Bug 908085 (CVE-2023-33285, CVE-2023-34410) - <dev-qt/qtnetwork-5.15.9-r3, <dev-qt/qtbase-6.5.1: incorrect certificate validation
Status: RESOLVED FIXED
Alias: CVE-2023-33285, CVE-2023-34410
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL:
Whiteboard: A4 [noglsa]
Keywords:
Depends on: 907047 qt-5.15.10-stable
Blocks:
Reported: 2023-06-09 04:28 UTC by John Helmert III
Modified: 2023-08-16 05:42 UTC

See Also:
Package list:
Runtime testing required: ---


Description John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-09 04:28:03 UTC
CVE-2023-34410 (https://codereview.qt-project.org/c/qt/qtbase/+/477560):
https://codereview.qt-project.org/c/qt/qtbase/+/480002

An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.

Are we affected?
Comment 1 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-06-09 04:28:42 UTC
CVE-2023-33285 (https://codereview.qt-project.org/c/qt/qtbase/+/477644):

An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
Comment 2 Larry the Git Cow gentoo-dev 2023-06-10 09:34:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=524acfede1f643d6c8d7ff0c96e977cb2cd18378

commit 524acfede1f643d6c8d7ff0c96e977cb2cd18378
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-06-10 09:31:26 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-06-10 09:32:58 +0000

    dev-qt/qtnetwork: Fix CVE-2023-34410
    
    CVE-2023-33285 already fixed in dev-qt/qtnetwork-5.15.9-r2.
    
    Bug: https://bugs.gentoo.org/908085
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../files/qtnetwork-5.15.9-CVE-2023-34410.patch    | 113 +++++++++++++++++++++
 dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild        |  81 +++++++++++++++
 2 files changed, 194 insertions(+)
Comment 3 Larry the Git Cow gentoo-dev 2023-07-13 08:42:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d0556a48018dd0028b52b044b14349ae8b97046f

commit d0556a48018dd0028b52b044b14349ae8b97046f
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-07-13 07:35:58 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-07-13 08:42:04 +0000

    dev-qt/qtnetwork: drop 5.15.9
    
    Bug: https://bugs.gentoo.org/908085
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtnetwork/Manifest                          |   2 -
 .../files/qtnetwork-5.15.9-CVE-2023-32762.patch    |  39 -------
 .../files/qtnetwork-5.15.9-CVE-2023-34410.patch    | 113 ---------------------
 ....15.9-QDnsLookup-dont-overflow-the-buffer.patch | 103 -------------------
 .../qtnetwork-5.15.9-libproxy-0.5-pkgconfig.patch  |  32 ------
 dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild        |  80 ---------------
 dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild        |  81 ---------------
 dev-qt/qtnetwork/qtnetwork-5.15.9.ebuild           |  74 --------------
 8 files changed, 524 deletions(-)
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-07-23 22:28:34 UTC
What are the accurate fixed versions, then? Was qtbase ever affected in Gentoo?
Comment 5 Chiitoo gentoo-dev 2023-07-24 04:48:50 UTC
For qtbase, CVE-2023-33285 patch for 6.5.0 was added 2023-06-0, and 6.5.1 was added with the CVE-2023-34410 patch on 2023-06-10, with 6.5.0 being removed shortly after.
Comment 6 Andreas Sturmlechner gentoo-dev 2023-07-25 11:13:20 UTC
Fixing summary accordingly then.
Comment 7 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2023-08-16 05:42:10 UTC
Makes sense, thank you! All done then.