Bug 13509 - qt3 missing updates for CVE-2013-4549 and CVE-2014-0190
Summary: qt3 missing updates for CVE-2013-4549 and CVE-2014-0190
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 4
Hardware: i586 Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3...
Keywords: validated_update
Depends on:
Blocks:
 
Reported: 2014-06-10 18:13 CEST by David Walser
Modified: 2014-06-18 20:03 CEST

See Also:
Source RPM: qt3-3.3.8b-33.mga4.src.rpm
CVE:
Status comment:


Description David Walser 2014-06-10 18:13:35 CEST
We previously issued updates for qt4 and qt5:
http://lwn.net/Vulnerabilities/577579/ Bug 12043 and Bug 12178
http://lwn.net/Vulnerabilities/597177/ Bug 13276

We still have qt3 packaged and didn't update it for these issues.

Fedora issued advisories for this on December 6 and May 30:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127076.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134040.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated qt3 packages fix security vulnerabilities:

QXmlSimpleReader in Qt versions prior to 5.2 supports expansion of internal
entities in XML documents without placing restrictions to ensure the document
does not cause excessive memory usage. If an application using this API
processes untrusted data then the application may use unexpected amounts of
memory if a malicious document is processed (CVE-2013-4549).

A NULL pointer dereference flaw was found in QGIFFormat::fillRect in QtGui.
If an application using the qt-x11 libraries opened a malicious GIF file with
invalid width and height values, it could cause the application to crash
(CVE-2014-0190).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4549
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0190
http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
http://lists.qt-project.org/pipermail/announce/2014-April/000045.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127076.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134040.html
http://advisories.mageia.org/MGASA-2014-0009.html
http://advisories.mageia.org/MGASA-2014-0240.html
========================

Updated packages in core/updates_testing:
========================
libqt3-3.3.8b-32.1.mga3
qt3-common-3.3.8b-32.1.mga3
libqt3-mysql-3.3.8b-32.1.mga3
libqt3-psql-3.3.8b-32.1.mga3
libqt3-odbc-3.3.8b-32.1.mga3
libqt3-sqlite-3.3.8b-32.1.mga3
libqt3-3.3.8b-33.2.mga4
qt3-common-3.3.8b-33.2.mga4
libqt3-mysql-3.3.8b-33.2.mga4
libqt3-psql-3.3.8b-33.2.mga4
libqt3-odbc-3.3.8b-33.2.mga4
libqt3-sqlite-3.3.8b-33.2.mga4

from SRPMS:
qt3-3.3.8b-32.1.mga3.src.rpm
qt3-3.3.8b-33.2.mga4.src.rpm

Reproducible: 

Steps to Reproduce:
David Walser 2014-06-10 18:13:41 CEST

Whiteboard: (none) => MGA3TOO
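The two flaws the advisory describes are both input-validation failures in a decoder: an XML reader that expands internal entities with no bound on the result, and a GIF reader that hands unchecked width and height values to its fill routine. The block below is an added example in Python, not code from Qt or from the updated Mageia packages, showing the pre-parse checks a defender can run on untrusted input before either kind of decoder sees it: an entity-expansion budget computed from the DTD without ever materialising the expansion (the CVE-2013-4549 class), and a walk over a GIF's logical screen and image descriptors that rejects zero-sized or out-of-screen frames (the CVE-2014-0190 class). All function names, the 1,000,000-byte default budget, the policy of rejecting frames that fall outside the logical screen, and the sample XML and GIF inputs are assumptions constructed for this example rather than values taken from the advisory.

```python
"""Added example, not Qt's or the Mageia packages' code: two defender-side
pre-parse checks for the flaw classes in the advisory. Inputs are constructed."""
import re
import struct

# --- CVE-2013-4549 class: bound internal-entity expansion before parsing -----

# General entity declarations in the internal DTD subset: <!ENTITY name "value">
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+(["\'])(.*?)\2\s*>', re.S)
ENTITY_REF = re.compile(r'&(\w+);')


class EntityBudgetExceeded(ValueError):
    pass


def expanded_size(name, entities, cache, stack=()):
    """Byte length of entity `name` after full expansion, computed without
    building the expansion; a self-referencing chain is rejected."""
    if name in cache:
        return cache[name]
    if name in stack:
        raise ValueError(f"recursive entity reference: {name}")
    value = entities.get(name)
    if value is None:                       # undefined or built-in: count literally
        return len(name) + 2
    size, last = 0, 0
    for m in ENTITY_REF.finditer(value):
        size += m.start() - last
        size += expanded_size(m.group(1), entities, cache, stack + (name,))
        last = m.end()
    size += len(value) - last
    cache[name] = size
    return size


def check_entity_expansion(xml_text, max_total=1_000_000):
    """Total expanded bytes of every entity reference in the document body;
    raises EntityBudgetExceeded as soon as the (assumed) budget is passed."""
    entities = {m.group(1): m.group(3) for m in ENTITY_DECL.finditer(xml_text)}
    body = xml_text.split("]>", 1)[-1] if "<!DOCTYPE" in xml_text else xml_text
    cache, total = {}, 0
    for m in ENTITY_REF.finditer(body):
        total += expanded_size(m.group(1), entities, cache)
        if total > max_total:
            raise EntityBudgetExceeded(f"expansion {total} > budget {max_total}")
    return total


def within_budget(xml_text, max_total=1_000_000):
    """True when the document is safe to hand to an entity-expanding parser."""
    try:
        check_entity_expansion(xml_text, max_total)
        return True
    except ValueError:
        return False


# --- CVE-2014-0190 class: validate GIF geometry before any fill routine -----

def _skip_subblocks(data, pos):
    """Advance past a GIF sub-block chain (size byte + data, 0x00 terminates)."""
    while pos < len(data):
        n = data[pos]
        pos += 1
        if n == 0:
            return pos
        pos += n
    raise ValueError("truncated sub-block chain")


def check_gif_geometry(data, max_pixels=64_000_000):
    """Walk the logical screen descriptor and every image descriptor, rejecting
    zero-sized, oversized or out-of-screen frames. Returns the frame count."""
    if len(data) < 13 or data[:6] not in (b"GIF87a", b"GIF89a"):
        raise ValueError("not a GIF")
    sw, sh, packed = struct.unpack_from("<HHB", data, 6)
    if sw == 0 or sh == 0 or sw * sh > max_pixels:
        raise ValueError(f"bad logical screen size {sw}x{sh}")
    pos = 13
    if packed & 0x80:                       # global colour table: 3 * 2^(N+1) bytes
        pos += 3 * (2 << (packed & 0x07))
    frames = 0
    while pos < len(data):
        tag = data[pos]
        if tag == 0x3B:                     # trailer
            break
        if tag == 0x21:                     # extension: label byte, then sub-blocks
            pos = _skip_subblocks(data, pos + 2)
            continue
        if tag != 0x2C or pos + 10 > len(data):
            raise ValueError(f"unexpected or truncated block at offset {pos}")
        left, top, w, h, ipacked = struct.unpack_from("<HHHHB", data, pos + 1)
        if w == 0 or h == 0 or left + w > sw or top + h > sh:
            raise ValueError(f"frame {frames}: {w}x{h}@{left},{top} invalid for {sw}x{sh}")
        pos += 10
        if ipacked & 0x80:                  # local colour table
            pos += 3 * (2 << (ipacked & 0x07))
        pos = _skip_subblocks(data, pos + 1)  # +1 skips LZW minimum code size
        frames += 1
    return frames


def gif_geometry_ok(data):
    try:
        check_gif_geometry(data)
        return True
    except (ValueError, struct.error):
        return False


# --- constructed samples ---------------------------------------------------

SAMPLE_NESTED = """<?xml version="1.0"?>
<!DOCTYPE d [
  <!ENTITY a "xxxx">
  <!ENTITY b "&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;">
]>
<d>&c;</d>"""                              # expands to 4 * 4 * 4 = 64 bytes

SAMPLE_RECURSIVE = '<!DOCTYPE d [ <!ENTITY a "&a;"> ]><d>&a;</d>'


def build_gif(frame_w, frame_h):
    """Constructed 1x1 GIF with a 2-colour palette and one frame of given size."""
    header = b"GIF89a" + struct.pack("<HHBBB", 1, 1, 0x80, 0, 0)
    palette = b"\x00\x00\x00\xff\xff\xff"
    image = b"\x2c" + struct.pack("<HHHHB", 0, 0, frame_w, frame_h, 0)
    lzw = b"\x02" + b"\x02\x44\x01" + b"\x00"
    return header + palette + image + lzw + b"\x3b"


if __name__ == "__main__":
    print("nested expansion:", check_entity_expansion(SAMPLE_NESTED))
    print("recursive within budget:", within_budget(SAMPLE_RECURSIVE))
    print("1x1 frame ok:", gif_geometry_ok(build_gif(1, 1)))
    print("0x0 frame ok:", gif_geometry_ok(build_gif(0, 0)))
```

The entity check deliberately computes sizes from the declarations rather than expanding anything, so the check itself cannot be made to consume the memory it is guarding against; the GIF check mirrors the condition the advisory names (invalid width and height) and adds a logical-screen bound as a stricter policy choice, which a deployment that must accept out-of-screen frames would relax.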

Comment 1 David Walser 2014-06-17 18:26:35 CEST
Nothing in Mageia uses this library, so just verifying that the packages install OK (on Mageia 3 and Mageia 4 i586).

Whiteboard: MGA3TOO => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK

Comment 2 William Kenney 2014-06-18 18:19:35 CEST
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
qt3-common

install qt3-common

[root@localhost wilcal]# urpmi qt3-common
Package qt3-common-3.3.8b-32.mga3.x86_64 is already installed

Reboot system and back to a working desktop

install qt3-common from updates_testing

[root@localhost wilcal]# urpmi qt3-common
Package qt3-common-3.3.8b-32.1.mga3.x86_64 is already installed

Successfully reboot system and back to a working desktop

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK

Comment 3 William Kenney 2014-06-18 18:45:49 CEST
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
qt3-common

install qt3-common

[root@localhost wilcal]# urpmi qt3-common
Package qt3-common-3.3.8b-33.mga4.x86_64 is already installed

Reboot system and back to a working desktop

install qt3-common from updates_testing

[root@localhost wilcal]# urpmi qt3-common
Package qt3-common-3.3.8b-33.2.mga4.x86_64 is already installed

Successfully reboot system and back to a working desktop

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
William Kenney 2014-06-18 18:46:13 CEST

Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK

Comment 4 William Kenney 2014-06-18 18:47:03 CEST
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit
Validating the update.
Could someone from the sysadmin team push this to updates?
Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Thomas Backlund 2014-06-18 20:03:56 CEST
Advisory added

Update pushed:
http://advisories.mageia.org/MGASA-2014-0263.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory

