12178 – qt5 new security issue CVE-2013-4549

Bug 12178 - qt5 new security issue CVE-2013-4549

Summary: qt5 new security issue CVE-2013-4549

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	3
Hardware:	i586 Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:	http://lwn.net/Vulnerabilities/577579/
Whiteboard:	advisory MGA3-64-OK MGA3-32-OK
Keywords:	validated_update

Depends on:	12043
Blocks:
	Show dependency tree / graph

Reported:	2014-01-02 18:22 CET by David Walser
Modified:	2014-03-03 21:43 CET (History)
CC List:	6 users (show)

See Also:
Source RPM:	qtbase5
CVE:	CVE-2013-4549
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2014-01-02 18:22:26 CET

+++ This bug was initially created as a clone of Bug #12043 +++

Ubuntu has issued an advisory on December 17:
http://www.ubuntu.com/usn/usn-2057-1/

qt5 in Cauldron is new enough as to not be affected.

Reproducible: 

Steps to Reproduce:

Comment 1 Angelo Naselli 2014-03-01 15:24:04 CET

Advisory:
========================
QXmlSimpleReader in Qt versions prior to 5.2 supports expansion of internal
entities in XML documents without placing restrictions to ensure the document
does not cause excessive memory usage. If an application using this API
processes untrusted data then the application may use unexpected amounts of
memory if a malicious document is processed.

Details
-------

It is possible to construct XML documents using internal entities that consume
large amounts of memory and other resources to process, this is known as the
'Billion Laughs' attack. Qt versions prior to 5.2 did not offer protection
against this issue.

Impact
------

An application loading untrusted XML data may consume arbitrary amounts of
memory and CPU when attempting to parse a maliciously constructed document.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4549
http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
http://www.ubuntu.com/usn/usn-2057-1/
========================

Updated packages in core/updates_testing:
========================
qtbase5-common-5.0.2-1.1.mga3
qtbase5-common-devel-5.0.2-1.1.mga3
qtbase5-database-plugin-mysql-5.0.2-1.1.mga3
qtbase5-database-plugin-odbc-5.0.2-1.1.mga3
qtbase5-database-plugin-pgsql-5.0.2-1.1.mga3
qtbase5-database-plugin-sqlite-5.0.2-1.1.mga3
qtbase5-database-plugin-tds-5.0.2-1.1.mga3
qtbase5-debuginfo-5.0.2-1.1.mga3
qtbase5-examples-5.0.2-1.1.mga3
lib64qt5base5-devel-5.0.2-1.1.mga3
lib64qt5bootstrap-devel-5.0.2-1.1.mga3
lib64qt5concurrent5-5.0.2-1.1.mga3
lib64qt5concurrent-devel-5.0.2-1.1.mga3
lib64qt5core5-5.0.2-1.1.mga3
lib64qt5core-devel-5.0.2-1.1.mga3
lib64qt5core-private-devel-5.0.2-1.1.mga3
lib64qt5dbus5-5.0.2-1.1.mga3
lib64qt5dbus-devel-5.0.2-1.1.mga3
lib64qt5dbus-private-devel-5.0.2-1.1.mga3
lib64qt5gui5-5.0.2-1.1.mga3
lib64qt5gui-devel-5.0.2-1.1.mga3
lib64qt5gui-private-devel-5.0.2-1.1.mga3
lib64qt5network5-5.0.2-1.1.mga3
lib64qt5network-devel-5.0.2-1.1.mga3
lib64qt5network-private-devel-5.0.2-1.1.mga3
lib64qt5opengl5-5.0.2-1.1.mga3
lib64qt5opengl-devel-5.0.2-1.1.mga3
lib64qt5opengl-private-devel-5.0.2-1.1.mga3
lib64qt5platformsupport-devel-5.0.2-1.1.mga3
lib64qt5platformsupport-private-devel-5.0.2-1.1.mga3
lib64qt5printsupport5-5.0.2-1.1.mga3
lib64qt5printsupport-devel-5.0.2-1.1.mga3
lib64qt5printsupport-private-devel-5.0.2-1.1.mga3
lib64qt5sql5-5.0.2-1.1.mga3
lib64qt5sql-devel-5.0.2-1.1.mga3
lib64qt5sql-private-devel-5.0.2-1.1.mga3
lib64qt5test5-5.0.2-1.1.mga3
lib64qt5test-devel-5.0.2-1.1.mga3
lib64qt5test-private-devel-5.0.2-1.1.mga3
lib64qt5widgets5-5.0.2-1.1.mga3
lib64qt5widgets-devel-5.0.2-1.1.mga3
lib64qt5widgets-private-devel-5.0.2-1.1.mga3
lib64qt5xml5-5.0.2-1.1.mga3
lib64qt5xml-devel-5.0.2-1.1.mga3

from qtbase5-5.0.2-1.1.mga3.src.rpm

Status: NEW => ASSIGNED
CC: (none) => anaselli
CVE: (none) => CVE-2013-4549
Assignee: bugsquad => qa-bugs
Source RPM: qt4 => qtbase5

Comment 2 David Walser 2014-03-01 15:26:23 CET

Thanks Angelo!

We can use the more concise advisory text from Ubuntu that we used for the qt4 update.

Patched package uploaded for Mageia 3 by Angelo.  Thanks Angelo!

Advisory:
========================

Updated qt5 packages fixes security vulnerability:

It was discovered that QXmlSimpleReader in Qt incorrectly handled XML
entity expansion. An attacker could use this flaw to cause Qt applications
to consume large amounts of resources, resulting in a denial of service
(CVE-2013-4549).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4549
http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
http://www.ubuntu.com/usn/usn-2057-1/
========================

Updated packages in core/updates_testing:
========================
qtbase5-common-5.0.2-1.1.mga3
qtbase5-examples-5.0.2-1.1.mga3
qtbase5-database-plugin-odbc-5.0.2-1.1.mga3
qtbase5-database-plugin-mysql-5.0.2-1.1.mga3
qtbase5-database-plugin-sqlite-5.0.2-1.1.mga3
qtbase5-database-plugin-tds-5.0.2-1.1.mga3
qtbase5-database-plugin-pgsql-5.0.2-1.1.mga3
libqt5core5-5.0.2-1.1.mga3
libqt5core-devel-5.0.2-1.1.mga3
libqt5core-private-devel-5.0.2-1.1.mga3
libqt5sql5-5.0.2-1.1.mga3
libqt5sql-devel-5.0.2-1.1.mga3
libqt5sql-private-devel-5.0.2-1.1.mga3
libqt5dbus5-5.0.2-1.1.mga3
libqt5dbus-devel-5.0.2-1.1.mga3
libqt5dbus-private-devel-5.0.2-1.1.mga3
libqt5concurrent5-5.0.2-1.1.mga3
libqt5concurrent-devel-5.0.2-1.1.mga3
libqt5gui5-5.0.2-1.1.mga3
libqt5gui-devel-5.0.2-1.1.mga3
libqt5gui-private-devel-5.0.2-1.1.mga3
libqt5network5-5.0.2-1.1.mga3
libqt5network-devel-5.0.2-1.1.mga3
libqt5network-private-devel-5.0.2-1.1.mga3
libqt5opengl5-5.0.2-1.1.mga3
libqt5opengl-devel-5.0.2-1.1.mga3
libqt5opengl-private-devel-5.0.2-1.1.mga3
libqt5printsupport5-5.0.2-1.1.mga3
libqt5printsupport-devel-5.0.2-1.1.mga3
libqt5printsupport-private-devel-5.0.2-1.1.mga3
libqt5test5-5.0.2-1.1.mga3
libqt5test-devel-5.0.2-1.1.mga3
libqt5test-private-devel-5.0.2-1.1.mga3
libqt5widgets5-5.0.2-1.1.mga3
libqt5widgets-devel-5.0.2-1.1.mga3
libqt5widgets-private-devel-5.0.2-1.1.mga3
libqt5xml5-5.0.2-1.1.mga3
libqt5xml-devel-5.0.2-1.1.mga3
libqt5platformsupport-devel-5.0.2-1.1.mga3
libqt5platformsupport-private-devel-5.0.2-1.1.mga3
libqt5bootstrap-devel-5.0.2-1.1.mga3
libqt5base5-devel-5.0.2-1.1.mga3
qtbase5-common-devel-5.0.2-1.1.mga3
qtbase5-debuginfo-5.0.2-1.1.mga3

from qtbase5-5.0.2-1.1.mga3.src.rpm

Comment 3 Angelo Naselli 2014-03-01 15:31:51 CET

Sure that was my first advisory of such a type of bugs :D

I haven't tested the vulnerability itself, but all install fine and i seem not to 
have regressions on my qt5 applications (X86_64)

Comment 4 Angelo Naselli 2014-03-01 15:32:51 CET

well from my local iurt repository though.

Comment 5 Dave Hodgins 2014-03-03 11:25:37 CET

No public poc, that I could find, so just testing using qtcreator to
create a simple c "hello world program.

Advisory uploaded to svn, Testing complete on Mageia 3 i586 and x86_64.

Someon from the sysadmin team please push 12178.adv to updates.

Keywords: (none) => validated_update
Whiteboard: (none) => advisory MGA3-64-OK MGA3-32-OK
CC: (none) => sysadmin-bugs

Comment 6 Thomas Backlund 2014-03-03 21:43:46 CET

Update pushed:
http://advisories.mageia.org/MGASA-2014-0115.html

Status: ASSIGNED => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.