
CVE:          CVE-2015-0295
Platforms:    All
Modules:      QtBase
Versions:     All versions before 5.5
Author:       Richard J. Moore <rich at kde.org>
Date:         22 February 2015

Overview
--------

The builtin BMP decoder in QtGui prior to Qt 5.5 contained a bug that would
lead to a divsion by zero when loading certain corrupt BMP files. This in
turn
would cause the application loading these hand crafted BMPs to crash.

Details
-------

It is possible to construct BMP files such that when calculating the masks
required to extract the colour components a division by zero occurred.

Impact
------

An application loading the malicious BMP file will crash.

Workaround
----------

None

Solution
--------

Upgrade to Qt 5.5 once released or apply the patches below:

For Qt 5.0 to 5.4:

https://codereview.qt-project.org/106929

For Qt 4.8:

https://codereview.qt-project.org/107108



@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Comment 1 Davide Pesavento gentoo-dev 2015-03-03 13:49:33 UTC
So let me understand... every crash is a security vulnerability now? A division-by-zero is not exploitable by itself afaik.
Comment 2 Kristian Fiskerstrand gentoo-dev Security 2015-03-03 13:58:52 UTC
(In reply to Davide Pesavento from comment #1)
> So let me understand... every crash is a security vulnerability now? A
> division-by-zero is not exploitable by itself afaik.

It is if it is not caught and as such crashes: resulting in Denial of Service.
Comment 3 Davide Pesavento gentoo-dev 2015-03-03 14:01:38 UTC
So every externally triggerable crash is a DoS?
Comment 4 Kristian Fiskerstrand gentoo-dev Security 2015-03-03 14:14:49 UTC
(In reply to Davide Pesavento from comment #3)
> So every externally triggerable crash is a DoS?

Basically yes, although it would in some circumstances depend on the security properties stated by the upstream. I haven't looked into this bug too closely but I imagine it is caused due to a CWE-20: Improper Input Validation.
Comment 5 Michael Palimaka (kensington) gentoo-dev 2015-03-16 16:29:36 UTC
In overlay.

https://gitweb.gentoo.org/proj/qt.git/commit/?id=04813ef4c2153cb4e91af61b48561f15909527c8
Comment 6 Davide Pesavento gentoo-dev 2015-03-16 16:51:50 UTC
4.8.{5,6} need patching too -> git fetch https://codereview.qt-project.org/qt/qt refs/changes/08/107108/4 && git format-patch -1 --stdout FETCH_HEAD

You can revbump both in tree and stabilize 4.8.5-r4
Comment 7 Michael Palimaka (kensington) gentoo-dev 2015-03-17 14:24:13 UTC
Thanks, fixed in CVS.

+  17 Mar 2015; Michael Palimaka <kensington@gentoo.org>
+  +files/qtgui-5.4.1-CVE-2015-0295.patch, +qtgui-5.4.1-r1.ebuild,
+  -qtgui-5.4.1.ebuild:
+  Backport patch from upstream to solve CVE-2015-0295 wrt bug #541972.
Comment 8 Michael Palimaka (kensington) gentoo-dev 2015-03-17 14:43:48 UTC
Thanks Davide, 4.8 done too.

+  17 Mar 2015; Michael Palimaka <kensington@gentoo.org>
+  +files/qtgui-4.8.5-CVE-2015-0295.patch, +qtgui-4.8.5-r4.ebuild,
+  +qtgui-4.8.6-r2.ebuild, -qtgui-4.8.6-r1.ebuild:
+  Backport patch from upstream to solve CVE-2015-0295 wrt bug #541972.

Arch teams, please test and stabilise dev-qt/qtgui-4.8.5-r4.

Target KEYWORDS="alpha amd64 arm hppa ia64 ppc ppc64 sparc x86".
Comment 9 Agostino Sarubbo gentoo-dev 2015-03-18 08:33:01 UTC
amd64 stable
Comment 10 Andreas Schürch gentoo-dev 2015-03-18 12:50:09 UTC
x86 done.
Comment 11 Jeroen Roovers gentoo-dev 2015-03-19 17:49:06 UTC
Stable for HPPA.
Comment 12 Agostino Sarubbo gentoo-dev 2015-03-25 16:08:05 UTC
ia64 stable
Comment 13 Agostino Sarubbo gentoo-dev 2015-03-26 11:23:06 UTC
ppc stable
Comment 14 Agostino Sarubbo gentoo-dev 2015-03-26 11:30:14 UTC
ppc64 stable
Comment 15 Markus Meier gentoo-dev 2015-03-28 06:56:07 UTC
arm stable
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2015-03-28 17:25:45 UTC
CVE-2015-0295 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-0295):
  The BMP decoder in QtGui in QT before 5.5 does not properly calculate the
  masks used to extract the color components, which allows remote attackers to
  cause a denial of service (divide-by-zero and crash) via a crafted BMP file.
Comment 17 Agostino Sarubbo gentoo-dev 2015-03-30 09:51:33 UTC
sparc stable
Comment 18 Agostino Sarubbo gentoo-dev 2015-03-30 10:04:07 UTC
alpha stable.

Maintainer(s), please cleanup.
Security, please vote.
Comment 19 Michael Palimaka (kensington) gentoo-dev 2015-03-30 14:02:54 UTC
+  30 Mar 2015; Michael Palimaka <kensington@gentoo.org> -qtgui-4.8.5-r3.ebuild:
+  Remove old.
Comment 20 Yury German Gentoo Infrastructure gentoo-dev Security 2015-04-04 15:21:26 UTC
Arches and Maintainer(s), Thank you for your work.

GLSA Vote: Yes
Comment 21 Kristian Fiskerstrand gentoo-dev Security 2015-05-11 16:04:05 UTC
GLSA Vote: No
Comment 22 Mikle Kolyada archtester Gentoo Infrastructure gentoo-dev Security 2015-05-11 20:09:38 UTC
GLSA vote: no.

Closing as [noglsa]