Bug 29977

Summary: qtbase5, ktexteditor, kate new security issue CVE-2022-23853 / CVE-2022-25255
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: KDE maintainers <kde>
Status: RESOLVED OLD QA Contact: Sec team <security>
Severity: critical    
Priority: Normal CC: geiger.david68210, nicolas.salguero
Version: 8   
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Source RPM: ktexteditor-5.88.0-2.mga9.src.rpm, kate-21.12.0-1.mga9.src.rpm CVE:
Status comment: Patches available from upstream
Bug Depends on: 31545    
Bug Blocks:    

Description David Walser 2022-01-31 16:13:52 CET 
KDE has issued an advisory today (January 31):
https://kde.org/info/security/advisory-20220131-1.txt

Upstream commits to fix the issue are linked in the advisory above.

Mageia 8 is also affected.
David Walser 2022-01-31 16:14:04 CET

Whiteboard: (none) => MGA8TOO
Status comment: (none) => Patches available from upstream

Comment 1 David Walser 2022-02-08 22:27:51 CET 
Fedora has issued an advisory for Kate today (February 8):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/EZYXB76JRC5HAOAK2N635KJFOZ2ARVSR/
Comment 2 David Walser 2022-03-15 20:02:55 CET 
The root cause of this issue was patched upstream in Qt itself and that fix was assigned a new CVE (CVE-2022-25255).  Qt4 is also affected.

SUSE has issued an advisory for this today (March 15):
https://lists.suse.com/pipermail/sle-security-updates/2022-March/010443.html

Summary: ktexteditor, kate new security issue CVE-2022-23853 => qt4, qtbase5, ktexteditor, kate new security issue CVE-2022-23853 / CVE-2022-25255

Comment 4 David Walser 2022-11-09 03:31:09 CET 
RedHat has issued an advisory for this today (November 8):
https://access.redhat.com/errata/RHSA-2022:7482
David Walser 2023-02-13 18:22:16 CET

Depends on: (none) => 31545

Comment 5 David GEIGER 2023-02-13 19:22:01 CET 
For Cauldron CVE-2022-23853 and CVE-2022-25255 seems fixed with:

- kate-22.12.0-1.mga9
- ktexteditor-5.102.0-1.mga9
- qtbase5-5.15.7-4.mga9 (CVE-2022-25255 with patch 0165-QProcess-Unix-ensure-we-don-t-accidentally-execute-s.patch)
- qtbase6-6.4.1-5.mga9

For Qt4 I don't know if there is a fix or if it is affected??

CC: (none) => geiger.david68210

Comment 6 David Walser 2023-02-13 23:44:53 CET 
Qt4 is mentioned in the bug title here:
https://bugzilla.suse.com/show_bug.cgi?id=1196501

but nowhere else in that bug, and nobody has patched it.  I'll remove it.

Summary: qt4, qtbase5, ktexteditor, kate new security issue CVE-2022-23853 / CVE-2022-25255 => qtbase5, ktexteditor, kate new security issue CVE-2022-23853 / CVE-2022-25255
Whiteboard: MGA8TOO => (none)
Version: Cauldron => 8

Comment 7 David Walser 2023-02-20 22:38:29 CET 
(In reply to David Walser from comment #2)
> The root cause of this issue was patched upstream in Qt itself and that fix
> was assigned a new CVE (CVE-2022-25255).  Qt4 is also affected.
> 
> SUSE has issued an advisory for this today (March 15):
> https://lists.suse.com/pipermail/sle-security-updates/2022-March/010443.html

qtbase5 fixed in:
https://advisories.mageia.org/MGASA-2023-0051.html
David Walser 2023-05-19 20:49:12 CEST

Depends on: (none) => 31940

David Walser 2023-05-22 20:00:11 CEST

Depends on: 31940 => (none)

Comment 8 Nicolas Salguero 2024-01-12 09:37:24 CET 
Mageia 8 EOL

Resolution: (none) => OLD
CC: (none) => nicolas.salguero
Status: NEW => RESOLVED