Upstream has issued an advisory on April 24:
http://lists.qt-project.org/pipermail/announce/2014-April/000045.html

Patches are linked in the message above.

Qt4 4.8.6 is also out, but I don't believe this issue was fixed in that release (though you may still want to upgrade it for stable).

For qtbase5, I'm not sure if this issue is fixed in the 5.3.0 beta we currently have packaged in Cauldron, but it will be in the final 5.3.0 release, but the Mageia 4 package will need to be patched.
CC: (none) => balcaen.john, lmenut
Whiteboard: (none) => MGA4TOO, MGA3TOO
Summary: qt4, qtbase5 new DoS security issue in QtGui => qt4, qtbase5 new DoS security issue in QtGui (CVE-2014-0190)
Fedora has issued an advisory for this on April 27: https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132395.html They updated to 4.8.6 and added a patch.
URL: (none) => http://lwn.net/Vulnerabilities/597177/
I've updated qt4 in Mageia 3, Mageia 4, and Cauldron to 4.8.6, added the patch to fix this, and synced the other changes from Fedora, with one exception. I did not add the following patch, so if it's desirable to have it in Mageia, hopefully Nicolas, John, or Luc will add it:
http://pkgs.fedoraproject.org/cgit/qt.git/plain/qt-everywhere-opensource-src-4.8.6-systemtrayicon.patch

I've also patched qtbase5 in Mageia 4 to fix this.

Advisory (Mageia 3):
========================

Updated qt4 packages fix security vulnerability:

A NULL pointer dereference flaw was found in QGIFFormat::fillRect in QtGui. If an application using the qt-x11 libraries opened a malicious GIF file with invalid width and height values, it could cause the application to crash (CVE-2014-0190).

Qt4 has been patched to correct this flaw and has been updated to version 4.8.6, which fixes several other bugs.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0190
http://lists.qt-project.org/pipermail/announce/2014-April/000045.html
http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132395.html
========================

Updated packages in core/updates_testing:
========================
qt4-common-4.8.6-1.mga3
libqtxml4-4.8.6-1.mga3
libqtscripttools4-4.8.6-1.mga3
libqtxmlpatterns4-4.8.6-1.mga3
libqtsql4-4.8.6-1.mga3
libqtnetwork4-4.8.6-1.mga3
libqtscript4-4.8.6-1.mga3
libqtgui4-4.8.6-1.mga3
libqtsvg4-4.8.6-1.mga3
libqttest4-4.8.6-1.mga3
libqthelp4-4.8.6-1.mga3
libqtclucene4-4.8.6-1.mga3
libqtcore4-4.8.6-1.mga3
libqt3support4-4.8.6-1.mga3
libqtopengl4-4.8.6-1.mga3
libqtdesigner4-4.8.6-1.mga3
libqtdbus4-4.8.6-1.mga3
libqtmultimedia4-4.8.6-1.mga3
qt4-qtdbus-4.8.6-1.mga3
libqtdeclarative4-4.8.6-1.mga3
qt4-qmlviewer-4.8.6-1.mga3
libqt4-devel-4.8.6-1.mga3
qt4-devel-private-4.8.6-1.mga3
qt4-xmlpatterns-4.8.6-1.mga3
qt4-qtconfig-4.8.6-1.mga3
qt4-doc-4.8.6-1.mga3
qt4-demos-4.8.6-1.mga3
qt4-examples-4.8.6-1.mga3
qt4-linguist-4.8.6-1.mga3
qt4-assistant-4.8.6-1.mga3
qt4-database-plugin-mysql-4.8.6-1.mga3
qt4-database-plugin-sqlite-4.8.6-1.mga3
qt4-database-plugin-tds-4.8.6-1.mga3
qt4-database-plugin-pgsql-4.8.6-1.mga3
qt4-graphicssystems-plugin-4.8.6-1.mga3
qt4-accessibility-plugin-4.8.6-1.mga3
qt4-designer-4.8.6-1.mga3
qt4-designer-plugin-webkit-4.8.6-1.mga3
qt4-designer-plugin-qt3support-4.8.6-1.mga3
qt4-qvfb-4.8.6-1.mga3
qt4-qdoc3-4.8.6-1.mga3

from qt4-4.8.6-1.mga3.src.rpm

Advisory (Mageia 4):
========================

Updated qt4 and qtbase5 packages fix security vulnerability:

A NULL pointer dereference flaw was found in QGIFFormat::fillRect in QtGui. If an application using the qt-x11 libraries opened a malicious GIF file with invalid width and height values, it could cause the application to crash (CVE-2014-0190).

Qt4 has been patched to correct this flaw and has been updated to version 4.8.6, which fixes several other bugs.

Qtbase5 has also been patched to correct this flaw.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0190
http://lists.qt-project.org/pipermail/announce/2014-April/000045.html
http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132395.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-May/132648.html
========================

Updated packages in core/updates_testing:
========================
qt4-common-4.8.6-1.mga4
libqtxml4-4.8.6-1.mga4
libqtscripttools4-4.8.6-1.mga4
libqtxmlpatterns4-4.8.6-1.mga4
libqtsql4-4.8.6-1.mga4
libqtnetwork4-4.8.6-1.mga4
libqtscript4-4.8.6-1.mga4
libqtgui4-4.8.6-1.mga4
libqtsvg4-4.8.6-1.mga4
libqttest4-4.8.6-1.mga4
libqthelp4-4.8.6-1.mga4
libqtclucene4-4.8.6-1.mga4
libqtcore4-4.8.6-1.mga4
libqt3support4-4.8.6-1.mga4
libqtopengl4-4.8.6-1.mga4
libqtdesigner4-4.8.6-1.mga4
libqtdbus4-4.8.6-1.mga4
libqtmultimedia4-4.8.6-1.mga4
qt4-qtdbus-4.8.6-1.mga4
libqtdeclarative4-4.8.6-1.mga4
qt4-qmlviewer-4.8.6-1.mga4
libqt4-devel-4.8.6-1.mga4
qt4-devel-private-4.8.6-1.mga4
qt4-xmlpatterns-4.8.6-1.mga4
qt4-qtconfig-4.8.6-1.mga4
qt4-doc-4.8.6-1.mga4
qt4-demos-4.8.6-1.mga4
qt4-examples-4.8.6-1.mga4
qt4-linguist-4.8.6-1.mga4
qt4-assistant-4.8.6-1.mga4
qt4-database-plugin-mysql-4.8.6-1.mga4
qt4-database-plugin-sqlite-4.8.6-1.mga4
qt4-database-plugin-tds-4.8.6-1.mga4
qt4-database-plugin-pgsql-4.8.6-1.mga4
qt4-graphicssystems-plugin-4.8.6-1.mga4
qt4-accessibility-plugin-4.8.6-1.mga4
qt4-designer-4.8.6-1.mga4
qt4-designer-plugin-webkit-4.8.6-1.mga4
qt4-designer-plugin-qt3support-4.8.6-1.mga4
qt4-qvfb-4.8.6-1.mga4
qt4-qdoc3-4.8.6-1.mga4
qtbase5-common-5.2.0-2.3.mga4
qtbase5-examples-5.2.0-2.3.mga4
qtbase5-database-plugin-odbc-5.2.0-2.3.mga4
qtbase5-database-plugin-mysql-5.2.0-2.3.mga4
qtbase5-database-plugin-sqlite-5.2.0-2.3.mga4
qtbase5-database-plugin-tds-5.2.0-2.3.mga4
qtbase5-database-plugin-pgsql-5.2.0-2.3.mga4
libqt5core5-5.2.0-2.3.mga4
libqt5core-devel-5.2.0-2.3.mga4
libqt5core-private-devel-5.2.0-2.3.mga4
libqt5sql5-5.2.0-2.3.mga4
libqt5sql-devel-5.2.0-2.3.mga4
libqt5sql-private-devel-5.2.0-2.3.mga4
libqt5dbus5-5.2.0-2.3.mga4
libqt5dbus-devel-5.2.0-2.3.mga4
libqt5dbus-private-devel-5.2.0-2.3.mga4
libqt5concurrent5-5.2.0-2.3.mga4
libqt5concurrent-devel-5.2.0-2.3.mga4
libqt5gui5-5.2.0-2.3.mga4
libqt5gui-devel-5.2.0-2.3.mga4
libqt5gui-private-devel-5.2.0-2.3.mga4
libqt5network5-5.2.0-2.3.mga4
libqt5network-devel-5.2.0-2.3.mga4
libqt5network-private-devel-5.2.0-2.3.mga4
libqt5opengl5-5.2.0-2.3.mga4
libqt5opengl-devel-5.2.0-2.3.mga4
libqt5opengl-private-devel-5.2.0-2.3.mga4
libqt5printsupport5-5.2.0-2.3.mga4
libqt5printsupport-devel-5.2.0-2.3.mga4
libqt5printsupport-private-devel-5.2.0-2.3.mga4
libqt5test5-5.2.0-2.3.mga4
libqt5test-devel-5.2.0-2.3.mga4
libqt5test-private-devel-5.2.0-2.3.mga4
libqt5widgets5-5.2.0-2.3.mga4
libqt5widgets-devel-5.2.0-2.3.mga4
libqt5widgets-private-devel-5.2.0-2.3.mga4
libqt5xml5-5.2.0-2.3.mga4
libqt5xml-devel-5.2.0-2.3.mga4
libqt5platformsupport-devel-5.2.0-2.3.mga4
libqt5platformsupport-private-devel-5.2.0-2.3.mga4
libqt5bootstrap-devel-5.2.0-2.3.mga4
libqt5base5-devel-5.2.0-2.3.mga4
qtbase5-common-devel-5.2.0-2.3.mga4

from SRPMS:
qt4-4.8.6-1.mga4.src.rpm
qtbase5-5.2.0-2.3.mga4.src.rpm
CC: (none) => mageia
Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA4TOO, MGA3TOO => MGA3TOO
I can't find a PoC. I made a GIF file in the GIMP and played with the width and height values in hexedit and opened the results with gwenview and couldn't get it to crash. So all we can do is just test general Qt usage I think, as well as opening normal GIF files.
Do I need to install all the files to help test this, and then try to open a GIF file? Roelof
CC: (none) => rwobben
For Qt5 you may be able to test this with scribus-unstable and trying to load a GIF file into a document.
@david thanks, still the question stands: do I have to install all the rpms in the list, and if so, how can I best do it? Roelof
CC: (none) => r.wobben
Ideally yes Roelof, to ensure they all update without any packaging issues. The easiest way for an update like this is to use MCC and select them.
Maybe another stupid question, but on which testing repo can I find these updates? I already enabled core updates and another one but I cannot find the updates. Roelof
(In reply to roelof Wobben from comment #8)
> Maybe another stupid question but on which testing repo can I find these
> updates. I already enabled core updates and another one but I cannot find
> the updates?
>
> Roelof

https://wiki.mageia.org/en/Enabling_the_Testing_media
Thanks, I have now installed all qt4 parts but qt5 still cannot be found. Roelof
Depending on what you used to install them, you may have only upgraded qt4 packages which you already had installed (which is fine). You could install scribus-unstable as I suggested in Comment 5, which would pull in the needed packages for qt5, then just make sure the updates_testing versions of those packages get installed. Also note that the qt5 update is only for Mageia 4.
Upgraded the qt4 packages and found no problem. Installed scribus-unstable. Still no problems. Downloaded 4 GIF pictures and placed them into a document. Still no problems at all. So in my opinion there can only be one conclusion: Mga4 64 ok. Roelof
Whiteboard: MGA3TOO => MGA3TOO MGA4 64 OK
Whiteboard: MGA3TOO MGA4 64 OK => MGA3TOO MGA4-64-OK
Well done Roelof and thanks David for helping
I have a couple of days off now so will test 32 bit. Carolyn
CC: (none) => cmrisolde
Tested Mga4 32-bit with GIMP, Gwenview and Scribus as above, also displaying a GIF picture in a Gambas Qt4 app. All seems fine and no apparent problems with installing any of the updated packages. Will look at Qt4 with Mga3 later. Carolyn
Whiteboard: MGA3TOO MGA4-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK
Tested Qt4 with Mga 32-bit as per comment 15 - no problems noticed. Carolyn
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK
Similar tests with Mga3 64-bit - seems to be OK. Update validated. See comment 2 for advisories and SRPMs (separate for Mga3 and Mga4). Could sysadmin please push from core/updates_testing to core/updates. Thank you. Carolyn
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK
Advisories uploaded as 13276.mga3.adv and 13276.mga4.adv.
CC: (none) => remi
Whiteboard: MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK => MGA3TOO MGA4-64-OK MGA4-32-OK MGA3-32-OK MGA3-64-OK advisory
Mga3 update pushed: http://advisories.mageia.org/MGASA-2014-0240.html Mga4 update pushed: http://advisories.mageia.org/MGASA-2014-0241.html
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED