906465 – (CVE-2023-32573) <dev-qt/qtsvg-5.15.9-r1: Uninitialized variable usage in m_unitsPerEm

Bug 906465 (CVE-2023-32573) - <dev-qt/qtsvg-5.15.9-r1: Uninitialized variable usage in m_unitsPerEm

Summary: <dev-qt/qtsvg-5.15.9-r1: Uninitialized variable usage in m_unitsPerEm

Status:	IN_PROGRESS

Alias:	CVE-2023-32573

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal (vote)
Assignee:	Gentoo Security

URL:	https://invent.kde.org/qt/qt/qtsvg/-/...
Whiteboard:	B4 [glsa]
Keywords:

Depends on:	905842
Blocks:
	Show dependency tree

Reported:	2023-05-15 19:21 UTC by Sam James
Modified:	2024-03-24 07:21 UTC (History)
CC List:	2 users (show)

See Also:
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Sam James archtester

2023-05-15 19:21:30 UTC

"In Qt before 5.15.14, 6.0.x through 6.2.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1, QtSvg QSvgFont m_unitsPerEm initialization is mishandled."

Comment 1 Sam James archtester

2023-05-15 19:21:56 UTC

Stable bug is done so only really need qt@ to confirm this is the same bug fixed in 5.15.9-r1.

Comment 2 Andreas Sturmlechner gentoo-dev

2023-05-18 15:29:11 UTC

That's what that commit appeared to do.

Comment 3 Andreas Sturmlechner gentoo-dev

2023-05-23 21:03:10 UTC

See also:
https://www.qt.io/blog/security-advisory-qt-svg
https://download.qt.io/official_releases/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff