Fedora has issued an advisory on April 25: https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2PT6327C64Q4RBFRWUSBKCG7SVGBWU5W/ The issue is fixed upstream in 5.15.0. Mageia 7 is also affected.
Already fixed in Cauldron: http://svnweb.mageia.org/packages?view=revision&revision=1565558
CC: (none) => geiger.david68210
Version: Cauldron => 7
Looks like you forgot to file a bug...
Yes, I forgot... So done for mga7! Also, I re-enabled the ibase plugin and switched compilation to use system pcre2 and system double-conversion.
Advisory:
========================

Updated qtbase5 packages fix security vulnerability:

An XML Entity Expansion flaw was found in the QT library. Applications that use QT to load untrusted images, for example, SVG images, or untrusted XML documents, may be vulnerable to this flaw. This flaw allows an attacker to cause a denial of service (CVE-2015-9541).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-9541
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2PT6327C64Q4RBFRWUSBKCG7SVGBWU5W/
========================

Updated packages in core/updates_testing:
========================
qtbase5-common-5.12.6-3.mga7
qtbase5-common-devel-5.12.6-3.mga7
qtbase5-examples-5.12.6-3.mga7
qtbase5-doc-5.12.6-3.mga7
libqt5core5-5.12.6-3.mga7
libqt5core-devel-5.12.6-3.mga7
libqt5concurrent5-5.12.6-3.mga7
libqt5concurrent-devel-5.12.6-3.mga7
libqt5dbus5-5.12.6-3.mga7
libqt5dbus-devel-5.12.6-3.mga7
libqt5eglfsdeviceintegration5-5.12.6-3.mga7
libqt5eglfsdeviceintegration-devel-5.12.6-3.mga7
libqt5eglfskmssupport5-5.12.6-3.mga7
libqt5eglfskmssupport-devel-5.12.6-3.mga7
libqt5gui5-5.12.6-3.mga7
libqt5gui-devel-5.12.6-3.mga7
libqt5network5-5.12.6-3.mga7
libqt5network-devel-5.12.6-3.mga7
libqt5opengl5-5.12.6-3.mga7
libqt5opengl-devel-5.12.6-3.mga7
libqt5platformsupport-devel-5.12.6-3.mga7
libqt5printsupport5-5.12.6-3.mga7
libqt5printsupport-devel-5.12.6-3.mga7
libqt5sql5-5.12.6-3.mga7
libqt5sql-devel-5.12.6-3.mga7
libqt5test5-5.12.6-3.mga7
libqt5test-devel-5.12.6-3.mga7
libqt5widgets5-5.12.6-3.mga7
libqt5widgets-devel-5.12.6-3.mga7
libqt5xcbqpa5-5.12.6-3.mga7
libqt5xcbqpa-devel-5.12.6-3.mga7
libqt5xml5-5.12.6-3.mga7
libqt5xml-devel-5.12.6-3.mga7
libqt5base5-devel-5.12.6-3.mga7
libqt5accessibilitysupport-static-devel-5.12.6-3.mga7
libqt5linuxaccessibilitysupport-static-devel-5.12.6-3.mga7
libqt5bootstrap-static-devel-5.12.6-3.mga7
libqt5devicediscoverysupport-static-devel-5.12.6-3.mga7
libqt5eglsupport-static-devel-5.12.6-3.mga7
libqt5eventdispatchersupport-static-devel-5.12.6-3.mga7
libqt5fbsupport-static-devel-5.12.6-3.mga7
libqt5fontdatabasesupport-static-devel-5.12.6-3.mga7
libqt5glxsupport-static-devel-5.12.6-3.mga7
libqt5inputsupport-static-devel-5.12.6-3.mga7
libqt5kmssupport-static-devel-5.12.6-3.mga7
libqt5platformcompositorsupport-static-devel-5.12.6-3.mga7
libqt5servicesupport-static-devel-5.12.6-3.mga7
libqt5edid-devel-5.12.6-3.mga7
libqt5themesupport-static-devel-5.12.6-3.mga7
libqt5-database-plugin-odbc-5.12.6-3.mga7
libqt5-database-plugin-mysql-5.12.6-3.mga7
libqt5-database-plugin-sqlite-5.12.6-3.mga7
libqt5-database-plugin-tds-5.12.6-3.mga7
libqt5-database-plugin-ibase-5.12.6-3.mga7
libqt5-database-plugin-pgsql-5.12.6-3.mga7

from qtbase5-5.12.6-3.mga7.src.rpm
Assignee: kde => qa-bugs
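The entity-expansion flaw named in the advisory above comes down to nested entity declarations whose expanded size grows multiplicatively. As an added example (not part of this thread, and not Qt's code or its upstream fix), a pre-parse check in plain C++ can bound that size before an untrusted SVG or XML document reaches the parser. The names parseEntities, expandedSize, exceedsEntityBudget, kBudget and kSample are hypothetical, and the 1 MiB budget is an assumption.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <regex>
#include <string>
using EntityMap = std::map<std::string, std::string>;
using Memo = std::map<std::string, std::uint64_t>;
constexpr std::uint64_t kBudget = 1u << 20;  // hypothetical 1 MiB limit, not a Qt default

// Collect general entities (<!ENTITY name "value">); parameter and external entities are not handled.
EntityMap parseEntities(const std::string &xml) {
    static const std::regex decl(R"re(<!ENTITY\s+([\w.-]+)\s+(["'])([\s\S]*?)\2\s*>)re");
    EntityMap out;
    for (std::sregex_iterator it(xml.begin(), xml.end(), decl), end; it != end; ++it)
        out.emplace((*it)[1].str(), (*it)[3].str());  // first declaration wins
    return out;
}

// Bytes one entity occupies after full expansion, saturating at cap.
std::uint64_t expandedSize(const EntityMap &ents, const std::string &name,
                           Memo &memo, std::uint64_t cap, int depth = 0) {
    auto hit = memo.find(name);
    if (hit != memo.end()) return hit->second;
    auto ent = ents.find(name);
    if (ent == ents.end()) return 0;  // undeclared or predefined (&lt; etc.)
    if (depth > 64) return cap;       // self-reference or absurd nesting
    static const std::regex ref(R"re(&([\w.-]+);)re");
    const std::string &val = ent->second;
    std::uint64_t total = 0, last = 0;
    for (std::sregex_iterator it(val.begin(), val.end(), ref), end; it != end; ++it) {
        const std::uint64_t pos = static_cast<std::uint64_t>(it->position());
        total += (pos - last) + expandedSize(ents, (*it)[1].str(), memo, cap, depth + 1);
        last = pos + static_cast<std::uint64_t>(it->length());
        if (total >= cap) return memo[name] = cap;
    }
    return memo[name] = std::min<std::uint64_t>(cap, total + (val.size() - last));
}

// True when any declared entity would reach the budget once expanded.
bool exceedsEntityBudget(const std::string &xml, std::uint64_t cap = kBudget) {
    const EntityMap ents = parseEntities(xml);
    Memo memo;
    for (const auto &e : ents)
        if (expandedSize(ents, e.first, memo, cap) >= cap) return true;
    return false;
}

// Constructed sample: a = 10 bytes, b = 4 * a = 40, c = 4 * b = 160.
const std::string kSample =
    "<!DOCTYPE svg [<!ENTITY a \"0123456789\"><!ENTITY b \"&a;&a;&a;&a;\">"
    "<!ENTITY c \"&b;&b;&b;&b;\">]><svg>&c;</svg>";
```

Memoising each entity's size keeps the check linear in the number of declarations, so the check itself cannot be driven into the blow-up it is guarding against.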
Created attachment 11611
A possible PoC for the CVE-2015-9541 issue

This worked:
$ g++ -o example `pkg-config --libs --cflags QtCore QtGui` example.cpp
CC: (none) => tarazed25
mga7, x86_64

Before updating installed all the packages listed.

For CVE-2015-9541
https://bugreports.qt.io/browse/QTBUG-47417
Downloaded the examples and compiled them, e.g.
$ g++ -o example `pkg-config --libs --cflags QtCore QtGui` example.cpp
Have no idea about Qt programming but it looks like this example creates a text browser and passes it a made up base64 encoded image (PNG not SVG?).
$ ./example
QFSFileEngine::open: No file name specified
terminate called after throwing an instance of 'std::bad_alloc'
what(): std::bad_alloc
Aborted (core dumped)

This goes into a loop for about two minutes and then aborts. No sign of a gui. Not really worth pursuing these as PoC.

Updated 38 packages.

The example program hangs and aborts just as before. Given the age of the CVE maybe this is what should be expected. No firm conclusion anyway.

More testing tomorrow.
$ urpmq -il qtbase5-examples
This returns a list of examples for qt5, not specifically qtbase5, so we can take it that they are one and the same and assume that trying random samples should be an adequate test.

Documentation is in /usr/share/doc/qt5
$ cd /usr/share/doc/qt5
$ ls -d *
global/            qtdbus.qch     qtopengl.qch           qttestlib.qch
qmake/             qtdoc/         qtplatformheaders/     qtwidgets/
qmake.qch          qtdoc.qch      qtplatformheaders.qch  qtwidgets.qch
qtconcurrent/      qtgui/         qtprintsupport/        qtxml/
qtconcurrent.qch   qtgui.qch      qtprintsupport.qch     qtxml.qch
qtcore/            qtnetwork/     qtsql/
qtcore.qch         qtnetwork.qch  qtsql.qch
qtdbus/            qtopengl/      qttestlib/

There is no easy way into Qt - no helloworld starting point that I could see.

Tried out one of the widget examples, analogclock.
$ cd /usr/lib64/qt5/examples/widgets/widgets/
$ cp -r analogclock /data/qa/qt5
$ cd /data/qa/qt5/analogclock
$ qmake analogclock.pro
$ make all
$ ls
analogclock*     analogclock.o    main.o               moc_analogclock.o
analogclock.cpp  analogclock.pro  Makefile             moc_predefs.h
analogclock.h    main.cpp         moc_analogclock.cpp
$ ./analogclock
This displayed the expected analogue clock widget which showed the correct current time - it is live, keeping in sync with current time.

This shows that the basic functions and framework are working, good enough for QA but it might be worth looking at qtxml.
$ urpmq --whatrequires-recursive lib64qt5core5 | sort -u > what
$ wc -l what
2693 what

Ran celestia under strace for several minutes.
$ grep qt5 celestia.trace | wc -l
346
$ grep qt5/plugins celestia.trace | wc -l
294
$ grep Qt5Core celestia.trace
openat(AT_FDCWD, "/lib64/libQt5Core.so.5", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libQt5Core.so.5.12.6", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib64/libQt5Core.so.5.12.6", O_RDONLY) = 13

kxmlgui is listed as using libqt5core5. It is installed. Applications such as skrooge, okular and ksysguard use it.
$ strace -o ksysguard.trace ksysguard
Tried various settings and interaction...
$ grep kxml ksysguard.trace
That turned up a dozen or so references to kxmlgui5.
$ grep xml ksysguard.trace | grep lib | grep -i qt
$
$ cat ksysguard.trace | grep -i qt5core
openat(AT_FDCWD, "/lib64/libQt5Core.so.5", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/libQt5Core.so.5.12.6", O_RDONLY) = 3
openat(AT_FDCWD, "/usr/lib64/libQt5Core.so.5.12.6", O_RDONLY) = 12

Not sure if that is definitive for libqt5xml5. Giving this an OK anyway.
Whiteboard: (none) => MGA7-64-OK
Thanks for all your work, Len. I think anything further is beyond the scope of QA. Validating. Advisory in Comment 4.
Keywords: (none) => validated_update
CC: (none) => andrewsfarm, sysadmin-bugs
Keywords: (none) => advisory
CC: (none) => tmb
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0192.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED