Fedora has issued an advisory on March 29:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XS6G3ZDFCHWFQD4CFXWFPHREOHBBDTD7/

Mageia 6 is also affected.
Whiteboard: (none) => MGA6TOO
Both mga6 and Cauldron are ready on svn; I'm waiting for the Qt5_mass_rebuild to complete before submitting Qt4!
CC: (none) => geiger.david68210
Advisory:
========================

Updated qt4 packages fix security vulnerability:

A malformed PPM image causes a division by zero and a crash in qppmhandler.cpp (CVE-2018-19872).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2018-19872
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/XS6G3ZDFCHWFQD4CFXWFPHREOHBBDTD7/
========================

Updated packages in core/updates_testing:
========================
qt4-common-4.8.7-15.1.mga6
libqtxml4-4.8.7-15.1.mga6
libqtscripttools4-4.8.7-15.1.mga6
libqtxmlpatterns4-4.8.7-15.1.mga6
libqtsql4-4.8.7-15.1.mga6
libqtnetwork4-4.8.7-15.1.mga6
libqtscript4-4.8.7-15.1.mga6
libqtgui4-4.8.7-15.1.mga6
libqtsvg4-4.8.7-15.1.mga6
libqttest4-4.8.7-15.1.mga6
libqthelp4-4.8.7-15.1.mga6
libqtclucene4-4.8.7-15.1.mga6
libqtcore4-4.8.7-15.1.mga6
libqt3support4-4.8.7-15.1.mga6
libqtopengl4-4.8.7-15.1.mga6
libqtdesigner4-4.8.7-15.1.mga6
libqtdbus4-4.8.7-15.1.mga6
libqtmultimedia4-4.8.7-15.1.mga6
qt4-qtdbus-4.8.7-15.1.mga6
libqtdeclarative4-4.8.7-15.1.mga6
qt4-qmlviewer-4.8.7-15.1.mga6
libqt4-devel-4.8.7-15.1.mga6
qt4-devel-private-4.8.7-15.1.mga6
qt4-xmlpatterns-4.8.7-15.1.mga6
qt4-qtconfig-4.8.7-15.1.mga6
qt4-doc-4.8.7-15.1.mga6
qt4-demos-4.8.7-15.1.mga6
qt4-examples-4.8.7-15.1.mga6
qt4-linguist-4.8.7-15.1.mga6
qt4-assistant-4.8.7-15.1.mga6
libqt4-database-plugin-mysql-4.8.7-15.1.mga6
libqt4-database-plugin-sqlite-4.8.7-15.1.mga6
libqt4-database-plugin-tds-4.8.7-15.1.mga6
libqt4-database-plugin-pgsql-4.8.7-15.1.mga6
qt4-graphicssystems-plugin-4.8.7-15.1.mga6
qt4-accessibility-plugin-4.8.7-15.1.mga6
qt4-designer-4.8.7-15.1.mga6
qt4-designer-plugin-webkit-4.8.7-15.1.mga6
qt4-designer-plugin-qt3support-4.8.7-15.1.mga6
qt4-qvfb-4.8.7-15.1.mga6
qt4-qdoc3-4.8.7-15.1.mga6

from qt4-4.8.7-15.1.mga6.src.rpm
Version: Cauldron => 6
Assignee: kde => qa-bugs
Whiteboard: MGA6TOO => (none)
mga6, x86_64

CVE-2018-19872
https://bugreports.qt.io/browse/QTBUG-69449

There is a test program which needs to be compiled, and a test image. Don't know which libraries to specify to satisfy the QImage class and any other requirements. The script starts with:

#include <QImage>
#include <QDebug>
#include <QString>

Found overloaded definitions of QImage in /usr/include/Qt/qimage.h.
Tried this:
$ g++ -o qtppmtest -I/usr/include/QtGui -I/usr/include/Qt -I/usr/include/QtCore main.cpp
but got nowhere. Giving up.
CC: (none) => tarazed25
MGA6-32 MATE on IBM Thinkpad R50e
No initial installation issues.
Googling found some seemingly simple example at https://doc.qt.io/archives/3.3/tutorial1-01.html
So created main.cpp (will upload it) and then went on at CLI:
$ qmake -project
$ qmake
$ make
g++ -c -pipe -O2 -Wall -W -D_REENTRANT -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/lib/qt4/mkspecs/linux-g++ -I. -I/usr/include/QtCore -I/usr/include/QtGui -I/usr/include -I. -I. -o main.o main.cpp
make: g++: Opdracht niet gevonden
Makefile:205: recept voor doel 'main.o' is mislukt
make: *** [main.o] Fout 127
So the gcc is needed, but that is not a dependency of qt4 - I wonder.
Next try:
$ make
g++ -c -pipe -O2 -Wall -W -D_REENTRANT -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/lib/qt4/mkspecs/linux-g++ -I. -I/usr/include/QtCore -I/usr/include/QtGui -I/usr/include -I. -I. -o main.o main.cpp
main.cpp: In functie ‘int main(int, char**)’:
main.cpp:12:7: fout: ‘class QApplication’ has no member named ‘setMainWidget’
 a.setMainWidget( &hello );
 ^
Makefile:205: recept voor doel 'main.o' is mislukt
make: *** [main.o] Fout 1
So I missed some part of qt4??? Not easy to find out.
Found also bug15327 which seems to imply that some qt4 library is used in the open file dialogue of LibreOffice - at that time. Traced oowriter, but found no reference to qt when opening a file via the dialogue.
CC: (none) => herman.viaene
Created attachment 10953: test for qt4 compilation
Turns out the example was written for qt3. For qt4, the line "a.setMainWidget( &hello );" should be removed, but even then I get:
$ make
g++ -c -pipe -O2 -Wall -W -D_REENTRANT -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB -DQT_SHARED -I/usr/lib/qt4/mkspecs/linux-g++ -I. -I/usr/include/QtCore -I/usr/include/QtGui -I/usr/include -I. -I. -o main.o main.cpp
main.cpp: In functie ‘int main(int, char**)’:
main.cpp:13:14: fout: invalid conversion from ‘int (*)()’ to ‘int’ [-fpermissive]
 return a.exec;
 ^
Makefile:207: recept voor doel 'main.o' is mislukt
make: *** [main.o] Fout 1
And here my lack of knowledge ......
@Herman: comment 4
Thanks for the qmake pointer - that solved the problem of how to compile the POC test script.
$ ./qimage-floating-point-exception sig08_fpe
Floating point exception (core dumped)
Picking this up later.
@Herman: comment 4.
I hacked your tutorial script a bit in an attempt to reshape it for Qt4 but failed to compile it. I started by changing the includes to
#include <QtGui/qapplication.h>
#include <QtGui/qpushbutton.h>
but that failed to find setMainWidget, as you discovered. Commenting out the setMainWidget line led to a series of undefined references. So really we need a Qt4 tutorial.
Shall have a look at these pages: http://zetcode.com/gui/qt4/
Well, that did not help much. Looks like Qt4 is a moving target because the pushbutton example the new site provides could not find the includes until I added QtGui/ to the path. After that it was back to undefined references like:
/home/lcl/qa/qt4/main.cpp:12: undefined reference to `QWidget::QWidget(QWidget*, QFlags<Qt::WindowType>)'
Also there was this puzzling line in the logs:
g++ -Wl,-O1 -o qt4 main.o -lQt5Gui -lQt5Core -lGL -lpthread
Qt5? And the Makefile is riddled with Qt5's. Just wondering if there is something wrong with qmake. There is every indication that it is looking at Qt5 - the makefile defines the include directories like so:
-I/usr/lib64/qt5/include -I/usr/lib64/qt5/include/QtGui -I/usr/lib64/qt5/include/QtCore
@ Len
You have to be very careful what you install. On trying to solve this problem (getting make on this laptop), I noticed that installing a package-I-forgot-its-name would install also some qt5 stuff. I wanted to avoid that, so took another way. I wonder whether you can get rid of the qt5 stuff without blowing your installation apart.
@ Len, your Comment 8
My feeling is that the error in my Comment 4 has nothing to do with qt4, but is a problem of not knowing the gcc syntaxes.
@Herman, comment 12. Yes, trying to figure out what includes and which libraries need to be specified is a headache for Qt stuff. Each version distributes its files in different ways and that is where qmake should be most useful but it does look as if the resulting makefile needs to be examined and perhaps edited. For me it does not make sense for it to mix qt4 and qt5 references.
Updated the packages and tried out the POC again.
$ qmake -project
$ qmake
Info: creating stash file /home/lcl/Downloads/pocs/qimage-floating-point-exception/.qmake.stash
$ make
g++ -c -pipe -std=gnu++0x -O2 -g -pipe -Wformat -Werror=format-security -Wp,-D_FORTIFY_SOURCE=2 -fstack-protector --param=ssp-buffer-size=4 -fno-strict-aliasing -DPIC -fPIC -std=gnu++11 -Wall -W -D_REENTRANT -fPIC -DQT_DEPRECATED_WARNINGS -DQT_NO_DEBUG -DQT_GUI_LIB -DQT_CORE_LIB -I. -I. -I/usr/lib64/qt5/include -I/usr/lib64/qt5/include/QtGui -I/usr/lib64/qt5/include/QtCore -I. -isystem /usr/include/libdrm -I/usr/lib64/qt5/mkspecs/linux-g++ -o main.o main.cpp
g++ -Wl,-O1 -o qimage-floating-point-exception main.o -lQt5Gui -lQt5Core -lGL -lpthread
Note the qt5 references.
$ ./qimage-floating-point-exception sig08_fpe
Floating point exception (core dumped)
No change.
The test program failed to compile again and the Makefile contained many qt5 references.
@Herman, comment 11. I am beginning to wonder if you may be right about qt4 problems when qt5 packages are installed. On this system there are 42 qt4 packages and 127 qt5. The qt4.pro file has "TARGET = qt4". Maybe time for some feedback.
Keywords: (none) => feedback
@Herman
Experimenting a bit and examining the generated Makefile:
1) If the system has qt4 and qt5 installed then the qt5 qmake supersedes the qt4 version and will come into play automatically.
2) The project file is named after the current directory which is also the TARGET. My experimental files sit in a directory named ...../qtt so the project file is qtt.pro and TARGET=qtt.
3) Any C file in that directory will be included in the source list.
4) Makefile will look for libraries and include files under the hierarchy relevant to the latest qmake and there does not seem to be a way to force compilation under an earlier version without extensive editing of the makefile.
So, if the qt5 stack has been installed via a recent scheduled update then we are wasting our time trying to test qt4. Creating a special qt4 testing environment in something like virtualbox seems like overkill for a single update test. Not everyone has the resources for vbox. docker maybe?
With reference to comment 16: One way to get past this is to construct a compilation line with all the correct references, which would require familiarity with the qt4 layout. I did have a stab at that but failed to get anywhere.
@ Len Comment 15: checked my system : has 29 qt5-xxxxxx packages plus a few python3-qt5 and a few like phonon-qt5, that's a far cry from your 127. I'm wondering whether one would need a completely qt5-free system to test this.
If you want to build something Qt4 and not use Qt5, there should be environment variables you can set. I think there's at least QTDIR and QMAKE. You should be able to find examples in spec files of some Qt4 apps.
Thanks David - we shall look into that.
It looks like it may be simpler than that. /etc/alternatives has an entry for qmake-qt4 which points to /usr/lib64/qt4/bin/qmake. Following this up later.
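Added example (not part of the original comments): the link line quoted earlier in this thread pulls in -lQt5Gui and -lQt5Core, so a PoC built that way exercises Qt5 rather than the qt4 packages under test. The shell functions below classify a qmake-generated Makefile or build log as qt4, qt5 or mixed; the function names and the two samples marked as constructed are assumptions of this example.

```shell
#!/bin/sh
# Added example: report which Qt major version a qmake-generated build references.

# Link line quoted in the thread (generated by the default qmake on that system).
PAGE_LINK_LINE='g++ -Wl,-O1 -o qimage-floating-point-exception main.o -lQt5Gui -lQt5Core -lGL -lpthread'
# Constructed sample: a Qt4 link line (Qt4 library names carry no version number).
CONSTRUCTED_QT4_LINE='g++ -Wl,-O1 -o qimage-floating-point-exception main.o -L/usr/lib64 -lQtGui -lQtCore -lpthread'
# Constructed sample: Qt4 mkspecs on the include path but Qt5 libraries on the link line.
CONSTRUCTED_MIXED='g++ -I/usr/lib/qt4/mkspecs/linux-g++ -o poc main.o -lQt5Gui -lQt5Core'

# qt_targets: read a Makefile or build log on stdin; print qt4, qt5, mixed or none.
qt_targets() {
    awk '
    {
        for (i = 1; i <= NF; i++) {
            # Qt5 libraries are named -lQt5<Module>; its tree lives under .../qt5/
            if ($i ~ /^-lQt5[A-Za-z0-9]+$/ || $i ~ /\/qt5\//)           qt5 = 1
            # Qt4 libraries are named -lQt<Module>; its tree lives under .../qt4/
            else if ($i ~ /^-lQt[A-Z][A-Za-z0-9]*$/ || $i ~ /\/qt4\//)  qt4 = 1
        }
    }
    END {
        if (qt4 && qt5)  print "mixed"
        else if (qt5)    print "qt5"
        else if (qt4)    print "qt4"
        else             print "none"
    }'
}

# poc_exercises_qt4: succeed only if the build text on stdin references Qt4 and
# nothing from Qt5, so the PoC outcome reflects the qt4 packages under test.
poc_exercises_qt4() {
    [ "$(qt_targets)" = "qt4" ]
}

# Classify the three samples above.
for sample in "$PAGE_LINK_LINE" "$CONSTRUCTED_QT4_LINE" "$CONSTRUCTED_MIXED"; do
    printf '%-6s %s\n' "$(printf '%s\n' "$sample" | qt_targets)" "$sample"
done
```

After running qmake, `qt_targets < Makefile` gives the same classification for a real build, and `ldd` on the resulting binary shows which Qt libraries it loads at run time.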
The Makefile now refers to qt4 throughout but the compilation fails on definitions and declarations. For instance, 'class' and 'namespace' are unknown. It is possible that the Qt4 installation is lacking something, maybe some development files. Investigating in the morning.
@Herman, comment 18.
In view of the failure of qmake-qt4 it looks like the absence of the Qt5 installation would not have made any difference.
$ echo $QTDIR
/usr/lib64/qt4
Inspection of the makefile shows that the compiler is looking in the correct place for include files.
$ printenv | grep QT | grep -v qt5
QT_XFT=0
QTDIR=/usr/lib64/qt4
QTINC=/usr/lib/qt3/include
QT4DOCDIR=/usr/share/doc/qt4
QTLIB=/usr/lib64
As an extra precaution I added this to the project file:
DEFINES += QT_DISABLE_DEPRECATED_BEFORE=0x040000
Meanwhile, why not have a look at the suite of examples in /usr/lib64/qt4/examples/. They can be run from a menu launched by /usr/lib64/qt4/bin/qtdemo. Try a few of those and you have a good test of qt4. It is good for 64-bits here but I would like to know what went wrong with the tutorial test compilation.
I did see those demo files, but I couldn't figure out what to do with them, I was not aware of the command. So at CLI I have been able to run it and exercise a few of the demos. They all looked good, but
$ /usr/lib/qt4/bin/qtdemo
Error loading documentation for "SameGame" : "tag mismatch" 44 199
Error loading documentation for "40000 Chips" : "tag mismatch" 41 370
Error loading documentation for "Boxes" : "tag mismatch" 56 6
Error loading documentation for "Spectrum Analyzer" : "tag mismatch" 104 6
Error loading documentation for "Minehunt" : "tag mismatch" 42 204
Error loading documentation for "Animated Tiles" : "tag mismatch" 44 151
Error loading documentation for "States" : "tag mismatch" 35 158
Error loading documentation for "Stickman" : "tag mismatch" 87 82
QPainter::begin: Paint device returned engine == 0, type: 3
QPainter::setRenderHint: Painter must be active to set rendering hints
Error loading documentation for "Local Fortune Client" : "tag mismatch" 37 137
Error loading documentation for "Basic Drawing" : "tag mismatch" 513 6
Error loading documentation for "Transformations" : "tag mismatch" 324 6
I checked, the packages qt4-qdoc3-4.8.7-15.1.mga6 and qt4-doc-4.8.7-15.1.mga6 have been installed, so something else might be missing. But to my feeling this shouldn't stop this update. How about that, David???
@Herman. Yes, I saw some of those tag mismatches but not as many and since they were about documentation ignored them. And I agree with you about releasing the update.
Whiteboard: (none) => MGA6-32-OK
Just tried the 'layout' demo. That issued the documentation error but clicking the documentation link in 'borders' brought up a clear description, with graphics. So we should just let this one go. It is working well enough.
Whiteboard: MGA6-32-OK => MGA6-32-OK MGA6-64-OK
Going to take your word for it, guys. Validating. Advisory in Comment 2.
Keywords: feedback => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
CC: (none) => tmb
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2019-0161.html
Resolution: (none) => FIXED
Status: NEW => RESOLVED