29014 – qt4 and qtsvg5 new security issue CVE-2021-3481

Bug 29014 - qt4 and qtsvg5 new security issue CVE-2021-3481

Summary: qt4 and qtsvg5 new security issue CVE-2021-3481

Status:	RESOLVED FIXED

Alias:	None

Product:	Mageia
Classification:	Unclassified
Component:	Security (show other bugs)
Version:	8
Hardware:	All Linux

Priority:	Normal Severity: major
Target Milestone:	---
Assignee:	QA Team
QA Contact:	Sec team

URL:
Whiteboard:	MGA7TOO MGA7-64-OK MGA8-64-OK
Keywords:	advisory, validated_update

Depends on:
Blocks:

Reported:	2021-05-29 18:40 CEST by David Walser
Modified:	2021-06-16 22:24 CEST (History)
CC List:	6 users (show)

See Also:
Source RPM:	qtsvg5-5.15.2-1.mga8.src.rpm, qt4-4.8.7-35.mga8.src.rpm
CVE:	CVE-2021-3481
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2021-05-29 18:40:10 CEST

Fedora has issued an advisory on March 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O57HZYEVZNCW5L74PDD7K44E7XZEBXRK/

The issue is fixed upstream in 5.12.11 and 5.15.4.

Mageia 7 and Mageia 8 are also affected.

David Walser 2021-05-29 18:40:25 CEST

Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 5.12.11 and 5.15.4

Comment 1 David Walser 2021-05-29 20:10:24 CEST

qt4 is also affected.

Fedora has issued an advisory for this on March 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GOBQ75US43TETW2OID6APHQRENDFK4BO/

Summary: qtsvg5 new security issue CVE-2021-3481 => qt4 and qtsvg5 new security issue CVE-2021-3481
Source RPM: qtsvg5-5.15.2-1.mga8.src.rpm => qtsvg5-5.15.2-1.mga8.src.rpm, qt4-4.8.7-36.mga9.src.rpm

Comment 2 David GEIGER 2021-06-07 12:27:54 CEST

Done for Cauldron, mga8 and mga7!

CC: (none) => geiger.david68210

Comment 3 David Walser 2021-06-09 01:50:57 CEST

RPMS:
qt4-common-4.8.7-26.3.mga7
libqtxml4-4.8.7-26.3.mga7
libqtscripttools4-4.8.7-26.3.mga7
libqtxmlpatterns4-4.8.7-26.3.mga7
libqtsql4-4.8.7-26.3.mga7
libqtnetwork4-4.8.7-26.3.mga7
libqtscript4-4.8.7-26.3.mga7
libqtgui4-4.8.7-26.3.mga7
libqtsvg4-4.8.7-26.3.mga7
libqttest4-4.8.7-26.3.mga7
libqthelp4-4.8.7-26.3.mga7
libqtclucene4-4.8.7-26.3.mga7
libqtcore4-4.8.7-26.3.mga7
libqt3support4-4.8.7-26.3.mga7
libqtopengl4-4.8.7-26.3.mga7
libqtdesigner4-4.8.7-26.3.mga7
libqtdbus4-4.8.7-26.3.mga7
libqtmultimedia4-4.8.7-26.3.mga7
qt4-qtdbus-4.8.7-26.3.mga7
libqtdeclarative4-4.8.7-26.3.mga7
qt4-qmlviewer-4.8.7-26.3.mga7
libqt4-devel-4.8.7-26.3.mga7
qt4-devel-private-4.8.7-26.3.mga7
qt4-xmlpatterns-4.8.7-26.3.mga7
qt4-qtconfig-4.8.7-26.3.mga7
qt4-doc-4.8.7-26.3.mga7
qt4-demos-4.8.7-26.3.mga7
qt4-examples-4.8.7-26.3.mga7
qt4-linguist-4.8.7-26.3.mga7
qt4-assistant-4.8.7-26.3.mga7
libqt4-database-plugin-mysql-4.8.7-26.3.mga7
libqt4-database-plugin-sqlite-4.8.7-26.3.mga7
libqt4-database-plugin-tds-4.8.7-26.3.mga7
libqt4-database-plugin-pgsql-4.8.7-26.3.mga7
qt4-graphicssystems-plugin-4.8.7-26.3.mga7
qt4-accessibility-plugin-4.8.7-26.3.mga7
qt4-designer-4.8.7-26.3.mga7
qt4-designer-plugin-webkit-4.8.7-26.3.mga7
qt4-designer-plugin-qt3support-4.8.7-26.3.mga7
qt4-qvfb-4.8.7-26.3.mga7
qt4-qdoc3-4.8.7-26.3.mga7
qtsvg5-5.12.6-1.1.mga7
qtsvg5-doc-5.12.6-1.1.mga7
libqt5svg5-5.12.6-1.1.mga7
libqt5svg-devel-5.12.6-1.1.mga7
qt4-common-4.8.7-35.1.mga8
qt4-examples-4.8.7-35.1.mga8
libqt4-devel-4.8.7-35.1.mga8
qt4-doc-4.8.7-35.1.mga8
qt4-demos-4.8.7-35.1.mga8
libqtgui4-4.8.7-35.1.mga8
libqtdesigner4-4.8.7-35.1.mga8
qt4-devel-private-4.8.7-35.1.mga8
libqtdeclarative4-4.8.7-35.1.mga8
libqtxmlpatterns4-4.8.7-35.1.mga8
libqtcore4-4.8.7-35.1.mga8
libqt3support4-4.8.7-35.1.mga8
qt4-qvfb-4.8.7-35.1.mga8
libqtscript4-4.8.7-35.1.mga8
qt4-linguist-4.8.7-35.1.mga8
qt4-designer-4.8.7-35.1.mga8
qt4-assistant-4.8.7-35.1.mga8
qt4-qdoc3-4.8.7-35.1.mga8
qt4-qmlviewer-4.8.7-35.1.mga8
libqtnetwork4-4.8.7-35.1.mga8
libqtclucene4-4.8.7-35.1.mga8
libqtopengl4-4.8.7-35.1.mga8
libqtscripttools4-4.8.7-35.1.mga8
libqtdbus4-4.8.7-35.1.mga8
libqthelp4-4.8.7-35.1.mga8
qt4-qtconfig-4.8.7-35.1.mga8
qt4-accessibility-plugin-4.8.7-35.1.mga8
libqtsvg4-4.8.7-35.1.mga8
libqtxml4-4.8.7-35.1.mga8
qt4-designer-plugin-qt3support-4.8.7-35.1.mga8
libqtsql4-4.8.7-35.1.mga8
libqttest4-4.8.7-35.1.mga8
qt4-qtdbus-4.8.7-35.1.mga8
libqtmultimedia4-4.8.7-35.1.mga8
libqt4-database-plugin-pgsql-4.8.7-35.1.mga8
libqt4-database-plugin-mysql-4.8.7-35.1.mga8
qt4-xmlpatterns-4.8.7-35.1.mga8
libqt4-database-plugin-tds-4.8.7-35.1.mga8
libqt4-database-plugin-sqlite-4.8.7-35.1.mga8
qt4-graphicssystems-plugin-4.8.7-35.1.mga8
qtsvg5-5.15.2-1.1.mga8
qtsvg5-doc-5.15.2-1.1.mga8
libqt5svg5-5.15.2-1.1.mga8
libqt5svg-devel-5.15.2-1.1.mga8

from SRPMS:
qt4-4.8.7-26.3.mga7.src.rpm
qtsvg5-5.12.6-1.1.mga7.src.rpm
qt4-4.8.7-35.1.mga8.src.rpm
qtsvg5-5.15.2-1.1.mga8.src.rpm

Version: Cauldron => 8
Assignee: kde => qa-bugs
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status comment: Fixed upstream in 5.12.11 and 5.15.4 => (none)

Comment 4 Brian Rockwell 2021-06-10 17:59:23 CEST

MGA7 - 64, Plasma

Installed QT4-Common - since that is the only object installed

Nothing failing yet.

CC: (none) => brtians1

Comment 5 Morgan Leijström 2021-06-10 21:06:50 CEST

mga8 -64, plasma, nvidia-current, kernel desktop 5.12.8
Updated all relevant packages, quite a few here.
Almost everything else from testing installed too.
No added problem noted while using nor in journal.

CC: (none) => fri

Comment 6 Herman Viaene 2021-06-15 22:35:30 CEST

MGA7-64 Plasma on Lenovo B50
No installation issues.
# urpmq --whatrequires lib64qt5svg5
listed loads of packages
Tried marble and ksudoku : work OK
No other immediate ill effects.

CC: (none) => herman.viaene

Comment 7 Aurelien Oudelet 2021-06-15 22:57:20 CEST

Advisory:
========================

Updated qt4 and qtsvg5 packages fix a security vulnerability:

An out of bounds read in function QRadialFetchSimd from crafted svg file may
lead to information disclosure or other potential consequences. This update
includes the backported upstream fix and should resolve the security issue (CVE-2021-3481).

References:
 - https://bugs.mageia.org/show_bug.cgi?id=29014
 - https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3481
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O57HZYEVZNCW5L74PDD7K44E7XZEBXRK/
 - https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GOBQ75US43TETW2OID6APHQRENDFK4BO/
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)qt3support4-4.8.7-26.3.mga7
lib(64)qt4-database-plugin-mysql-4.8.7-26.3.mga7
lib(64)qt4-database-plugin-pgsql-4.8.7-26.3.mga7
lib(64)qt4-database-plugin-sqlite-4.8.7-26.3.mga7
lib(64)qt4-database-plugin-tds-4.8.7-26.3.mga7
lib(64)qt4-devel-4.8.7-26.3.mga7
lib(64)qt5svg-devel-5.12.6-1.1.mga7
lib(64)qt5svg5-5.12.6-1.1.mga7
lib(64)qtclucene4-4.8.7-26.3.mga7
lib(64)qtcore4-4.8.7-26.3.mga7
lib(64)qtdbus4-4.8.7-26.3.mga7
lib(64)qtdeclarative4-4.8.7-26.3.mga7
lib(64)qtdesigner4-4.8.7-26.3.mga7
lib(64)qtgui4-4.8.7-26.3.mga7
lib(64)qthelp4-4.8.7-26.3.mga7
lib(64)qtmultimedia4-4.8.7-26.3.mga7
lib(64)qtnetwork4-4.8.7-26.3.mga7
lib(64)qtopengl4-4.8.7-26.3.mga7
lib(64)qtscript4-4.8.7-26.3.mga7
lib(64)qtscripttools4-4.8.7-26.3.mga7
lib(64)qtsql4-4.8.7-26.3.mga7
lib(64)qtsvg4-4.8.7-26.3.mga7
lib(64)qttest4-4.8.7-26.3.mga7
lib(64)qtxml4-4.8.7-26.3.mga7
lib(64)qtxmlpatterns4-4.8.7-26.3.mga7
qt4-accessibility-plugin-4.8.7-26.3.mga7
qt4-assistant-4.8.7-26.3.mga7
qt4-common-4.8.7-26.3.mga7
qt4-demos-4.8.7-26.3.mga7
qt4-designer-4.8.7-26.3.mga7
qt4-designer-plugin-qt3support-4.8.7-26.3.mga7
qt4-designer-plugin-webkit-4.8.7-26.3.mga7
qt4-devel-private-4.8.7-26.3.mga7
qt4-doc-4.8.7-26.3.mga7
qt4-examples-4.8.7-26.3.mga7
qt4-graphicssystems-plugin-4.8.7-26.3.mga7
qt4-linguist-4.8.7-26.3.mga7
qt4-qdoc3-4.8.7-26.3.mga7
qt4-qmlviewer-4.8.7-26.3.mga7
qt4-qtconfig-4.8.7-26.3.mga7
qt4-qtdbus-4.8.7-26.3.mga7
qt4-qvfb-4.8.7-26.3.mga7
qt4-xmlpatterns-4.8.7-26.3.mga7
qtsvg5-5.12.6-1.1.mga7
qtsvg5-doc-5.12.6-1.1.mga7

from SRPMs:
qt4-4.8.7-26.3.mga7.src.rpm
qtsvg5-5.12.6-1.1.mga7.src.rpm

========================

Updated packages in 8/core/updates_testing:
========================
lib(64)qt3support4-4.8.7-35.1.mga8
lib(64)qt4-database-plugin-mysql-4.8.7-35.1.mga8
lib(64)qt4-database-plugin-pgsql-4.8.7-35.1.mga8
lib(64)qt4-database-plugin-sqlite-4.8.7-35.1.mga8
lib(64)qt4-database-plugin-tds-4.8.7-35.1.mga8
lib(64)qt4-devel-4.8.7-35.1.mga8
lib(64)qt5svg-devel-5.15.2-1.1.mga8
lib(64)qt5svg5-5.15.2-1.1.mga8
lib(64)qtclucene4-4.8.7-35.1.mga8
lib(64)qtcore4-4.8.7-35.1.mga8
lib(64)qtdbus4-4.8.7-35.1.mga8
lib(64)qtdeclarative4-4.8.7-35.1.mga8
lib(64)qtdesigner4-4.8.7-35.1.mga8
lib(64)qtgui4-4.8.7-35.1.mga8
lib(64)qthelp4-4.8.7-35.1.mga8
lib(64)qtmultimedia4-4.8.7-35.1.mga8
lib(64)qtnetwork4-4.8.7-35.1.mga8
lib(64)qtopengl4-4.8.7-35.1.mga8
lib(64)qtscript4-4.8.7-35.1.mga8
lib(64)qtscripttools4-4.8.7-35.1.mga8
lib(64)qtsql4-4.8.7-35.1.mga8
lib(64)qtsvg4-4.8.7-35.1.mga8
lib(64)qttest4-4.8.7-35.1.mga8
lib(64)qtxml4-4.8.7-35.1.mga8
lib(64)qtxmlpatterns4-4.8.7-35.1.mga8
qt4-accessibility-plugin-4.8.7-35.1.mga8
qt4-assistant-4.8.7-35.1.mga8
qt4-common-4.8.7-35.1.mga8
qt4-demos-4.8.7-35.1.mga8
qt4-designer-4.8.7-35.1.mga8
qt4-designer-plugin-qt3support-4.8.7-35.1.mga8
qt4-devel-private-4.8.7-35.1.mga8
qt4-doc-4.8.7-35.1.mga8
qt4-examples-4.8.7-35.1.mga8
qt4-graphicssystems-plugin-4.8.7-35.1.mga8
qt4-linguist-4.8.7-35.1.mga8
qt4-qdoc3-4.8.7-35.1.mga8
qt4-qmlviewer-4.8.7-35.1.mga8
qt4-qtconfig-4.8.7-35.1.mga8
qt4-qtdbus-4.8.7-35.1.mga8
qt4-qvfb-4.8.7-35.1.mga8
qt4-xmlpatterns-4.8.7-35.1.mga8
qtsvg5-5.15.2-1.1.mga8
qtsvg5-doc-5.15.2-1.1.mga8

from SRPMs:
qt4-4.8.7-35.1.mga8.src.rpm
qtsvg5-5.15.2-1.1.mga8.src.rpm
========================

CC: (none) => ouaurelien

Comment 8 Aurelien Oudelet 2021-06-15 23:06:06 CEST

MGA8 64 Plasma

Testing this since day one.
No issue.
No complain under journal.

Added upstream bug in adv:
https://bugreports.qt.io/browse/QTBUG-91507

The patch contains the appropriate fix.

Validating.

Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => sysadmin-bugs
CVE: (none) => CVE-2021-3481
Source RPM: qtsvg5-5.15.2-1.mga8.src.rpm, qt4-4.8.7-36.mga9.src.rpm => qtsvg5-5.15.2-1.mga8.src.rpm, qt4-4.8.7-35.mga8.src.rpm
Keywords: (none) => advisory, validated_update

Comment 9 Mageia Robot 2021-06-16 22:24:09 CEST

An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0262.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Note You need to log in before you can comment on or make changes to this bug.