| Summary: | qtbase5 new security issues CVE-2018-15518 and CVE-2018-19873 | ||
|---|---|---|---|
| Product: | Mageia | Reporter: | David Walser <luigiwalser> |
| Component: | Security | Assignee: | QA Team <qa-bugs> |
| Status: | RESOLVED FIXED | QA Contact: | Sec team <security> |
| Severity: | normal | ||
| Priority: | Normal | CC: | andrewsfarm, geiger.david68210, lewyssmith, sysadmin-bugs |
| Version: | 6 | Keywords: | advisory, validated_update |
| Target Milestone: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | MGA6-32-OK MGA6-64-OK | ||
| Source RPM: | qtbase5-5.12.0-1.mga7.src.rpm | CVE: | |
| Status comment: | |||
Description
David Walser
2018-12-26 03:52:08 CET
David Walser
2018-12-26 03:52:14 CET
Whiteboard: (none) => MGA6TOO

Checked for release 5.12.0 in Cauldron, this one is not affected as it is already fixed upstream.

CC: (none) => geiger.david68210

Fixed for mga6!

Advisory:
========================

Updated qtbase5 packages fix security vulnerabilities:

Double free in QXmlStreamReader (CVE-2018-15518).

Denial of Service on malformed BMP file in QBmpHandler (CVE-2018-19873).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-15518
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19873
https://lists.opensuse.org/opensuse-updates/2018-12/msg00121.html
========================

Updated packages in core/updates_testing:
========================
qtbase5-common-5.9.4-1.2.mga6
qtbase5-common-devel-5.9.4-1.2.mga6
qtbase5-examples-5.9.4-1.2.mga6
qtbase5-doc-5.9.4-1.2.mga6
libqt5core5-5.9.4-1.2.mga6
libqt5core-devel-5.9.4-1.2.mga6
libqt5concurrent5-5.9.4-1.2.mga6
libqt5concurrent-devel-5.9.4-1.2.mga6
libqt5dbus5-5.9.4-1.2.mga6
libqt5dbus-devel-5.9.4-1.2.mga6
libqt5eglfsdeviceintegration5-5.9.4-1.2.mga6
libqt5eglfsdeviceintegration-devel-5.9.4-1.2.mga6
libqt5eglfskmssupport5-5.9.4-1.2.mga6
libqt5eglfskmssupport-devel-5.9.4-1.2.mga6
libqt5gui5-5.9.4-1.2.mga6
libqt5gui-devel-5.9.4-1.2.mga6
libqt5network5-5.9.4-1.2.mga6
libqt5network-devel-5.9.4-1.2.mga6
libqt5opengl5-5.9.4-1.2.mga6
libqt5opengl-devel-5.9.4-1.2.mga6
libqt5platformsupport-devel-5.9.4-1.2.mga6
libqt5printsupport5-5.9.4-1.2.mga6
libqt5printsupport-devel-5.9.4-1.2.mga6
libqt5sql5-5.9.4-1.2.mga6
libqt5sql-devel-5.9.4-1.2.mga6
libqt5test5-5.9.4-1.2.mga6
libqt5test-devel-5.9.4-1.2.mga6
libqt5widgets5-5.9.4-1.2.mga6
libqt5widgets-devel-5.9.4-1.2.mga6
libqt5xcbqpa5-5.9.4-1.2.mga6
libqt5xcbqpa-devel-5.9.4-1.2.mga6
libqt5xml5-5.9.4-1.2.mga6
libqt5xml-devel-5.9.4-1.2.mga6
libqt5base5-devel-5.9.4-1.2.mga6
libqt5accessibilitysupport-static-devel-5.9.4-1.2.mga6
libqt5linuxaccessibilitysupport-static-devel-5.9.4-1.2.mga6
libqt5bootstrap-static-devel-5.9.4-1.2.mga6
libqt5devicediscoverysupport-static-devel-5.9.4-1.2.mga6
libqt5eglsupport-static-devel-5.9.4-1.2.mga6
libqt5eventdispatchersupport-static-devel-5.9.4-1.2.mga6
libqt5fbsupport-static-devel-5.9.4-1.2.mga6
libqt5fontdatabasesupport-static-devel-5.9.4-1.2.mga6
libqt5glxsupport-static-devel-5.9.4-1.2.mga6
libqt5inputsupport-static-devel-5.9.4-1.2.mga6
libqt5kmssupport-static-devel-5.9.4-1.2.mga6
libqt5platformcompositorsupport-static-devel-5.9.4-1.2.mga6
libqt5servicesupport-static-devel-5.9.4-1.2.mga6
libqt5themesupport-static-devel-5.9.4-1.2.mga6
libqt5-database-plugin-odbc-5.9.4-1.2.mga6
libqt5-database-plugin-mysql-5.9.4-1.2.mga6
libqt5-database-plugin-sqlite-5.9.4-1.2.mga6
libqt5-database-plugin-tds-5.9.4-1.2.mga6
libqt5-database-plugin-pgsql-5.9.4-1.2.mga6

from qtbase5-5.9.4-1.2.mga6.src.rpm

Version: Cauldron => 6

Preparing to test Mageia 6 64-bit

The following 18 packages are going to be installed:

- lib64qt5-database-plugin-mysql-5.9.4-1.2.mga6.x86_64
- lib64qt5-database-plugin-sqlite-5.9.4-1.2.mga6.x86_64
- lib64qt5concurrent5-5.9.4-1.2.mga6.x86_64
- lib64qt5core5-5.9.4-1.2.mga6.x86_64
- lib64qt5dbus5-5.9.4-1.2.mga6.x86_64
- lib64qt5eglfsdeviceintegration5-5.9.4-1.2.mga6.x86_64
- lib64qt5eglfskmssupport5-5.9.4-1.2.mga6.x86_64
- lib64qt5gui5-5.9.4-1.2.mga6.x86_64
- lib64qt5network5-5.9.4-1.2.mga6.x86_64
- lib64qt5opengl5-5.9.4-1.2.mga6.x86_64
- lib64qt5printsupport5-5.9.4-1.2.mga6.x86_64
- lib64qt5sql5-5.9.4-1.2.mga6.x86_64
- lib64qt5test5-5.9.4-1.2.mga6.x86_64
- lib64qt5widgets5-5.9.4-1.2.mga6.x86_64
- lib64qt5xcbqpa5-5.9.4-1.2.mga6.x86_64
- lib64qt5xml5-5.9.4-1.2.mga6.x86_64
- qtbase5-common-5.9.4-1.2.mga6.x86_64
- qtbase5-examples-5.9.4-1.2.mga6.x86_64

which is what I happen to have. Afterwards, I shall use Plasma, only reporting -ve feedback, until this bug is OK'd generally.

This is the sort of update that the QA Repo tool was made for. Using "*5.9.4*" in the rpm field, the tool was able to pick out just the packages to be tested.

Testing on real hardware, 64-bit Plasma Mageia 6 with Athlon X2 and nvidia340 graphics, and 32-bit Plasma Mageia 6 on Intel i3 with Intel graphics. These packages are so integral to the function of Plasma that I think testing both arches is a good idea.

Packages updated include the same packages as Lewis listed in Comment 4, except for qtbase5-examples, which was not installed on my systems. Packages installed cleanly on both systems.

After a reboot (which shouldn't have been needed but I did it anyway), I tried this and that, with no issues noted. I do not have all QT applications installed, so of course I can't test them all. However, it appears that Plasma's basic functioning is unimpaired.

Giving this a tentative OK on both arches. If this test is insufficient, please advise. If no problems arise, I will validate in a day or two.

Whiteboard: (none) => MGA6-32-OK MGA6-64-OK

(In reply to Thomas Andrews from comment #5)
> Giving this a tentative OK on both arches. If this test is insufficient,
> please advise. If no problems arise, I will validate in a day or two.

I have had no problems running this update. Leave validation to you when you see fit.

Advisory done from comment 3.

Keywords: (none) => advisory

No problems here, either. Validating.

Keywords: (none) => validated_update

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2019-0025.html

Resolution: (none) => FIXED