From https://bugzilla.redhat.com/show_bug.cgi?id=1210675:
Fuzzing test revealed that for certain malformed gif files, the handler would segfault.
Upstream fix: https://codereview.qt-project.org/#/c/108248/

From https://bugzilla.redhat.com/show_bug.cgi?id=1210674:
Fuzzing test revealed that for certain malformed ico files, the handler would segfault.
Upstream fix: https://codereview.qt-project.org/#/c/108312/

From https://bugzilla.redhat.com/show_bug.cgi?id=1210673:
Fuzzing test revealed that for certain malformed bmp files, the handler would segfault.
Upstream fix: https://codereview.qt-project.org/#/c/108312/

@maintainer(s): after the bump, in case we need to stabilize the package, please let us know if it is ready for the stabilization or not.
Upstream announcement: http://lists.qt-project.org/pipermail/announce/2015-April/000067.html
Are we waiting for the next release, or shall we apply the patches?
(In reply to Ben de Groot from comment #2)
> Are we waiting for the next release, or shall we apply the patches?

I have no strong preference either way. Both 4.8.7 and 5.4.2 releases are quite close. Personally I'd apply the patches to 4.8.5 and 4.8.6 (and stabilize the former), but I'd wait for the 5.4.2 release. But please feel free to proceed in whichever way you prefer, as I don't have time to do it myself.
+ 07 May 2015; Ben de Groot <yngwin@gentoo.org>
+ +files/qtgui-4.8.6-CVE-2015-1858.patch,
+ +files/qtgui-4.8.6-CVE-2015-1860.patch, +qtgui-4.8.6-r4.ebuild:
+ Apply upstream patches for bug #546174. Fixes CVE-2015-1858, CVE-2015-1859,
+ CVE-2015-1860.

This commit fixes it for Qt4. This is a candidate for stabilization in bug #530238. For Qt5 this will be fixed in the upcoming 5.4.2 release.
Qt 5 is taken care of too.

+ 16 May 2015; Michael Palimaka <kensington@gentoo.org>
+ +files/qtgui-5.4.1-CVE-2015-1858-1859.patch,
+ +files/qtgui-5.4.1-CVE-2015-1860.patch, +qtgui-5.4.1-r2.ebuild,
+ -qtgui-5.4.1-r1.ebuild:
+ Backport patches from upstream to solve CVE-2015-1858, CVE-2015-1859, and
+ CVE-2015-1860 wrt bug #546174.
CVE-2015-1860 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1860): Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted GIF image.
(In reply to Michael Palimaka (kensington) from comment #5)
> Qt 5 is taken care of too.

Since there hasn't been a stable Qt5 version yet, no further action is needed from the Qt team (except removing 4.8.5 after bug 530238 is taken care of).
CVE-2015-1859 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1859): Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted ICO image.

CVE-2015-1858 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1858): Multiple buffer overflows in the QtBase module in Qt before 4.8.7 and 5.x before 5.4.2 allow remote attackers to cause a denial of service and possibly execute arbitrary code via a crafted BMP image.
Affected Qt 4 versions have been removed as well, so no tree versions are affected now.
https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2f38ee0ac7e073edbf0018b93b78e035081ff595
GLSA Vote: No
Vote: YES.
Arches and Maintainer(s), thank you for your work.

GLSA Vote: Yes

New GLSA Request filed.
This issue was resolved and addressed in GLSA 201603-10 at https://security.gentoo.org/glsa/201603-10 by GLSA coordinator Kristian Fiskerstrand (K_F).