Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 808531 (CVE-2021-38593) - <dev-qt/qtgui-5.15.2-r10: Out of bounds write (CVE-2021-38593)
Summary: <dev-qt/qtgui-5.15.2-r10: Out of bounds write (CVE-2021-38593)
Status: RESOLVED FIXED
Alias: CVE-2021-38593
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL:
Whiteboard: A3 [glsa+]
Keywords: PullRequest, UPSTREAM
Depends on: 806797
Blocks:
  Show dependency tree
 
Reported: 2021-08-16 00:34 UTC by Sam James
Modified: 2024-02-03 06:24 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-08-16 00:34:45 UTC
Description:
"Qt 5.0.0 through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke)."
Comment 2 Andreas Sturmlechner gentoo-dev 2021-08-21 11:38:33 UTC
Also depends on:

https://invent.kde.org/qt/backports-tracker/-/issues/259
Comment 3 Andreas Sturmlechner gentoo-dev 2021-08-22 21:37:27 UTC
Patches merged upstream.
Comment 4 Larry the Git Cow gentoo-dev 2021-08-25 14:36:38 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f01973dc8dbe0b64096e2467f9063976700e1884

commit f01973dc8dbe0b64096e2467f9063976700e1884
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-08-15 22:27:19 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-08-25 14:35:48 +0000

    dev-qt/qtgui: 5.15.2-r10 version bump at KDE c2ea67ec
    
    - EAPI-8
    - Fix CVE-2021-38593
    
    See also:
    https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566
    https://invent.kde.org/qt/qt/qtbase/-/merge_requests/47
    
    Bug: https://bugs.gentoo.org/808531
    Closes: https://bugs.gentoo.org/807871
    Package-Manager: Portage-3.0.22, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtgui/Manifest                |   1 +
 dev-qt/qtgui/qtgui-5.15.2-r10.ebuild | 185 +++++++++++++++++++++++++++++++++++
 2 files changed, 186 insertions(+)
Comment 5 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2021-10-17 00:33:25 UTC
Please cleanup
Comment 6 Larry the Git Cow gentoo-dev 2021-10-17 00:44:04 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b8fe578396ad2fa99ec407cc27cada67d85217b9

commit b8fe578396ad2fa99ec407cc27cada67d85217b9
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-10-17 00:37:32 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-10-17 00:40:25 +0000

    dev-qt/qtgui: Drop vulnerable 5.15.2-r2
    
    Bug: https://bugs.gentoo.org/808531
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtgui/Manifest                              |   2 -
 .../files/qtgui-5.15.2-bogus-xcb-util-dep.patch    |  72 --------
 dev-qt/qtgui/qtgui-5.15.2-r2.ebuild                | 190 ---------------------
 3 files changed, 264 deletions(-)
Comment 7 Andreas Sturmlechner gentoo-dev 2022-04-19 20:01:28 UTC
This cleanup happened, btw.
Comment 8 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-04-20 14:12:14 UTC
(In reply to Andreas Sturmlechner from comment #7)
> This cleanup happened, btw.

Yes, that's why 'cleanup' is no longer in the whiteboard
Comment 9 Larry the Git Cow gentoo-dev 2024-02-03 06:23:30 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=bf99e106687f9b6e6a78ef119c0842d716e4bf86

commit bf99e106687f9b6e6a78ef119c0842d716e4bf86
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2024-02-03 06:19:26 +0000
Commit:     John Helmert III <ajak@gentoo.org>
CommitDate: 2024-02-03 06:23:18 +0000

    [ GLSA 202402-03 ] QtGui: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/808531
    Bug: https://bugs.gentoo.org/907119
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: John Helmert III <ajak@gentoo.org>

 glsa-202402-03.xml | 44 ++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 44 insertions(+)