Bug 13276 - qt4, qtbase5 new DoS security issue in QtGui (CVE-2014-0190)
Summary: qt4, qtbase5 new DoS security issue in QtGui (CVE-2014-0190)
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL: http://lwn.net/Vulnerabilities/597177/
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-04-28 15:21 CEST by David Walser
Modified: 2014-05-29 09:24 CEST

See Also:
Source RPM: qt4-4.8.5-8.mga5.src.rpm, qtbase5-5.2.0-2.mga4.src.rpm
CVE:
Status comment:



Description David Walser 2014-04-28 15:21:45 CEST
Upstream has issued an advisory on April 24:
http://lists.qt-project.org/pipermail/announce/2014-April/000045.html

Patches are linked in the message above.

Qt4 4.8.6 is also out, but I don't believe this issue was fixed in that release (though you may still want to upgrade it for stable).

For qtbase5, I'm not sure if this issue is fixed in the 5.3.0 beta we currently have packaged in Cauldron, but it will be in the final 5.3.0 release, and the Mageia 4 package will need to be patched.

David Walser 2014-04-28 15:21:59 CEST

CC: (none) => balcaen.john, lmenut

David Walser 2014-04-28 15:22:04 CEST

Whiteboard: (none) => MGA4TOO, MGA3TOO

David Walser 2014-04-28 15:22:26 CEST

Summary: qt4, qtbase5 new DoS security issue in QtGui => qt4, qtbase5 new DoS security issue in QtGui (CVE-2014-0190)

Comment 1 David Walser 2014-05-02 18:10:12 CEST
Fedora has issued an advisory for this on April 27:
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132395.html

They updated to 4.8.6 and added a patch.

URL: (none) => http://lwn.net/Vulnerabilities/597177/

Comment 2 David Walser 2014-05-13 21:25:37 CEST
I've updated qt4 in Mageia 3, Mageia 4, and Cauldron to 4.8.6, added the patch to fix this, and synced the other changes from Fedora, with one exception.  I did not add the following patch, so if it's desirable to have it in Mageia, hopefully Nicolas, John, or Luc will add it:
http://pkgs.fedoraproject.org/cgit/qt.git/plain/qt-everywhere-opensource-src-4.8.6-systemtrayicon.patch

I've also patched qtbase5 in Mageia 4 to fix this.

Advisory (Mageia 3):
========================

Updated qt4 packages fix a security vulnerability:

A NULL pointer dereference flaw was found in QGIFFormat::fillRect in QtGui.
If an application using the qt-x11 libraries opened a malicious GIF file with
invalid width and height values, it could cause the application to crash
(CVE-2014-0190).

Qt4 has been patched to correct this flaw and has been updated to version
4.8.6, which fixes several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0190
http://lists.qt-project.org/pipermail/announce/2014-April/000045.html
http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132395.html
========================

Updated packages in core/updates_testing:
========================
qt4-common-4.8.6-1.mga3
libqtxml4-4.8.6-1.mga3
libqtscripttools4-4.8.6-1.mga3
libqtxmlpatterns4-4.8.6-1.mga3
libqtsql4-4.8.6-1.mga3
libqtnetwork4-4.8.6-1.mga3
libqtscript4-4.8.6-1.mga3
libqtgui4-4.8.6-1.mga3
libqtsvg4-4.8.6-1.mga3
libqttest4-4.8.6-1.mga3
libqthelp4-4.8.6-1.mga3
libqtclucene4-4.8.6-1.mga3
libqtcore4-4.8.6-1.mga3
libqt3support4-4.8.6-1.mga3
libqtopengl4-4.8.6-1.mga3
libqtdesigner4-4.8.6-1.mga3
libqtdbus4-4.8.6-1.mga3
libqtmultimedia4-4.8.6-1.mga3
qt4-qtdbus-4.8.6-1.mga3
libqtdeclarative4-4.8.6-1.mga3
qt4-qmlviewer-4.8.6-1.mga3
libqt4-devel-4.8.6-1.mga3
qt4-devel-private-4.8.6-1.mga3
qt4-xmlpatterns-4.8.6-1.mga3
qt4-qtconfig-4.8.6-1.mga3
qt4-doc-4.8.6-1.mga3
qt4-demos-4.8.6-1.mga3
qt4-examples-4.8.6-1.mga3
qt4-linguist-4.8.6-1.mga3
qt4-assistant-4.8.6-1.mga3
qt4-database-plugin-mysql-4.8.6-1.mga3
qt4-database-plugin-sqlite-4.8.6-1.mga3
qt4-database-plugin-tds-4.8.6-1.mga3
qt4-database-plugin-pgsql-4.8.6-1.mga3
qt4-graphicssystems-plugin-4.8.6-1.mga3
qt4-accessibility-plugin-4.8.6-1.mga3
qt4-designer-4.8.6-1.mga3
qt4-designer-plugin-webkit-4.8.6-1.mga3
qt4-designer-plugin-qt3support-4.8.6-1.mga3
qt4-qvfb-4.8.6-1.mga3
qt4-qdoc3-4.8.6-1.mga3

from qt4-4.8.6-1.mga3.src.rpm


Advisory (Mageia 4):
========================

Updated qt4 and qtbase5 packages fix a security vulnerability:

A NULL pointer dereference flaw was found in QGIFFormat::fillRect in QtGui.
If an application using the qt-x11 libraries opened a malicious GIF file with
invalid width and height values, it could cause the application to crash
(CVE-2014-0190).

Qt4 has been patched to correct this flaw and has been updated to version
4.8.6, which fixes several other bugs.

Qtbase5 has also been patched to correct this flaw.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0190
http://lists.qt-project.org/pipermail/announce/2014-April/000045.html
http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132395.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132648.html
========================

Updated packages in core/updates_testing:
========================
qt4-common-4.8.6-1.mga4
libqtxml4-4.8.6-1.mga4
libqtscripttools4-4.8.6-1.mga4
libqtxmlpatterns4-4.8.6-1.mga4
libqtsql4-4.8.6-1.mga4
libqtnetwork4-4.8.6-1.mga4
libqtscript4-4.8.6-1.mga4
libqtgui4-4.8.6-1.mga4
libqtsvg4-4.8.6-1.mga4
libqttest4-4.8.6-1.mga4
libqthelp4-4.8.6-1.mga4
libqtclucene4-4.8.6-1.mga4
libqtcore4-4.8.6-1.mga4
libqt3support4-4.8.6-1.mga4
libqtopengl4-4.8.6-1.mga4
libqtdesigner4-4.8.6-1.mga4
libqtdbus4-4.8.6-1.mga4
libqtmultimedia4-4.8.6-1.mga4
qt4-qtdbus-4.8.6-1.mga4
libqtdeclarative4-4.8.6-1.mga4
qt4-qmlviewer-4.8.6-1.mga4
libqt4-devel-4.8.6-1.mga4
qt4-devel-private-4.8.6-1.mga4
qt4-xmlpatterns-4.8.6-1.mga4
qt4-qtconfig-4.8.6-1.mga4
qt4-doc-4.8.6-1.mga4
qt4-demos-4.8.6-1.mga4
qt4-examples-4.8.6-1.mga4
qt4-linguist-4.8.6-1.mga4
qt4-assistant-4.8.6-1.mga4
qt4-database-plugin-mysql-4.8.6-1.mga4
qt4-database-plugin-sqlite-4.8.6-1.mga4
qt4-database-plugin-tds-4.8.6-1.mga4
qt4-database-plugin-pgsql-4.8.6-1.mga4
qt4-graphicssystems-plugin-4.8.6-1.mga4
qt4-accessibility-plugin-4.8.6-1.mga4
qt4-designer-4.8.6-1.mga4
qt4-designer-plugin-webkit-4.8.6-1.mga4
qt4-designer-plugin-qt3support-4.8.6-1.mga4
qt4-qvfb-4.8.6-1.mga4
qt4-qdoc3-4.8.6-1.mga4
qtbase5-common-5.2.0-2.3.mga4
qtbase5-examples-5.2.0-2.3.mga4
qtbase5-database-plugin-odbc-5.2.0-2.3.mga4
qtbase5-database-plugin-mysql-5.2.0-2.3.mga4
qtbase5-database-plugin-sqlite-5.2.0-2.3.mga4
qtbase5-database-plugin-tds-5.2.0-2.3.mga4
qtbase5-database-plugin-pgsql-5.2.0-2.3.mga4
libqt5core5-5.2.0-2.3.mga4
libqt5core-devel-5.2.0-2.3.mga4
libqt5core-private-devel-5.2.0-2.3.mga4
libqt5sql5-5.2.0-2.3.mga4
libqt5sql-devel-5.2.0-2.3.mga4
libqt5sql-private-devel-5.2.0-2.3.mga4
libqt5dbus5-5.2.0-2.3.mga4
libqt5dbus-devel-5.2.0-2.3.mga4
libqt5dbus-private-devel-5.2.0-2.3.mga4
libqt5concurrent5-5.2.0-2.3.mga4
libqt5concurrent-devel-5.2.0-2.3.mga4
libqt5gui5-5.2.0-2.3.mga4
libqt5gui-devel-5.2.0-2.3.mga4
libqt5gui-private-devel-5.2.0-2.3.mga4
libqt5network5-5.2.0-2.3.mga4
libqt5network-devel-5.2.0-2.3.mga4
libqt5network-private-devel-5.2.0-2.3.mga4
libqt5opengl5-5.2.0-2.3.mga4
libqt5opengl-devel-5.2.0-2.3.mga4
libqt5opengl-private-devel-5.2.0-2.3.mga4
libqt5printsupport5-5.2.0-2.3.mga4
libqt5printsupport-devel-5.2.0-2.3.mga4
libqt5printsupport-private-devel-5.2.0-2.3.mga4
libqt5test5-5.2.0-2.3.mga4
libqt5test-devel-5.2.0-2.3.mga4
libqt5test-private-devel-5.2.0-2.3.mga4
libqt5widgets5-5.2.0-2.3.mga4
libqt5widgets-devel-5.2.0-2.3.mga4
libqt5widgets-private-devel-5.2.0-2.3.mga4
libqt5xml5-5.2.0-2.3.mga4
libqt5xml-devel-5.2.0-2.3.mga4
libqt5platformsupport-devel-5.2.0-2.3.mga4
libqt5platformsupport-private-devel-5.2.0-2.3.mga4
libqt5bootstrap-devel-5.2.0-2.3.mga4
libqt5base5-devel-5.2.0-2.3.mga4
qtbase5-common-devel-5.2.0-2.3.mga4

from SRPMS:
qt4-4.8.6-1.mga4.src.rpm
qtbase5-5.2.0-2.3.mga4.src.rpm

CC: (none) => mageia
Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
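
The advisory above describes a crash path that starts with dimension fields the decoder never checked: a GIF whose logical screen or image descriptor carries invalid width and height values reaches QGIFFormat::fillRect with nothing valid to draw into. The code below is an added illustration of the defensive check a decoder should make before sizing any frame buffer; it is not Qt's code or its patch for CVE-2014-0190, and the function names, the GifCheck struct and the minimal constructed GIF builder are all assumptions of this example. It goes slightly beyond the advisory by also rejecting an image descriptor that falls outside the logical screen, a related inconsistency a decoder should refuse.

```cpp
#include <cstddef>
#include <cstdint>
#include <string>
#include <vector>

// Outcome of validating the dimension fields of a GIF stream (hypothetical type).
struct GifCheck {
    bool ok;
    std::string reason;
    uint16_t screenW, screenH;   // logical screen descriptor size
    uint16_t imgW, imgH;         // first image descriptor size (0 if not reached)
};

static uint16_t le16(const uint8_t* p) { return (uint16_t)(p[0] | (p[1] << 8)); }

// Validate signature, logical screen descriptor and the first image descriptor.
// Zero or inconsistent width/height is rejected before any buffer is sized,
// which is the point at which an unchecked value would otherwise be used.
GifCheck validateGifDimensions(const std::vector<uint8_t>& d) {
    GifCheck r{false, "", 0, 0, 0, 0};
    if (d.size() < 13) { r.reason = "truncated header"; return r; }
    std::string sig(d.begin(), d.begin() + 6);
    if (sig != "GIF87a" && sig != "GIF89a") { r.reason = "bad signature"; return r; }
    r.screenW = le16(&d[6]);
    r.screenH = le16(&d[8]);
    if (r.screenW == 0 || r.screenH == 0) { r.reason = "zero logical screen size"; return r; }

    size_t pos = 13;                       // after the 7-byte logical screen descriptor
    uint8_t packed = d[10];
    if (packed & 0x80) {                   // global colour table present
        size_t gctBytes = 3u * (1u << ((packed & 0x07) + 1));
        if (d.size() < pos + gctBytes) { r.reason = "truncated global color table"; return r; }
        pos += gctBytes;
    }
    // Skip extension blocks (0x21) until the first image descriptor (0x2C).
    while (pos < d.size()) {
        uint8_t b = d[pos];
        if (b == 0x2C) break;
        if (b == 0x3B) { r.reason = "trailer before any image"; return r; }
        if (b != 0x21) { r.reason = "unknown block"; return r; }
        pos += 2;                          // introducer + label
        while (pos < d.size() && d[pos] != 0) pos += 1 + d[pos];   // data sub-blocks
        if (pos >= d.size()) { r.reason = "truncated extension"; return r; }
        pos += 1;                          // block terminator
    }
    if (pos + 10 > d.size()) { r.reason = "truncated image descriptor"; return r; }
    uint16_t left = le16(&d[pos + 1]);
    uint16_t top  = le16(&d[pos + 3]);
    r.imgW = le16(&d[pos + 5]);
    r.imgH = le16(&d[pos + 7]);
    if (r.imgW == 0 || r.imgH == 0) { r.reason = "zero image size"; return r; }
    if ((uint32_t)left + r.imgW > r.screenW || (uint32_t)top + r.imgH > r.screenH) {
        r.reason = "image extends outside logical screen";
        return r;
    }
    r.ok = true;
    return r;
}

// Constructed sample input: a minimal GIF89a prefix (no colour table, no pixel
// data) carrying the given screen and image sizes. Enough for the checks above.
std::vector<uint8_t> makeGifHeader(uint16_t sw, uint16_t sh, uint16_t iw, uint16_t ih) {
    std::vector<uint8_t> g = {'G', 'I', 'F', '8', '9', 'a'};
    auto put16 = [&](uint16_t v) { g.push_back(v & 0xFF); g.push_back(v >> 8); };
    put16(sw); put16(sh);
    g.push_back(0x00); g.push_back(0); g.push_back(0);   // packed (no GCT), bg index, aspect
    g.push_back(0x2C);                                   // image descriptor
    put16(0); put16(0); put16(iw); put16(ih);
    g.push_back(0x00);                                   // image packed byte
    return g;
}
```

Running a file through validateGifDimensions before handing it to the image plugin is a cheap front-line check; for testing an update like this one it also gives a reproducible way to confirm that an input with zero dimensions is rejected cleanly rather than relying on a viewer happening to crash.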

Comment 3 David Walser 2014-05-14 17:12:48 CEST
I can't find a PoC.  I made a GIF file in the GIMP and played with the width and height values in hexedit and opened the results with gwenview and couldn't get it to crash.  So all we can do is just test general Qt usage I think, as well as opening normal GIF files.
Comment 4 roelof Wobben 2014-05-15 19:04:16 CEST
Do I need to install all the files to help test this, and then try to open a GIF file?

Roelof

CC: (none) => rwobben

Comment 5 David Walser 2014-05-16 16:56:05 CEST
For Qt5 you may be able to test this with scribus-unstable and trying to load a GIF file into a document.
Comment 6 roelof Wobben 2014-05-16 17:04:29 CEST
@david thanks, still the question stands: do I have to install all the RPMs in the list and, if so, how can I best do it?

Roelof

CC: (none) => r.wobben

Comment 7 claire robinson 2014-05-16 17:07:42 CEST
Ideally yes Roelof, to ensure they all update without any packaging issues.

The easiest way for an update like this is to use MCC and select them.
Comment 8 roelof Wobben 2014-05-17 10:33:30 CEST
Maybe another stupid question, but on which testing repo can I find these updates? I have already enabled core updates and another one, but I cannot find the updates.

Roelof
Comment 9 David Walser 2014-05-17 12:21:39 CEST
(In reply to roelof Wobben from comment #8)
> Maybe another stupid question, but on which testing repo can I find these
> updates? I have already enabled core updates and another one, but I cannot find
> the updates.
> 
> Roelof

https://wiki.mageia.org/en/Enabling_the_Testing_media
Comment 10 roelof Wobben 2014-05-17 13:39:25 CEST
Thanks,

I have now installed all the qt4 parts, but qt5 still cannot be found.

Roelof
Comment 11 David Walser 2014-05-17 13:45:26 CEST
Depending on what you used to install them, you may have only upgraded qt4 packages which you already had installed (which is fine).  You could install scribus-unstable as I suggested in Comment 5, which would pull in the needed packages for qt5, then just make sure the updates_testing versions of those packages get installed.  Also note that the qt5 update is only for Mageia 4.
Comment 12 roelof Wobben 2014-05-17 14:42:07 CEST
Upgraded the qt4 packages and found no problems.
Installed scribus-unstable. Still no problems.
Downloaded 4 GIF pictures and placed them into a document.

Still no problems at all.

So in my opinion there can only be one conclusion: Mga4 64 OK.

Roelof

Whiteboard: MGA3TOO => MGA3TOO MGA4 64 OK

roelof Wobben 2014-05-17 14:52:02 CEST

Whiteboard: MGA3TOO MGA4 64 OK => MGA3TOO MGA4-64-OK

Comment 13 claire robinson 2014-05-17 15:17:43 CEST
Well done Roelof and thanks David for helping
Comment 14 Carolyn Rowse 2014-05-26 09:02:32 CEST
I have a couple of days off now so will test 32 bit.

Carolyn

CC: (none) => cmrisolde

Comment 15 Carolyn Rowse 2014-05-26 10:27:56 CEST
Tested Mga4 32-bit with GIMP, Gwenview and Scribus as above, also displaying a GIF picture in a Gambas Qt4 app.  All seems fine and no apparent problems with installing any of the updated packages.

Will look at Qt4 with Mga3 later.

Carolyn

Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK

Comment 16 Carolyn Rowse 2014-05-26 15:55:35 CEST
Tested Qt4 with Mga3 32-bit as per comment 15 - no problems noticed.

Carolyn

Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK

Comment 17 Carolyn Rowse 2014-05-26 18:12:42 CEST
Similar tests with Mga3 64-bit - seems to be OK.

Update validated.

See comment 2 for advisories and SRPMs (separate for Mga3 and Mga4).

Could sysadmin please push from core/updates_testing to core/updates.

Thank you.

Carolyn

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK

Comment 18 Rémi Verschelde 2014-05-26 18:29:01 CEST
Advisories uploaded as 13276.mga3.adv and 13276.mga4.adv.

CC: (none) => remi
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK advisory

Comment 19 Thomas Backlund 2014-05-29 09:24:15 CEST
Mga3 update pushed:
http://advisories.mageia.org/MGASA-2014-0240.html

Mga4 update pushed:
http://advisories.mageia.org/MGASA-2014-0241.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
