Bug 27218 - qtbase5 new security issue CVE-2020-13962
Status: NEW
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 7
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
 
Reported: 2020-08-28 18:13 CEST by David Walser
Modified: 2021-04-03 15:15 CEST

Source RPM: qtbase5-5.12.6-4.mga7.src.rpm


Attachments
List of installed and available packages (11.29 KB, text/plain)
2021-03-25 20:03 CET, Ulrich Beckmann

Description David Walser 2020-08-28 18:13:19 CEST
SUSE has issued an advisory on August 27:
https://lists.suse.com/pipermail/sle-security-updates/2020-August/007309.html

The issue is fixed upstream in 5.12.9:
https://bugreports.qt.io/browse/QTBUG-83450

If the "fix another buffer overflow (oss-fuzz-23988)" from Cauldron applies, we should add that too.
Comment 1 David Walser 2020-09-03 22:17:04 CEST
openSUSE has issued an advisory for this on September 1:
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00004.html
Comment 2 David Walser 2020-11-04 23:42:30 CET
RedHat has issued an advisory for this on November 3:
https://access.redhat.com/errata/RHSA-2020:4690
Comment 3 David Walser 2020-12-28 18:47:12 CET
0002-OpenSSL-handle-SSL_shutdown-s-errors-properly.patch in openSUSE fixes this.  They also have other possibly security-relevant patches.  See:
https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2:Update/libqt5-qtbase/libqt5-qtbase.changes?expand=1
https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/libqt5-qtbase

Status comment: (none) => Patch available from openSUSE

Comment 4 Nicolas Lécureuil 2021-03-11 15:54:29 CET
patch 0002-OpenSSL-handle-SSL_shutdown-s-errors-properly.patch added in mga7

src:
    - qtbase5-5.12.6-4.1.mga7

CC: (none) => mageia
Assignee: kde => qa-bugs

Comment 5 David Walser 2021-03-12 20:34:48 CET
Did you look at the other patches?

Package list:
qtbase5-common-5.12.6-4.1.mga7
qtbase5-common-devel-5.12.6-4.1.mga7
qtbase5-examples-5.12.6-4.1.mga7
qtbase5-doc-5.12.6-4.1.mga7
libqt5core5-5.12.6-4.1.mga7
libqt5core-devel-5.12.6-4.1.mga7
libqt5concurrent5-5.12.6-4.1.mga7
libqt5concurrent-devel-5.12.6-4.1.mga7
libqt5dbus5-5.12.6-4.1.mga7
libqt5dbus-devel-5.12.6-4.1.mga7
libqt5eglfsdeviceintegration5-5.12.6-4.1.mga7
libqt5eglfsdeviceintegration-devel-5.12.6-4.1.mga7
libqt5eglfskmssupport5-5.12.6-4.1.mga7
libqt5eglfskmssupport-devel-5.12.6-4.1.mga7
libqt5gui5-5.12.6-4.1.mga7
libqt5gui-devel-5.12.6-4.1.mga7
libqt5network5-5.12.6-4.1.mga7
libqt5network-devel-5.12.6-4.1.mga7
libqt5opengl5-5.12.6-4.1.mga7
libqt5opengl-devel-5.12.6-4.1.mga7
libqt5platformsupport-devel-5.12.6-4.1.mga7
libqt5printsupport5-5.12.6-4.1.mga7
libqt5printsupport-devel-5.12.6-4.1.mga7
libqt5sql5-5.12.6-4.1.mga7
libqt5sql-devel-5.12.6-4.1.mga7
libqt5test5-5.12.6-4.1.mga7
libqt5test-devel-5.12.6-4.1.mga7
libqt5widgets5-5.12.6-4.1.mga7
libqt5widgets-devel-5.12.6-4.1.mga7
libqt5xcbqpa5-5.12.6-4.1.mga7
libqt5xcbqpa-devel-5.12.6-4.1.mga7
libqt5xml5-5.12.6-4.1.mga7
libqt5xml-devel-5.12.6-4.1.mga7
libqt5base5-devel-5.12.6-4.1.mga7
libqt5accessibilitysupport-static-devel-5.12.6-4.1.mga7
libqt5linuxaccessibilitysupport-static-devel-5.12.6-4.1.mga7
libqt5bootstrap-static-devel-5.12.6-4.1.mga7
libqt5devicediscoverysupport-static-devel-5.12.6-4.1.mga7
libqt5eglsupport-static-devel-5.12.6-4.1.mga7
libqt5eventdispatchersupport-static-devel-5.12.6-4.1.mga7
libqt5fbsupport-static-devel-5.12.6-4.1.mga7
libqt5fontdatabasesupport-static-devel-5.12.6-4.1.mga7
libqt5glxsupport-static-devel-5.12.6-4.1.mga7
libqt5inputsupport-static-devel-5.12.6-4.1.mga7
libqt5kmssupport-static-devel-5.12.6-4.1.mga7
libqt5platformcompositorsupport-static-devel-5.12.6-4.1.mga7
libqt5servicesupport-static-devel-5.12.6-4.1.mga7
libqt5edid-devel-5.12.6-4.1.mga7
libqt5themesupport-static-devel-5.12.6-4.1.mga7
libqt5-database-plugin-odbc-5.12.6-4.1.mga7
libqt5-database-plugin-mysql-5.12.6-4.1.mga7
libqt5-database-plugin-sqlite-5.12.6-4.1.mga7
libqt5-database-plugin-tds-5.12.6-4.1.mga7
libqt5-database-plugin-ibase-5.12.6-4.1.mga7
libqt5-database-plugin-pgsql-5.12.6-4.1.mga7

Status comment: Patch available from openSUSE => (none)
Keywords: (none) => feedback

Comment 6 Nicolas Lécureuil 2021-03-12 20:36:20 CET
Yes, I think I will do another update with only the fix patches (this allows this security issue to go online faster).
Comment 7 David Walser 2021-03-12 20:49:14 CET
(In reply to Nicolas Lécureuil from comment #6)
> Yes, I think I will do another update with only the fix patches (this allows
> this security issue to go online faster).

Please file a new bug now with this so it isn't forgotten:
They also have other possibly security-relevant patches.  See:
https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2:Update/libqt5-qtbase/libqt5-qtbase.changes?expand=1
https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/libqt5-qtbase
Comment 8 David Walser 2021-03-14 15:41:47 CET
(In reply to David Walser from comment #7)
> (In reply to Nicolas Lécureuil from comment #6)
> > Yes, I think I will do another update with only the fix patches (this allows
> > this security issue to go online faster).
> 
> Please file a new bug now with this so it isn't forgotten:
> They also have other possibly security-relevant patches.  See:
> https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2:Update/
> libqt5-qtbase/libqt5-qtbase.changes?expand=1
> https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/libqt5-
> qtbase

Ping...
Comment 9 David Walser 2021-03-14 15:43:43 CET
Current advisory if no other fixes are added...

Advisory:
========================

Updated qtbase5 packages fix security vulnerability:

QSslSocket incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing
denial of service in TLS applications (CVE-2020-13962).

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13962
https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00004.html
https://access.redhat.com/errata/RHSA-2020:4690
Comment 10 Nicolas Lécureuil 2021-03-14 16:36:00 CET
(In reply to David Walser from comment #8)
> (In reply to David Walser from comment #7)
> > (In reply to Nicolas Lécureuil from comment #6)
> > > Yes, I think I will do another update with only the fix patches (this allows
> > > this security issue to go online faster).
> > 
> > Please file a new bug now with this so it isn't forgotten:
> > They also have other possibly security-relevant patches.  See:
> > https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2:Update/
> > libqt5-qtbase/libqt5-qtbase.changes?expand=1
> > https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/libqt5-
> > qtbase
> 
> Ping...

I am working on it.

Do we validate this one or do we wait for more fixes from me? (I am OK in both cases.)
Comment 11 David Walser 2021-03-14 16:41:44 CET
I would just add the additional fixes here.
Comment 12 Nicolas Lécureuil 2021-03-14 16:43:50 CET
OK, they are mostly ready.
Comment 13 Nicolas Lécureuil 2021-03-14 17:00:11 CET
I took some patches:

-> Check that the sizes are even representable when checking if clipping is necessary (P300)
-> Multiply instead of shifting. The shift operator is undefined for negative values. (P301)
-> Check returns of hex2int in get_hex_rgb. Avoids undefined behavior when trying to shift negative values. (P302)
-> Sanitize lengthValue in CSS parser. Limit the LengthData to the integer range before rounding it, taking into account that qRound() subtracts 1 from negative values. (P303)
-> QBezier: Don't try calculating a unit vector when length is null. It's undefined and causes a division by zero. (P304)
-> Avoid potential UB in corrupt BMP file. biHeight may be INT_MIN, in which case qAbs<int>() will not work. (P305)
-> wasm: disable XDG_RUNTIME_DIR warning. XDG is not very relevant on the Web platform. (P306)
-> Use SOURCE_DATE_EPOCH. Use the standard variable name in addition to the QT-specific one to make builds reproducible out-of-the-box (P308)
-> Fix notification of QDockWidget when it gets undocked (P309)
-> Synthesize Enter/LeaveEvent for accepted QTabletEvent (P310)
-> Fix crash when running QtCore: Stack is misaligned on x86-64 (P311)
-> Add support for PostgreSQL 12 (P312)
-> QStandardPaths: Correct handling for XDG_RUNTIME_DIR (P313)
-> QStandardPaths/Unix: improve the XDG_RUNTIME_DIR creation/detection (P312)
-> Add remote print queue support (P313)

Cups servers which announce themselves on avahi will be shown in
the printer dialog. This adds a delay the first time the print dialog
is opened in order to search for print queues. Because of this delay,
the remote print queue discovery is disabled by default and can be enabled
by setting the QT_ENABLE_PRINTER_DISCOVERY environment variable to 1.
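
Several of the fixes listed in this comment (P301, P302, P303, P305) remove undefined behaviour that untrusted input could trigger. The following C++ is an added example showing the same defensive patterns; it is not Qt's code or the patches themselves, and the names hexDigit, parseHexRgb, bmpRowCount and roundLengthClamped are hypothetical.

```cpp
#include <climits>
#include <cmath>
#include <cstdint>

// Hypothetical helper: value of one hex digit, or -1 if c is not a hex digit.
static int hexDigit(char c) {
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

// Parse "#rrggbb". Each digit is checked before use, so the -1 error value
// never reaches the accumulator, and the accumulator is unsigned and built
// by multiplication rather than by shifting a signed int.
bool parseHexRgb(const char *s, uint32_t *out) {
    if (!s || s[0] != '#') return false;
    uint32_t rgb = 0;
    for (int i = 1; i <= 6; ++i) {
        int d = hexDigit(s[i]);          // also rejects an early '\0'
        if (d < 0) return false;
        rgb = rgb * 16u + static_cast<uint32_t>(d);
    }
    if (s[7] != '\0') return false;      // trailing characters
    *out = rgb;
    return true;
}

// A BMP header's biHeight is signed (negative means top-down rows).
// INT32_MIN has no positive counterpart, so it is rejected before negating.
bool bmpRowCount(int32_t biHeight, int32_t *rows) {
    if (biHeight == 0 || biHeight == INT32_MIN) return false;
    *rows = biHeight < 0 ? -biHeight : biHeight;
    return true;
}

// Round a parsed length to int, clamping to the int range first so the
// conversion is always defined. NaN maps to 0 (a choice made for this example).
int roundLengthClamped(double v) {
    if (std::isnan(v)) return 0;
    if (v >= static_cast<double>(INT_MAX)) return INT_MAX;
    if (v <= static_cast<double>(INT_MIN)) return INT_MIN;
    return static_cast<int>(std::lround(v));
}

int main() {
    uint32_t rgb = 0;
    int32_t rows = 0;
    // Constructed inputs: one valid colour, one malformed, two BMP heights.
    bool ok = parseHexRgb("#ff8000", &rgb) && rgb == 0xff8000u
           && !parseHexRgb("#ff80zz", &rgb)
           && bmpRowCount(-480, &rows) && rows == 480
           && !bmpRowCount(INT32_MIN, &rows)
           && roundLengthClamped(1e20) == INT_MAX;
    return ok ? 0 : 1;
}
```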
Comment 14 David Walser 2021-03-14 17:35:13 CET
Does the KDE print dialog still correctly show remote printers?
Comment 15 Nicolas Lécureuil 2021-03-14 18:14:46 CET
This will be a test for the QA Team to do. If you fear anything, we can remove it and re-add it in a specific update.
Comment 16 Morgan Leijström 2021-03-15 08:58:40 CET
Updated qtbase5-common, and all lib64qt5* this system had yesterday, reboot.

No regression noted, except initial Firefox quirk below.
I will report again if I find more. This is my workstation.
I have no remote printer.

Firefox got hungry: First reboot after update I had several processes named "Web" that consumed full CPU and internet bandwidth.  I have Firefox (and some other apps) started by script, but normally Firefox consumes comparatively very little even when hundred tabs are "open".  When I shut down Firefox also the "web" processes vanished.  I could not repeat that either with just launching Firefox again or full reboot. Just weird.

Also now when running normally I have 8 processes "Web" (because 8 CPU?) all created by Firefox, but sitting there idle.  I assume it is a quirk of Firefox but did the qt5 update trigger that or was it a coincidence?

So maybe when you test this: watch CPU usage when you launch Firefox.

Packages updated on this system:
- lib64qt5-database-plugin-ibase-5.12.6-4.2.mga7.x86_64
- lib64qt5-database-plugin-mysql-5.12.6-4.2.mga7.x86_64
- lib64qt5-database-plugin-sqlite-5.12.6-4.2.mga7.x86_64
- lib64qt5concurrent5-5.12.6-4.2.mga7.x86_64
- lib64qt5core5-5.12.6-4.2.mga7.x86_64
- lib64qt5dbus5-5.12.6-4.2.mga7.x86_64
- lib64qt5eglfsdeviceintegration5-5.12.6-4.2.mga7.x86_64
- lib64qt5eglfskmssupport5-5.12.6-4.2.mga7.x86_64
- lib64qt5gui5-5.12.6-4.2.mga7.x86_64
- lib64qt5network5-5.12.6-4.2.mga7.x86_64
- lib64qt5opengl5-5.12.6-4.2.mga7.x86_64
- lib64qt5printsupport5-5.12.6-4.2.mga7.x86_64
- lib64qt5sql5-5.12.6-4.2.mga7.x86_64
- lib64qt5test5-5.12.6-4.2.mga7.x86_64
- lib64qt5widgets5-5.12.6-4.2.mga7.x86_64
- lib64qt5xcbqpa5-5.12.6-4.2.mga7.x86_64
- lib64qt5xml5-5.12.6-4.2.mga7.x86_64
- qtbase5-common-5.12.6-4.2.mga7.x86_64

CC: (none) => fri

Comment 17 Aurelien Oudelet 2021-03-15 09:08:42 CET
(In reply to Morgan Leijström from comment #16)
> Updated qtbase5-common, and all lib64qt5* this system had yesterday, reboot.

> Firefox got hungry: First reboot after update I had several processes named
> "Web" that consumed full CPU and internet bandwidth.  I have Firefox (and
> some other apps) started by script, but normally Firefox consumes
> comparatively very little even when hundred tabs are "open".  When I shut
> down Firefox also the "web" processes vanished.  I could not repeat that
> either with just launching Firefox again or full reboot. Just weird.
> 
> Also now when running normally I have 8 processes "Web" (because 8 CPU?) all
> created by Firefox, but sitting there idle.  I assume it is a quirk of
> Firefox but did the qt5 update trigger that or was it a coincidence?
> 
> So maybe when you test this: watch CPU usage when you launch Firefox.

Firefox is a GTK application and has nothing to do with the Qt toolkit. Perhaps it is the Plasma-browser-integration add-on, which has something to do with Qt/Plasma. Note that this add-on provides filesystem Open/Save integration and systray notifications when downloading stuff.

Better, a reboot is necessary when updating such a heavy under-the-hood library.

CC: (none) => ouaurelien

Comment 18 David Walser 2021-03-15 14:36:01 CET
Package list is now:
qtbase5-common-5.12.6-4.2.mga7
qtbase5-common-devel-5.12.6-4.2.mga7
qtbase5-examples-5.12.6-4.2.mga7
qtbase5-doc-5.12.6-4.2.mga7
libqt5core5-5.12.6-4.2.mga7
libqt5core-devel-5.12.6-4.2.mga7
libqt5concurrent5-5.12.6-4.2.mga7
libqt5concurrent-devel-5.12.6-4.2.mga7
libqt5dbus5-5.12.6-4.2.mga7
libqt5dbus-devel-5.12.6-4.2.mga7
libqt5eglfsdeviceintegration5-5.12.6-4.2.mga7
libqt5eglfsdeviceintegration-devel-5.12.6-4.2.mga7
libqt5eglfskmssupport5-5.12.6-4.2.mga7
libqt5eglfskmssupport-devel-5.12.6-4.2.mga7
libqt5gui5-5.12.6-4.2.mga7
libqt5gui-devel-5.12.6-4.2.mga7
libqt5network5-5.12.6-4.2.mga7
libqt5network-devel-5.12.6-4.2.mga7
libqt5opengl5-5.12.6-4.2.mga7
libqt5opengl-devel-5.12.6-4.2.mga7
libqt5platformsupport-devel-5.12.6-4.2.mga7
libqt5printsupport5-5.12.6-4.2.mga7
libqt5printsupport-devel-5.12.6-4.2.mga7
libqt5sql5-5.12.6-4.2.mga7
libqt5sql-devel-5.12.6-4.2.mga7
libqt5test5-5.12.6-4.2.mga7
libqt5test-devel-5.12.6-4.2.mga7
libqt5widgets5-5.12.6-4.2.mga7
libqt5widgets-devel-5.12.6-4.2.mga7
libqt5xcbqpa5-5.12.6-4.2.mga7
libqt5xcbqpa-devel-5.12.6-4.2.mga7
libqt5xml5-5.12.6-4.2.mga7
libqt5xml-devel-5.12.6-4.2.mga7
libqt5base5-devel-5.12.6-4.2.mga7
libqt5accessibilitysupport-static-devel-5.12.6-4.2.mga7
libqt5linuxaccessibilitysupport-static-devel-5.12.6-4.2.mga7
libqt5bootstrap-static-devel-5.12.6-4.2.mga7
libqt5devicediscoverysupport-static-devel-5.12.6-4.2.mga7
libqt5eglsupport-static-devel-5.12.6-4.2.mga7
libqt5eventdispatchersupport-static-devel-5.12.6-4.2.mga7
libqt5fbsupport-static-devel-5.12.6-4.2.mga7
libqt5fontdatabasesupport-static-devel-5.12.6-4.2.mga7
libqt5glxsupport-static-devel-5.12.6-4.2.mga7
libqt5inputsupport-static-devel-5.12.6-4.2.mga7
libqt5kmssupport-static-devel-5.12.6-4.2.mga7
libqt5platformcompositorsupport-static-devel-5.12.6-4.2.mga7
libqt5servicesupport-static-devel-5.12.6-4.2.mga7
libqt5edid-devel-5.12.6-4.2.mga7
libqt5themesupport-static-devel-5.12.6-4.2.mga7
libqt5-database-plugin-odbc-5.12.6-4.2.mga7
libqt5-database-plugin-mysql-5.12.6-4.2.mga7
libqt5-database-plugin-sqlite-5.12.6-4.2.mga7
libqt5-database-plugin-tds-5.12.6-4.2.mga7
libqt5-database-plugin-ibase-5.12.6-4.2.mga7
libqt5-database-plugin-pgsql-5.12.6-4.2.mga7

from qtbase5-5.12.6-4.2.mga7.src.rpm

Keywords: feedback => (none)

Comment 19 Thomas Andrews 2021-03-17 21:56:37 CET
Note to new 64-bit qarepo users: You will need to copy the above list and paste it into kwrite. Use "replace" to change all instances of "libqt" to "lib64qt" then copy the result and paste it into qarepo to download all the updates into your local repository.

AMD Phenom II 910, AMD HD 8490 graphics, Atheros-based wifi. There is a "print to file" option on this hardware, but there are no actual printers installed.

The following packages were updated:

- lib64qt5-database-plugin-ibase-5.12.6-4.2.mga7.x86_64
- lib64qt5-database-plugin-mysql-5.12.6-4.2.mga7.x86_64
- lib64qt5-database-plugin-sqlite-5.12.6-4.2.mga7.x86_64
- lib64qt5concurrent5-5.12.6-4.2.mga7.x86_64
- lib64qt5core5-5.12.6-4.2.mga7.x86_64
- lib64qt5dbus5-5.12.6-4.2.mga7.x86_64
- lib64qt5eglfsdeviceintegration5-5.12.6-4.2.mga7.x86_64
- lib64qt5eglfskmssupport5-5.12.6-4.2.mga7.x86_64
- lib64qt5gui5-5.12.6-4.2.mga7.x86_64
- lib64qt5network5-5.12.6-4.2.mga7.x86_64
- lib64qt5opengl5-5.12.6-4.2.mga7.x86_64
- lib64qt5printsupport5-5.12.6-4.2.mga7.x86_64
- lib64qt5sql5-5.12.6-4.2.mga7.x86_64
- lib64qt5test5-5.12.6-4.2.mga7.x86_64
- lib64qt5widgets5-5.12.6-4.2.mga7.x86_64
- lib64qt5xcbqpa5-5.12.6-4.2.mga7.x86_64
- lib64qt5xml5-5.12.6-4.2.mga7.x86_64
- qtbase5-common-5.12.6-4.2.mga7.x86_64

No installation issues. After a reboot, did this and that, no issues noted. Ran ksysguard while running Firefox, no unusual cpu activity.

Looks OK on this system.

CC: (none) => andrewsfarm

Comment 20 Nicolas Lécureuil 2021-03-17 23:05:11 CET
can someone test with remote printers ?
Comment 21 David Walser 2021-03-18 02:37:28 CET
It would be nice if someone could fix qarepo so it could handle lib lists with or without the 64.
Comment 22 Ulrich Beckmann 2021-03-25 20:03:13 CET
Created attachment 12516
List of installed and available packages

Upgraded since 03/18.

No regression found on KDE Plasma.

Ulrich

CC: (none) => bequimao.de

Comment 23 Thomas Andrews 2021-03-31 23:02:40 CEST
I asked on the QA ML for someone with a remote printer to test this, but it looks like no one is going to come forward. Shall we just send it on its way, anyway?
Comment 24 David Walser 2021-03-31 23:09:41 CEST
Do we really have nobody with two Mageia systems and a CUPS-shared printer that can test this?
Comment 25 Thomas Andrews 2021-03-31 23:46:09 CEST
I have multiple Mageia systems, but I have never set them up to share a printer. 

In fact, while the systems all use a common wifi/router, I have never really looked into getting them to communicate with each other at all.
Comment 26 Len Lawrence 2021-04-01 01:05:42 CEST
So what does CUPS-shared printer mean?  
I have an HP wifi printer with an address and a hostname known to everything on the LAN.  Each machine uses CUPS and HPLIP to access the printer, which requires a housekeeping job on every new installation.  It does not take long but it is a chore.

CC: (none) => tarazed25

Comment 27 David Walser 2021-04-01 01:44:01 CEST
System-config-printer or the CUPS web interface allows you to make the printer browsable by other machines on the same LAN.  If it's working, those printers should automatically show up if you print from a KDE application, or LibreOffice, for instance.
Comment 28 Morgan Leijström 2021-04-01 01:50:43 CEST
On the printer-sharing machine you also need to checkmark "CUPS server" in MCC -> Security -> Personal firewall.

You should then be able to boot another computer on a Mageia Live ISO, connect to the same network, and print without configuring that printer.
I believe enough of the printing system is installed by default on Live... ought to be...
Comment 29 Len Lawrence 2021-04-03 15:15:01 CEST
Does this work for a standalone wifi printer though?  Mine does not "belong" to any of the PCs and sharing does not seem to work.
