Bug 27173 - qt4, qtbase5 new security issue CVE-2020-17507
Summary: qt4, qtbase5 new security issue CVE-2020-17507
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal major
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2020-08-21 23:23 CEST by David Walser
Modified: 2020-08-27 17:54 CEST

See Also:
Source RPM: qt4-4.8.7-31.mga8.src.rpm, qtbase5-5.15.0-3.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2020-08-21 23:23:19 CEST
Fedora has issued an advisory on August 16:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/426FCC6JNK4JUEX5QHJQDYQ6MUVQ3E6P/

The issue is fixed in Qt5 upstream in 5.12.9 and 5.15.1 and can be patched in Qt4.

Mageia 7 is also affected.

David Walser 2020-08-21 23:23:49 CEST

Whiteboard: (none) => MGA7TOO

Comment 1 David GEIGER 2020-08-25 08:07:11 CEST
So first done for qtbase5 on Cauldron and mga7!

CC: (none) => geiger.david68210

Comment 2 David GEIGER 2020-08-25 10:38:23 CEST
And now done for qt4 on Cauldron and mga7!

Comment 3 David Walser 2020-08-25 15:12:19 CEST
Advisory:
========================

Updated qt4 and qtbase5 packages fix security vulnerability:

The read_xbm_body function in gui/image/qxbmhandler.cpp has a buffer over-read
(CVE-2020-17507).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17507
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/426FCC6JNK4JUEX5QHJQDYQ6MUVQ3E6P/
========================

Updated packages in core/updates_testing:
========================
qt4-common-4.8.7-26.2.mga7
libqtxml4-4.8.7-26.2.mga7
libqtscripttools4-4.8.7-26.2.mga7
libqtxmlpatterns4-4.8.7-26.2.mga7
libqtsql4-4.8.7-26.2.mga7
libqtnetwork4-4.8.7-26.2.mga7
libqtscript4-4.8.7-26.2.mga7
libqtgui4-4.8.7-26.2.mga7
libqtsvg4-4.8.7-26.2.mga7
libqttest4-4.8.7-26.2.mga7
libqthelp4-4.8.7-26.2.mga7
libqtclucene4-4.8.7-26.2.mga7
libqtcore4-4.8.7-26.2.mga7
libqt3support4-4.8.7-26.2.mga7
libqtopengl4-4.8.7-26.2.mga7
libqtdesigner4-4.8.7-26.2.mga7
libqtdbus4-4.8.7-26.2.mga7
libqtmultimedia4-4.8.7-26.2.mga7
qt4-qtdbus-4.8.7-26.2.mga7
libqtdeclarative4-4.8.7-26.2.mga7
qt4-qmlviewer-4.8.7-26.2.mga7
libqt4-devel-4.8.7-26.2.mga7
qt4-devel-private-4.8.7-26.2.mga7
qt4-xmlpatterns-4.8.7-26.2.mga7
qt4-qtconfig-4.8.7-26.2.mga7
qt4-doc-4.8.7-26.2.mga7
qt4-demos-4.8.7-26.2.mga7
qt4-examples-4.8.7-26.2.mga7
qt4-linguist-4.8.7-26.2.mga7
qt4-assistant-4.8.7-26.2.mga7
libqt4-database-plugin-mysql-4.8.7-26.2.mga7
libqt4-database-plugin-sqlite-4.8.7-26.2.mga7
libqt4-database-plugin-tds-4.8.7-26.2.mga7
libqt4-database-plugin-pgsql-4.8.7-26.2.mga7
qt4-graphicssystems-plugin-4.8.7-26.2.mga7
qt4-accessibility-plugin-4.8.7-26.2.mga7
qt4-designer-4.8.7-26.2.mga7
qt4-designer-plugin-webkit-4.8.7-26.2.mga7
qt4-designer-plugin-qt3support-4.8.7-26.2.mga7
qt4-qvfb-4.8.7-26.2.mga7
qt4-qdoc3-4.8.7-26.2.mga7
qtbase5-common-5.12.6-4.mga7
qtbase5-common-devel-5.12.6-4.mga7
qtbase5-examples-5.12.6-4.mga7
qtbase5-doc-5.12.6-4.mga7
libqt5core5-5.12.6-4.mga7
libqt5core-devel-5.12.6-4.mga7
libqt5concurrent5-5.12.6-4.mga7
libqt5concurrent-devel-5.12.6-4.mga7
libqt5dbus5-5.12.6-4.mga7
libqt5dbus-devel-5.12.6-4.mga7
libqt5eglfsdeviceintegration5-5.12.6-4.mga7
libqt5eglfsdeviceintegration-devel-5.12.6-4.mga7
libqt5eglfskmssupport5-5.12.6-4.mga7
libqt5eglfskmssupport-devel-5.12.6-4.mga7
libqt5gui5-5.12.6-4.mga7
libqt5gui-devel-5.12.6-4.mga7
libqt5network5-5.12.6-4.mga7
libqt5network-devel-5.12.6-4.mga7
libqt5opengl5-5.12.6-4.mga7
libqt5opengl-devel-5.12.6-4.mga7
libqt5platformsupport-devel-5.12.6-4.mga7
libqt5printsupport5-5.12.6-4.mga7
libqt5printsupport-devel-5.12.6-4.mga7
libqt5sql5-5.12.6-4.mga7
libqt5sql-devel-5.12.6-4.mga7
libqt5test5-5.12.6-4.mga7
libqt5test-devel-5.12.6-4.mga7
libqt5widgets5-5.12.6-4.mga7
libqt5widgets-devel-5.12.6-4.mga7
libqt5xcbqpa5-5.12.6-4.mga7
libqt5xcbqpa-devel-5.12.6-4.mga7
libqt5xml5-5.12.6-4.mga7
libqt5xml-devel-5.12.6-4.mga7
libqt5base5-devel-5.12.6-4.mga7
libqt5accessibilitysupport-static-devel-5.12.6-4.mga7
libqt5linuxaccessibilitysupport-static-devel-5.12.6-4.mga7
libqt5bootstrap-static-devel-5.12.6-4.mga7
libqt5devicediscoverysupport-static-devel-5.12.6-4.mga7
libqt5eglsupport-static-devel-5.12.6-4.mga7
libqt5eventdispatchersupport-static-devel-5.12.6-4.mga7
libqt5fbsupport-static-devel-5.12.6-4.mga7
libqt5fontdatabasesupport-static-devel-5.12.6-4.mga7
libqt5glxsupport-static-devel-5.12.6-4.mga7
libqt5inputsupport-static-devel-5.12.6-4.mga7
libqt5kmssupport-static-devel-5.12.6-4.mga7
libqt5platformcompositorsupport-static-devel-5.12.6-4.mga7
libqt5servicesupport-static-devel-5.12.6-4.mga7
libqt5edid-devel-5.12.6-4.mga7
libqt5themesupport-static-devel-5.12.6-4.mga7
libqt5-database-plugin-odbc-5.12.6-4.mga7
libqt5-database-plugin-mysql-5.12.6-4.mga7
libqt5-database-plugin-sqlite-5.12.6-4.mga7
libqt5-database-plugin-tds-5.12.6-4.mga7
libqt5-database-plugin-ibase-5.12.6-4.mga7
libqt5-database-plugin-pgsql-5.12.6-4.mga7

from SRPMS:
qt4-4.8.7-26.2.mga7.src.rpm
qtbase5-5.12.6-4.mga7.src.rpm

Assignee: kde => qa-bugs
Version: Cauldron => 7
Whiteboard: MGA7TOO => (none)

Comment 4 Aurelien Oudelet 2020-08-27 12:17:25 CEST
Works well on Mageia 7, Plasma 5.15, x86_64 with nvidia nonfree drivers

Aurelien Oudelet 2020-08-27 14:36:22 CEST

Whiteboard: (none) => MGA7-64-OK

Aurelien Oudelet 2020-08-27 14:53:32 CEST

Keywords: (none) => advisory

Aurelien Oudelet 2020-08-27 16:44:38 CEST

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 5 Mageia Robot 2020-08-27 17:54:04 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0347.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

