Bug 31950

Summary: qt4, qtsvg5, qtsvg6 new security issue CVE-2023-32573
Product: Mageia
Reporter: David Walser <luigiwalser>
Component: Security
Assignee: KDE maintainers <kde>
Status: RESOLVED FIXED
QA Contact: Sec team <security>
Severity: normal
Priority: Normal
CC: geiger.david68210, smelror
Version: Cauldron
Target Milestone: ---
Hardware: All
OS: Linux
Whiteboard: MGA8TOO
Source RPM: qtsvg5-5.15.7-1.mga9.src.rpm, qtsvg6-6.4.1-2.mga9.src.rpm
CVE:
Status comment:
Bug Depends on: 29913
Bug Blocks:

Description David Walser 2023-05-22 14:04:16 CEST
A security issue in QtSvg:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32573

has a patch:
https://download.qt.io/official_releases/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff

Note that Qt4 is most likely also affected.

Mageia 8 is also affected.
David Walser 2023-05-22 14:04:30 CEST

CC: (none) => smelror
Whiteboard: (none) => MGA8TOO

Comment 1 David GEIGER 2023-05-22 19:52:01 CEST
Done for both mga8 and Cauldron!

Note that there is no qtsvg6 package for mga8.

CC: (none) => geiger.david68210

Comment 2 David Walser 2023-05-22 19:54:13 CEST
(In reply to David GEIGER from comment #1)
> Done for both mga8 and Cauldron!
> 
> Note that there is no qtsvg6 package for mga8.

Thanks, did you check Qt4?  Our previous qtsvg security updates have affected that too.
Comment 3 David Walser 2023-05-22 19:56:11 CEST
Mageia 8 updated packages for qtsvg5:
qtsvg5-doc-5.15.2-1.2.mga8
libqt5svg5-5.15.2-1.2.mga8
libqt5svg-devel-5.15.2-1.2.mga8
qtsvg5-5.15.2-1.2.mga8

from qtsvg5-5.15.2-1.2.mga8.src.rpm
David Walser 2023-05-22 19:56:28 CEST

Status comment: (none) => qt4 may also be affected, to be checked

David GEIGER 2023-06-28 19:26:01 CEST

Blocks: (none) => 29913

Comment 4 David GEIGER 2023-06-28 19:27:02 CEST
Fixed for both cauldron and mga8 in bug 29913!
Comment 5 David GEIGER 2023-06-29 06:29:33 CEST
Assigning to QA.

Assignee: kde => qa-bugs

Comment 6 David Walser 2023-06-29 23:33:44 CEST
Just noting here that you did indeed patch qt4 for this issue.

We don't assign two bugs to QA for the same update(s), so assigning this back to the KDE team and we'll handle this update in Bug 29913.  When that bug is closed, we'll close this one.

Status comment: qt4 may also be affected, to be checked => (none)
Summary: qtsvg5, qtsvg6 new security issue CVE-2023-32573 => qt4, qtsvg5, qtsvg6 new security issue CVE-2023-32573
Assignee: qa-bugs => kde

Thomas Backlund 2023-07-19 20:34:01 CEST

Depends on: (none) => 29913
Blocks: 29913 => (none)

Comment 7 Thomas Backlund 2023-07-19 22:00:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0231.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED