SUSE has issued an advisory on August 27: https://lists.suse.com/pipermail/sle-security-updates/2020-August/007309.html The issue is fixed upstream in 5.12.9: https://bugreports.qt.io/browse/QTBUG-83450 If the "fix another buffer overflow (oss-fuzz-23988)" from Cauldron applies, we should add that too.
openSUSE has issued an advisory for this on September 1: https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00004.html
RedHat has issued an advisory for this on November 3: https://access.redhat.com/errata/RHSA-2020:4690
0002-OpenSSL-handle-SSL_shutdown-s-errors-properly.patch in openSUSE fixes this. They also have other possibly security-relevant patches. See: https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2:Update/libqt5-qtbase/libqt5-qtbase.changes?expand=1 https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/libqt5-qtbase
Status comment: (none) => Patch available from openSUSE
patch 0002-OpenSSL-handle-SSL_shutdown-s-errors-properly.patch added in mga7 src: - qtbase5-5.12.6-4.1.mga7
CC: (none) => mageiaAssignee: kde => qa-bugs
Did you look at the other patches? Package list: qtbase5-common-5.12.6-4.1.mga7 qtbase5-common-devel-5.12.6-4.1.mga7 qtbase5-examples-5.12.6-4.1.mga7 qtbase5-doc-5.12.6-4.1.mga7 libqt5core5-5.12.6-4.1.mga7 libqt5core-devel-5.12.6-4.1.mga7 libqt5concurrent5-5.12.6-4.1.mga7 libqt5concurrent-devel-5.12.6-4.1.mga7 libqt5dbus5-5.12.6-4.1.mga7 libqt5dbus-devel-5.12.6-4.1.mga7 libqt5eglfsdeviceintegration5-5.12.6-4.1.mga7 libqt5eglfsdeviceintegration-devel-5.12.6-4.1.mga7 libqt5eglfskmssupport5-5.12.6-4.1.mga7 libqt5eglfskmssupport-devel-5.12.6-4.1.mga7 libqt5gui5-5.12.6-4.1.mga7 libqt5gui-devel-5.12.6-4.1.mga7 libqt5network5-5.12.6-4.1.mga7 libqt5network-devel-5.12.6-4.1.mga7 libqt5opengl5-5.12.6-4.1.mga7 libqt5opengl-devel-5.12.6-4.1.mga7 libqt5platformsupport-devel-5.12.6-4.1.mga7 libqt5printsupport5-5.12.6-4.1.mga7 libqt5printsupport-devel-5.12.6-4.1.mga7 libqt5sql5-5.12.6-4.1.mga7 libqt5sql-devel-5.12.6-4.1.mga7 libqt5test5-5.12.6-4.1.mga7 libqt5test-devel-5.12.6-4.1.mga7 libqt5widgets5-5.12.6-4.1.mga7 libqt5widgets-devel-5.12.6-4.1.mga7 libqt5xcbqpa5-5.12.6-4.1.mga7 libqt5xcbqpa-devel-5.12.6-4.1.mga7 libqt5xml5-5.12.6-4.1.mga7 libqt5xml-devel-5.12.6-4.1.mga7 libqt5base5-devel-5.12.6-4.1.mga7 libqt5accessibilitysupport-static-devel-5.12.6-4.1.mga7 libqt5linuxaccessibilitysupport-static-devel-5.12.6-4.1.mga7 libqt5bootstrap-static-devel-5.12.6-4.1.mga7 libqt5devicediscoverysupport-static-devel-5.12.6-4.1.mga7 libqt5eglsupport-static-devel-5.12.6-4.1.mga7 libqt5eventdispatchersupport-static-devel-5.12.6-4.1.mga7 libqt5fbsupport-static-devel-5.12.6-4.1.mga7 libqt5fontdatabasesupport-static-devel-5.12.6-4.1.mga7 libqt5glxsupport-static-devel-5.12.6-4.1.mga7 libqt5inputsupport-static-devel-5.12.6-4.1.mga7 libqt5kmssupport-static-devel-5.12.6-4.1.mga7 libqt5platformcompositorsupport-static-devel-5.12.6-4.1.mga7 libqt5servicesupport-static-devel-5.12.6-4.1.mga7 libqt5edid-devel-5.12.6-4.1.mga7 libqt5themesupport-static-devel-5.12.6-4.1.mga7 libqt5-database-plugin-odbc-5.12.6-4.1.mga7 libqt5-database-plugin-mysql-5.12.6-4.1.mga7 libqt5-database-plugin-sqlite-5.12.6-4.1.mga7 libqt5-database-plugin-tds-5.12.6-4.1.mga7 libqt5-database-plugin-ibase-5.12.6-4.1.mga7 libqt5-database-plugin-pgsql-5.12.6-4.1.mga7
Keywords: (none) => feedbackStatus comment: Patch available from openSUSE => (none)
Yes, i think i will do an other update with only fixes patches ( this allow to let this security issue go faster online ).
(In reply to Nicolas Lécureuil from comment #6) > Yes, i think i will do an other update with only fixes patches ( this allow > to let this security issue go faster online ). Please file a new bug now with this so it isn't forgotten: They also have other possibly security-relevant patches. See: https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2:Update/libqt5-qtbase/libqt5-qtbase.changes?expand=1 https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/libqt5-qtbase
(In reply to David Walser from comment #7) > (In reply to Nicolas Lécureuil from comment #6) > > Yes, i think i will do an other update with only fixes patches ( this allow > > to let this security issue go faster online ). > > Please file a new bug now with this so it isn't forgotten: > They also have other possibly security-relevant patches. See: > https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2:Update/ > libqt5-qtbase/libqt5-qtbase.changes?expand=1 > https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/libqt5- > qtbase Ping...
Current advisory if no other fixes are added... Advisory: ======================== Updated qtbase5 packages fix security vulnerability: QSslSocket incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications (CVE-2020-13962). References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-13962 https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00004.html https://access.redhat.com/errata/RHSA-2020:4690
(In reply to David Walser from comment #8) > (In reply to David Walser from comment #7) > > (In reply to Nicolas Lécureuil from comment #6) > > > Yes, i think i will do an other update with only fixes patches ( this allow > > > to let this security issue go faster online ). > > > > Please file a new bug now with this so it isn't forgotten: > > They also have other possibly security-relevant patches. See: > > https://build.opensuse.org/package/view_file/openSUSE:Leap:15.2:Update/ > > libqt5-qtbase/libqt5-qtbase.changes?expand=1 > > https://build.opensuse.org/package/show/openSUSE:Leap:15.2:Update/libqt5- > > qtbase > > Ping... i am working on it. Do we validate this one or do we wait for me more fixes ? ( i am ok in both cases)
I would just add the additional fixes here.
ok they are mostly ready
i took some patches: -> Check that the sizes are even representable when checking if clipping is necessary ( P300 ) -> Multiply instead of shifting, The shift operator is undefined for negative values. (P301) -> Check returns of hex2int in get_hex_rgb, Avoids undefined behavior when trying to shift negative values. (P302) -> Sanitize lengthValue in CSS parser, Limit the LengthData to the integer range before rounding it, taking into account that qRound() substracts 1 from negative values. (P303) -> QBezier: Don't try calculating a unit vector when length is null. It's undefined and causes a division by zero. (P304) -> Avoid potential ub in corrupt bmp file. biHeight may be int_min, in which case qAbs<int>() will not work. (P305) -> wasm: disable XDG_RUNTIME_DIR warning XDG is not very relevant on the Web platform. (P306) -> Use SOURCE_DATE_EPOCH. Use the standard variable name in addition to the QT-specific one to make builds reproducible out-of-the-box (P308) -> Fix notification of QDockWidget when it gets undocked (P309) -> Synthesize Enter/LeaveEvent for accepted QTabletEvent (P310) -> Fix crash when running QtCore: Stack is misaligned on x86-64 (P311) -> Add support for PostgreSQL 12 (P312) -> QStandardPaths: Correct handling for XDG_RUNTIME_DIR (P313) -> QStandardPaths/Unix: improve the XDG_RUNTIME_DIR creation/detection (P312) -> Add remote print queue support (P313) Cups servers which announce themselves on avahi will be shown in the printer dialog. This adds a delay the first time the print dialog is opened in order to search for print queues . Because of this delay, the remote print queue discovery is disabled by default and can be enabled by setting the QT_ENABLE_PRINTER_DISCOVERY environment variable to 1.
Does the KDE print dialog still correctly show remote printers?
this will be a test to do by QA Team. If you fear anything, we can remove it, and readd on a specific update
Updated qtbase5-common, and all lib64qt5* this system had yesterday, reboot. No regression noted, except initial Firefox quirk below. I will report again if i find more. This is my workstation. I have no remote printer. Firefox got hungry: First reboot after update i had several processes named "Web" that consumed full CPU and internet bandwidth. I have Firefox (and some other apps) started by script, but normally Firefox consumes comparatively very little even when hundred tabs are "open". When i shut down Firefox also the "web" processes vanished. I could not repeat that neither with just launching Firefox again nor full reboot. Just weird. Also now when running normally i have 8 processes "Web" (because 8 CPU?) all created by Firefox, but sitting there idle. I assume it is a quirk of firefox but did the qt5 update trig that or was it a coincidence? So maybe when you test this: watch CPU usage when you launch Firefox. Packages updated on this system: - lib64qt5-database-plugin-ibase-5.12.6-4.2.mga7.x86_64 - lib64qt5-database-plugin-mysql-5.12.6-4.2.mga7.x86_64 - lib64qt5-database-plugin-sqlite-5.12.6-4.2.mga7.x86_64 - lib64qt5concurrent5-5.12.6-4.2.mga7.x86_64 - lib64qt5core5-5.12.6-4.2.mga7.x86_64 - lib64qt5dbus5-5.12.6-4.2.mga7.x86_64 - lib64qt5eglfsdeviceintegration5-5.12.6-4.2.mga7.x86_64 - lib64qt5eglfskmssupport5-5.12.6-4.2.mga7.x86_64 - lib64qt5gui5-5.12.6-4.2.mga7.x86_64 - lib64qt5network5-5.12.6-4.2.mga7.x86_64 - lib64qt5opengl5-5.12.6-4.2.mga7.x86_64 - lib64qt5printsupport5-5.12.6-4.2.mga7.x86_64 - lib64qt5sql5-5.12.6-4.2.mga7.x86_64 - lib64qt5test5-5.12.6-4.2.mga7.x86_64 - lib64qt5widgets5-5.12.6-4.2.mga7.x86_64 - lib64qt5xcbqpa5-5.12.6-4.2.mga7.x86_64 - lib64qt5xml5-5.12.6-4.2.mga7.x86_64 - qtbase5-common-5.12.6-4.2.mga7.x86_64
CC: (none) => fri
(In reply to Morgan Leijström from comment #16) > Updated qtbase5-common, and all lib64qt5* this system had yesterday, reboot. > Firefox got hungry: First reboot after update i had several processes named > "Web" that consumed full CPU and internet bandwidth. I have Firefox (and > some other apps) started by script, but normally Firefox consumes > comparatively very little even when hundred tabs are "open". When i shut > down Firefox also the "web" processes vanished. I could not repeat that > neither with just launching Firefox again nor full reboot. Just weird. > > Also now when running normally i have 8 processes "Web" (because 8 CPU?) all > created by Firefox, but sitting there idle. I assume it is a quirk of > firefox but did the qt5 update trig that or was it a coincidence? > > So maybe when you test this: watch CPU usage when you launch Firefox. Firefox is a GTK application and as nothing to do related to St toolkit. Perhaps Plasma-browser-integration add-on that has something with Qt/Plasma thing. Note that this add-on provides filesystem Open/Save integration and systray notifications when downloading stuff. Better, a reboot is necessary when updating such heavy under-the-hood library.
CC: (none) => ouaurelien
Package list is now: qtbase5-common-5.12.6-4.2.mga7 qtbase5-common-devel-5.12.6-4.2.mga7 qtbase5-examples-5.12.6-4.2.mga7 qtbase5-doc-5.12.6-4.2.mga7 libqt5core5-5.12.6-4.2.mga7 libqt5core-devel-5.12.6-4.2.mga7 libqt5concurrent5-5.12.6-4.2.mga7 libqt5concurrent-devel-5.12.6-4.2.mga7 libqt5dbus5-5.12.6-4.2.mga7 libqt5dbus-devel-5.12.6-4.2.mga7 libqt5eglfsdeviceintegration5-5.12.6-4.2.mga7 libqt5eglfsdeviceintegration-devel-5.12.6-4.2.mga7 libqt5eglfskmssupport5-5.12.6-4.2.mga7 libqt5eglfskmssupport-devel-5.12.6-4.2.mga7 libqt5gui5-5.12.6-4.2.mga7 libqt5gui-devel-5.12.6-4.2.mga7 libqt5network5-5.12.6-4.2.mga7 libqt5network-devel-5.12.6-4.2.mga7 libqt5opengl5-5.12.6-4.2.mga7 libqt5opengl-devel-5.12.6-4.2.mga7 libqt5platformsupport-devel-5.12.6-4.2.mga7 libqt5printsupport5-5.12.6-4.2.mga7 libqt5printsupport-devel-5.12.6-4.2.mga7 libqt5sql5-5.12.6-4.2.mga7 libqt5sql-devel-5.12.6-4.2.mga7 libqt5test5-5.12.6-4.2.mga7 libqt5test-devel-5.12.6-4.2.mga7 libqt5widgets5-5.12.6-4.2.mga7 libqt5widgets-devel-5.12.6-4.2.mga7 libqt5xcbqpa5-5.12.6-4.2.mga7 libqt5xcbqpa-devel-5.12.6-4.2.mga7 libqt5xml5-5.12.6-4.2.mga7 libqt5xml-devel-5.12.6-4.2.mga7 libqt5base5-devel-5.12.6-4.2.mga7 libqt5accessibilitysupport-static-devel-5.12.6-4.2.mga7 libqt5linuxaccessibilitysupport-static-devel-5.12.6-4.2.mga7 libqt5bootstrap-static-devel-5.12.6-4.2.mga7 libqt5devicediscoverysupport-static-devel-5.12.6-4.2.mga7 libqt5eglsupport-static-devel-5.12.6-4.2.mga7 libqt5eventdispatchersupport-static-devel-5.12.6-4.2.mga7 libqt5fbsupport-static-devel-5.12.6-4.2.mga7 libqt5fontdatabasesupport-static-devel-5.12.6-4.2.mga7 libqt5glxsupport-static-devel-5.12.6-4.2.mga7 libqt5inputsupport-static-devel-5.12.6-4.2.mga7 libqt5kmssupport-static-devel-5.12.6-4.2.mga7 libqt5platformcompositorsupport-static-devel-5.12.6-4.2.mga7 libqt5servicesupport-static-devel-5.12.6-4.2.mga7 libqt5edid-devel-5.12.6-4.2.mga7 libqt5themesupport-static-devel-5.12.6-4.2.mga7 libqt5-database-plugin-odbc-5.12.6-4.2.mga7 libqt5-database-plugin-mysql-5.12.6-4.2.mga7 libqt5-database-plugin-sqlite-5.12.6-4.2.mga7 libqt5-database-plugin-tds-5.12.6-4.2.mga7 libqt5-database-plugin-ibase-5.12.6-4.2.mga7 libqt5-database-plugin-pgsql-5.12.6-4.2.mga7 from qtbase5-5.12.6-4.2.mga7.src.rpm
Keywords: feedback => (none)
Note to new 64-bit qarepo users: You will need to copy the above list and paste it into kwrite. Use "replace" to change all instances of "libqt" to "lib64qt" then copy the result and paste it into qarepo to download all the updates into your local repository. AMD Phenom II 910, AMD HD 8490 graphics, Atheros-based wifi. There is a "print to file" option on this hardware, but there are no actual printers installed. The following packages were updated: - lib64qt5-database-plugin-ibase-5.12.6-4.2.mga7.x86_64 - lib64qt5-database-plugin-mysql-5.12.6-4.2.mga7.x86_64 - lib64qt5-database-plugin-sqlite-5.12.6-4.2.mga7.x86_64 - lib64qt5concurrent5-5.12.6-4.2.mga7.x86_64 - lib64qt5core5-5.12.6-4.2.mga7.x86_64 - lib64qt5dbus5-5.12.6-4.2.mga7.x86_64 - lib64qt5eglfsdeviceintegration5-5.12.6-4.2.mga7.x86_64 - lib64qt5eglfskmssupport5-5.12.6-4.2.mga7.x86_64 - lib64qt5gui5-5.12.6-4.2.mga7.x86_64 - lib64qt5network5-5.12.6-4.2.mga7.x86_64 - lib64qt5opengl5-5.12.6-4.2.mga7.x86_64 - lib64qt5printsupport5-5.12.6-4.2.mga7.x86_64 - lib64qt5sql5-5.12.6-4.2.mga7.x86_64 - lib64qt5test5-5.12.6-4.2.mga7.x86_64 - lib64qt5widgets5-5.12.6-4.2.mga7.x86_64 - lib64qt5xcbqpa5-5.12.6-4.2.mga7.x86_64 - lib64qt5xml5-5.12.6-4.2.mga7.x86_64 - qtbase5-common-5.12.6-4.2.mga7.x86_64 No installation issues. After a reboot, did this and that, no issues noted. Ran ksysguard while running Firefox, no unusual cpu activity. Looks OK on this system.
CC: (none) => andrewsfarm
can someone test with remote printers ?
It would be nice if someone could fix qarepo so it could handle lib lists with or without the 64.
Created attachment 12516 [details] List of installed and available packages Upgraded since 03/18. No regression found no KDE Plasma. Ulrich
CC: (none) => bequimao.de
I asked on the QA ML for someone with a remote printer to test this, but it looks like no one is going to come forward. Shall we just send it on its way, anyway?
Do we really have nobody with two Mageia systems and a CUPS-shared printer that can test this?
I have multiple Mageia systems, but I have never set them up to share a printer. In fact, while the systems all use a common wifi/router, I have never really looked into getting them to communicate with each other at all.
So what does CUPS-shared printer mean? I have an HP wifi printer with an address and a hostname known to everything on the LAN. Each machine uses CUPS and HPLIP to access the printer, which requires a housekeeping job on every new installation. It does not take long but it is a chore.
CC: (none) => tarazed25
System-config-printer or the CUPS web interface allows you to make the printer browsable by other machines on the same LAN. If it's working, those printers should automatically show up if you print from a KDE application, or LibreOffice, for instance.
You also on the printer sharing machine need to checkmark "CUPS server" on MCC -> Security -> Personal firewall You should then be able to boot another computer on a Mageia Live ISO, connect to same network, and print without configuring that printer. I believe enough of printing system is installed per default on Live... ought to be...
Does this work for a standalone wifi printer though? Mine does not "belong" to any of the PCs and sharing does not seem to work.
This has to be tested with a remote/shared on network printer. AirPrint printer are supported this way, also self-networked printer. I don't have any Mageia 7 machines on my network. Will see to boot a Live USB and update it later in the coming week.
(In reply to Aurelien Oudelet from comment #30) > This has to be tested with a remote/shared on network printer. AirPrint > printer are supported this way, also self-networked printer. > > I don't have any Mageia 7 machines on my network. > Will see to boot a Live USB and update it later in the coming week. This is OK. A persistanced USB Mageia 7.1 updated to qtbase5 from above package. M7.1 Plasma x86_64. Shared Network printers are visible and usable. AirPrint (zeroconf advertised) printers are usable. Therefore, this is OK as long as you let zeroconf slp connections in Shorewall. Give is a definitive OK. Advisory pushed. type: security subject: Updated qtbase5 packages fix security vulnerability CVE: - CVE-2020-13962 src: 7: core: - qtbase5-5.12.6-4.2.mga7 description: | QSslSocket incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications (CVE-2020-13962) This update provides additionals fixes: - Check that the sizes are even representable when checking if clipping is necessary (P300) - Multiply instead of shifting, The shift operator is undefined for negative values. (P301) - Check returns of hex2int in get_hex_rgb, Avoids undefined behavior when trying to shift negative values. (P302) - Sanitize lengthValue in CSS parser, Limit the LengthData to the integer range before rounding it, taking into account that qRound() substracts 1 from negative values. (P303) - QBezier: Don't try calculating a unit vector when length is null. It's undefined and causes a division by zero. (P304) - Avoid potential ub in corrupt bmp file. biHeight may be int_min, in which case qAbs<int>() will not work. (P305) - wasm: disable XDG_RUNTIME_DIR warning XDG is not very relevant on the Web platform. (P306) - Use SOURCE_DATE_EPOCH. Use the standard variable name in addition to the QT-specific one to make builds reproducible out-of-the-box (P308) - Fix notification of QDockWidget when it gets undocked (P309) - Synthesize Enter/LeaveEvent for accepted QTabletEvent (P310) - Fix crash when running QtCore: Stack is misaligned on x86-64 (P311) - Add support for PostgreSQL 12 (P312) - QStandardPaths: Correct handling for XDG_RUNTIME_DIR (P313) - QStandardPaths/Unix: improve the XDG_RUNTIME_DIR creation/detection (P312) - Add remote print queue support (P313) references: - https://bugs.mageia.org/show_bug.cgi?id=27218 - https://lists.opensuse.org/opensuse-security-announce/2020-09/msg00004.html - https://access.redhat.com/errata/RHSA-2020:4690
CC: (none) => sysadmin-bugsWhiteboard: (none) => MGA7-64-OKKeywords: (none) => advisory, validated_updateCVE: (none) => CVE-2020-13962
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2021-0200.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED