Bug 31940

Summary: qtbase5 new security issues CVE-2023-3276[23]
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: andrewsfarm, davidwhodgins, geiger.david68210, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-32-OK MGA8-64-OK
Source RPM: qtbase5-5.15.7-4.mga9.src.rpm CVE:
Status comment:

Description David Walser 2023-05-19 20:48:53 CEST 
Fedora has issued an advisory on May 18:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/JOTXCTZAIHUV2MKEPOPE3QDWDQRQN7TL/

Mageia 8 is also affected.
David Walser 2023-05-19 20:49:12 CEST

Whiteboard: (none) => MGA8TOO
Blocks: (none) => 29977

Comment 1 David GEIGER 2023-05-22 19:45:26 CEST 
Done for both mga8 and Cauldron!

CC: (none) => geiger.david68210

Comment 2 David Walser 2023-05-22 19:57:20 CEST 
(In reply to David GEIGER from comment #1)
> Done for both mga8 and Cauldron!

Thanks, I see you addressed the CVEs in this bug.  What about Bug 29977?

Whiteboard: MGA8TOO => (none)

Comment 3 David Walser 2023-05-22 19:58:47 CEST 
(In reply to David Walser from comment #2)
> (In reply to David GEIGER from comment #1)
> > Done for both mga8 and Cauldron!
> 
> Thanks, I see you addressed the CVEs in this bug.  What about Bug 29977?

To answer my own question, qtbase5 has already been addressed for that bug, it's kate/ktexteditor that have yet to be fixed.

Version: Cauldron => 8

Comment 4 David Walser 2023-05-22 20:00:11 CEST 
qtbase5-doc-5.15.2-4.9.mga8
qtbase5-examples-5.15.2-4.9.mga8
libqt5themesupport-static-devel-5.15.2-4.9.mga8
libqt5linuxaccessibilitysupport-static-devel-5.15.2-4.9.mga8
libqt5bootstrap-static-devel-5.15.2-4.9.mga8
libqt5gui5-5.15.2-4.9.mga8
libqt5inputsupport-static-devel-5.15.2-4.9.mga8
libqt5core5-5.15.2-4.9.mga8
qtbase5-common-devel-5.15.2-4.9.mga8
libqt5gui-devel-5.15.2-4.9.mga8
libqt5widgets5-5.15.2-4.9.mga8
libqt5fontdatabasesupport-static-devel-5.15.2-4.9.mga8
libqt5fbsupport-static-devel-5.15.2-4.9.mga8
libqt5core-devel-5.15.2-4.9.mga8
libqt5eglsupport-static-devel-5.15.2-4.9.mga8
libqt5widgets-devel-5.15.2-4.9.mga8
libqt5opengl-devel-5.15.2-4.9.mga8
libqt5eventdispatchersupport-static-devel-5.15.2-4.9.mga8
libqt5kmssupport-static-devel-5.15.2-4.9.mga8
libqt5network5-5.15.2-4.9.mga8
libqt5platformcompositorsupport-static-devel-5.15.2-4.9.mga8
libqt5devicediscoverysupport-static-devel-5.15.2-4.9.mga8
libqt5vulkansupport-static-devel-5.15.2-4.9.mga8
libqt5xcbqpa5-5.15.2-4.9.mga8
qtbase5-common-5.15.2-4.9.mga8
libqt5eglfsdeviceintegration5-5.15.2-4.9.mga8
libqt5servicesupport-static-devel-5.15.2-4.9.mga8
libqt5xkbcommonsupport-static-devel-5.15.2-4.9.mga8
libqt5edid-devel-5.15.2-4.9.mga8
libqt5dbus5-5.15.2-4.9.mga8
libqt5network-devel-5.15.2-4.9.mga8
libqt5test-devel-5.15.2-4.9.mga8
libqt5printsupport5-5.15.2-4.9.mga8
libqt5glxsupport-static-devel-5.15.2-4.9.mga8
libqt5accessibilitysupport-static-devel-5.15.2-4.9.mga8
libqt5opengl5-5.15.2-4.9.mga8
libqt5test5-5.15.2-4.9.mga8
libqt5eglfskmssupport5-5.15.2-4.9.mga8
libqt5xml5-5.15.2-4.9.mga8
libqt5sql5-5.15.2-4.9.mga8
libqt5printsupport-devel-5.15.2-4.9.mga8
libqt5-database-plugin-odbc-5.15.2-4.9.mga8
libqt5dbus-devel-5.15.2-4.9.mga8
libqt5concurrent-devel-5.15.2-4.9.mga8
libqt5-database-plugin-ibase-5.15.2-4.9.mga8
libqt5sql-devel-5.15.2-4.9.mga8
libqt5-database-plugin-pgsql-5.15.2-4.9.mga8
libqt5xml-devel-5.15.2-4.9.mga8
libqt5-database-plugin-sqlite-5.15.2-4.9.mga8
libqt5-database-plugin-mysql-5.15.2-4.9.mga8
libqt5-database-plugin-tds-5.15.2-4.9.mga8
libqt5eglfsdeviceintegration-devel-5.15.2-4.9.mga8
libqt5concurrent5-5.15.2-4.9.mga8
libqt5platformsupport-devel-5.15.2-4.9.mga8
libqt5xcbqpa-devel-5.15.2-4.9.mga8
libqt5eglfskmssupport-devel-5.15.2-4.9.mga8
libqt5base5-devel-5.15.2-4.9.mga8

from qtbase5-5.15.2-4.9.mga8.src.rpm

Assignee: kde => qa-bugs
Blocks: 29977 => (none)

Comment 5 Thomas Andrews 2023-05-24 14:16:10 CEST 
HP Probook 6550b, i3, Intel graphics, Broadcom wifi, mga8-64 Plasma system.
 
Used the replace function in kwrite to change all "libqt" to "lib64qt" then used qarepo to get the packages. No installation issues.

"urpmq --whatrequires-recursive qtbase5-common" produces a VERY long list of affected packages, including many libraries. Libreoffice, Dolphin, VLC, Gimp, Kwrite, not to mention basic Plasma packages are all on the list.

So after the update I tried several of the ones that I commonly use, and all seemed to be working - though a thorough test would take a very long time.

This looks OK to me here.

CC: (none) => andrewsfarm

Comment 6 Thomas Andrews 2023-05-24 16:46:20 CEST 
On Foolishness, my Dell Inspiron 5100, P4, Radeon RV200 graphics, Atheros-based wifi, 32-bit Xfce system, using the desktop kernel.

No installation issues. Checked Gimp, vlc, and libreoffice after the update, with no issues to report. Looks OK here, too.

Validating.

CC: (none) => sysadmin-bugs
Whiteboard: (none) => MGA8-32-OK MGA8-64-OK
Keywords: (none) => validated_update

Dave Hodgins 2023-05-30 18:57:16 CEST

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 7 Mageia Robot 2023-05-31 08:42:49 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0190.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED