We previously issued updates for qt4 and qt5:
http://lwn.net/Vulnerabilities/577579/ Bug 12043 and Bug 12178
http://lwn.net/Vulnerabilities/597177/ Bug 13276

We still have qt3 packaged and didn't update it for these issues.

Fedora issued advisories for this on December 6 and May 30:
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127076.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134040.html

Patched packages uploaded for Mageia 3, Mageia 4, and Cauldron.

Advisory:
========================

Updated qt3 packages fix security vulnerabilities:

QXmlSimpleReader in Qt versions prior to 5.2 supports expansion of internal entities in XML documents without placing restrictions to ensure the document does not cause excessive memory usage. If an application using this API processes untrusted data then the application may use unexpected amounts of memory if a malicious document is processed (CVE-2013-4549).

A NULL pointer dereference flaw was found in QGIFFormat::fillRect in QtGui. If an application using the qt-x11 libraries opened a malicious GIF file with invalid width and height values, it could cause the application to crash (CVE-2014-0190).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-4549
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2014-0190
http://lists.qt-project.org/pipermail/announce/2013-December/000036.html
http://lists.qt-project.org/pipermail/announce/2014-April/000045.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-January/127076.html
https://lists.fedoraproject.org/pipermail/package-announce/2014-June/134040.html
http://advisories.mageia.org/MGASA-2014-0009.html
http://advisories.mageia.org/MGASA-2014-0240.html
========================

Updated packages in core/updates_testing:
========================
libqt3-3.3.8b-32.1.mga3
qt3-common-3.3.8b-32.1.mga3
libqt3-mysql-3.3.8b-32.1.mga3
libqt3-psql-3.3.8b-32.1.mga3
libqt3-odbc-3.3.8b-32.1.mga3
libqt3-sqlite-3.3.8b-32.1.mga3
libqt3-3.3.8b-33.2.mga4
qt3-common-3.3.8b-33.2.mga4
libqt3-mysql-3.3.8b-33.2.mga4
libqt3-psql-3.3.8b-33.2.mga4
libqt3-odbc-3.3.8b-33.2.mga4
libqt3-sqlite-3.3.8b-33.2.mga4

from SRPMS:
qt3-3.3.8b-32.1.mga3.src.rpm
qt3-3.3.8b-33.2.mga4.src.rpm
Whiteboard: (none) => MGA3TOO
Nothing in Mageia uses this library, so just verifying that the packages install OK (on Mageia 3 and Mageia 4 i586).
Whiteboard: MGA3TOO => MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK
In VirtualBox, M3, KDE, 64-bit

Package(s) under test:
qt3-common

install qt3-common

[root@localhost wilcal]# urpmi qt3-common
Package qt3-common-3.3.8b-32.mga3.x86_64 is already installed

Reboot system and back to a working desktop

install qt3-common from updates_testing

[root@localhost wilcal]# urpmi qt3-common
Package qt3-common-3.3.8b-32.1.mga3.x86_64 is already installed

Successfully reboot system and back to a working desktop

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64

CC: (none) => wilcal.int
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK
In VirtualBox, M4, KDE, 64-bit

Package(s) under test:
qt3-common

install qt3-common

[root@localhost wilcal]# urpmi qt3-common
Package qt3-common-3.3.8b-33.mga4.x86_64 is already installed

Reboot system and back to a working desktop

install qt3-common from updates_testing

[root@localhost wilcal]# urpmi qt3-common
Package qt3-common-3.3.8b-33.2.mga4.x86_64 is already installed

Successfully reboot system and back to a working desktop

Test platform:
Intel Core i7-2600K Sandy Bridge 3.4GHz
GIGABYTE GA-Z68X-UD3-B3 LGA 1155 MoBo
GIGABYTE GV-N440D3-1GI Nvidia GeForce GT 440 (Fermi) 1GB
RTL8111/8168B PCI Express 1Gbit Ethernet
DRAM 16GB (4 x 4GB)
Mageia 4 64-bit, Nvidia driver
virtualbox-4.3.10-1.1.mga4.x86_64
virtualbox-guest-additions-4.3.10-1.1.mga4.x86_64
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK
Testing complete for mga3 32-bit & 64-bit
Testing complete for mga4 32-bit & 64-bit

Validating the update.

Could someone from the sysadmin team push this to updates?

Thanks

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Advisory added

Update pushed:
http://advisories.mageia.org/MGASA-2014-0263.html

Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED
Whiteboard: MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK => MGA3TOO has_procedure MGA3-32-OK MGA3-64-OK MGA4-32-OK MGA4-64-OK advisory