Bug 23166 - qt3 new security issue CVE-2016-10040
Summary: qt3 new security issue CVE-2016-10040
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 6
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA6-32-OK MGA6-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2018-06-10 20:49 CEST by David Walser
Modified: 2018-06-14 21:29 CEST (History)
CC List: 3 users

See Also:
Source RPM: qt3-3.3.8b-42.mga6.src.rpm
CVE:
Status comment:



Description David Walser 2018-06-10 20:49:11 CEST
Fedora has issued an advisory on June 9:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MMPQK37WEHT2KHWYTH4WNIAWNFKBUZ3P/

Mageia 5 is also affected (but this package is only required by lsb).

Patched packages uploaded for Mageia 6 and Cauldron.

Testing that it upgrades successfully is sufficient.

Advisory:
========================

Updated qt3 packages fix security vulnerability:

A stack overflow flaw was found in the way Qt parsed XML input with several
nested opening tags. An application using Qt's QXmlSimpleReader to parse
specially crafted XML input could crash (CVE-2016-10040).

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2016-10040
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/MMPQK37WEHT2KHWYTH4WNIAWNFKBUZ3P/
========================

Updated packages in core/updates_testing:
========================
libqt3-3.3.8b-42.1.mga6
qt3-common-3.3.8b-42.1.mga6
libqt3-mysql-3.3.8b-42.1.mga6
libqt3-psql-3.3.8b-42.1.mga6
libqt3-odbc-3.3.8b-42.1.mga6
libqt3-sqlite-3.3.8b-42.1.mga6

from qt3-3.3.8b-42.1.mga6.src.rpm
David Walser 2018-06-10 20:49:22 CEST

Version: Cauldron => 6
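The advisory in the description attributes the crash to a stack overflow when parsing many nested opening tags. The standard defence for this class of flaw in a SAX-style reader is to bound element nesting depth and abort the parse once the bound is exceeded, so a hostile document is rejected instead of exhausting the stack. The following is an added example written for this page; it is not code from the Mageia bug report, from Qt, or from the Fedora advisory. Python's xml.sax stands in for QXmlSimpleReader, the limit value MAX_DEPTH is an assumed policy (not a Qt setting), and the deeply nested input is constructed inline.

```python
# Added example (not from the Mageia bug report or from Qt): a SAX content
# handler that bounds element nesting depth, the mitigation pattern for the
# class of flaw described in CVE-2016-10040. Python's xml.sax stands in for
# QXmlSimpleReader; the limit value is an assumed policy, not a Qt setting.
import xml.sax
from xml.sax.handler import ContentHandler

# Assumed policy limit for this example; tune it to what the application
# legitimately needs to process.
MAX_DEPTH = 256


class NestingTooDeep(Exception):
    """Raised when an element opens beyond the configured nesting limit."""


class DepthGuard(ContentHandler):
    """Tracks open-element depth and aborts the parse once it exceeds a bound."""

    def __init__(self, max_depth):
        super().__init__()
        self.max_depth = max_depth
        self.depth = 0   # number of currently open elements
        self.peak = 0    # deepest nesting seen so far

    def startElement(self, name, attrs):
        self.depth += 1
        if self.depth > self.peak:
            self.peak = self.depth
        if self.depth > self.max_depth:
            # Stop before the application (or a recursive parser) goes any deeper.
            raise NestingTooDeep(
                "element <%s> opens at depth %d, limit is %d"
                % (name, self.depth, self.max_depth))

    def endElement(self, name):
        self.depth -= 1


def check_nesting(xml_text, max_depth=MAX_DEPTH):
    """Parse xml_text with a depth bound.

    Returns (accepted, peak_depth). accepted is False when the document nests
    deeper than max_depth; peak_depth is then max_depth + 1, the depth at
    which the parse was cut off.
    """
    guard = DepthGuard(max_depth)
    try:
        xml.sax.parseString(xml_text.encode("utf-8"), guard)
    except NestingTooDeep:
        return False, guard.peak
    return True, guard.peak


def nested_document(depth):
    """Constructed sample input: `depth` nested <a> elements, e.g. <a><a></a></a>."""
    return "<a>" * depth + "</a>" * depth


if __name__ == "__main__":
    for label, doc in (("10 levels", nested_document(10)),
                       ("5000 levels", nested_document(5000))):
        accepted, peak = check_nesting(doc)
        print("%s: %s (peak depth %d)"
              % (label, "accepted" if accepted else "rejected", peak))
```

Running the block parses a 10-level document normally and rejects the 5000-level one at depth 257 without the process crashing; the same guard can be attached to any event-driven (SAX) reader, since it only needs the start- and end-element callbacks.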

Comment 1 PC LX 2018-06-11 14:24:54 CEST
No packages in the repositories use the Qt3 packages and I no longer have anything that uses or can be compiled to use Qt3.

Any idea on how to test these Qt3 packages?

CC: (none) => mageia

Comment 2 David Walser 2018-06-11 14:53:03 CEST
As I said in Comment 0, just test that they upgrade cleanly.
Comment 3 Herman Viaene 2018-06-11 15:57:00 CEST
MGA6-32 on IBM Thinkpad R50e MATE
No installation issues, clean install.

CC: (none) => herman.viaene
Whiteboard: (none) => MGA6-32-OK

Comment 4 PC LX 2018-06-11 16:50:21 CEST
Installed without issues.

System: Mageia 6, x86_64, Intel CPU.

$ urpmi qt3-common lib64qt3 lib64qt3-mysql lib64qt3-odbc lib64qt3-psql lib64qt3-sqlite
<SNIP NO ERRORS>
$ uname -a
Linux marte 4.14.44-desktop-2.mga6 #1 SMP Mon May 28 22:35:45 UTC 2018 x86_64 x86_64 x86_64 GNU/Linux
$ rpm -qa | egrep 'qt3-common|lib64qt3-' | sort
lib64qt3-3.3.8b-42.1.mga6
lib64qt3-mysql-3.3.8b-42.1.mga6
lib64qt3-odbc-3.3.8b-42.1.mga6
lib64qt3-psql-3.3.8b-42.1.mga6
lib64qt3-sqlite-3.3.8b-42.1.mga6
qt3-common-3.3.8b-42.1.mga6

Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK

Comment 5 Frédéric Buclin 2018-06-11 17:11:44 CEST Comment hidden (obsolete)
Comment 6 Frédéric Buclin 2018-06-11 17:12:28 CEST
(In reply to Frédéric Buclin from comment #5)
> (In reply to PC LX from comment #1)
> > No packages in the repositories use the Qt3 packages and I no longer have
> > anything that uses or can be compiled to use Qt3.
> 
> In cauldron, bug 19684 should be fixed instead (a.k.a. kill Qt3), see bug
> 19684 comment 2.
Comment 7 David Walser 2018-06-11 17:47:49 CEST
Yes, it does need to be removed from Cauldron.
Comment 8 claire robinson 2018-06-14 18:17:15 CEST
Frédéric, could you ensure there is a bug report for removing qt3 from Cauldron please.

Validating this one.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 9 claire robinson 2018-06-14 18:41:18 CEST
Advisoried

Keywords: (none) => advisory

Comment 10 Mageia Robot 2018-06-14 20:16:10 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2018-0284.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

Comment 11 Frédéric Buclin 2018-06-14 21:29:43 CEST
(In reply to claire robinson from comment #8)
> Frédéric could you ensure there is a bug report for removing qt3 from
> Cauldron please.

This should be done in bug 19684.
