Fedora has issued an advisory on March 17:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O57HZYEVZNCW5L74PDD7K44E7XZEBXRK/

The issue is fixed upstream in 5.12.11 and 5.15.4.

Mageia 7 and Mageia 8 are also affected.
Whiteboard: (none) => MGA8TOO, MGA7TOO
Status comment: (none) => Fixed upstream in 5.12.11 and 5.15.4
qt4 is also affected. Fedora has issued an advisory for this on March 25:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GOBQ75US43TETW2OID6APHQRENDFK4BO/
Summary: qtsvg5 new security issue CVE-2021-3481 => qt4 and qtsvg5 new security issue CVE-2021-3481
Source RPM: qtsvg5-5.15.2-1.mga8.src.rpm => qtsvg5-5.15.2-1.mga8.src.rpm, qt4-4.8.7-36.mga9.src.rpm
Done for Cauldron, mga8 and mga7!
CC: (none) => geiger.david68210
RPMS: qt4-common-4.8.7-26.3.mga7 libqtxml4-4.8.7-26.3.mga7 libqtscripttools4-4.8.7-26.3.mga7 libqtxmlpatterns4-4.8.7-26.3.mga7 libqtsql4-4.8.7-26.3.mga7 libqtnetwork4-4.8.7-26.3.mga7 libqtscript4-4.8.7-26.3.mga7 libqtgui4-4.8.7-26.3.mga7 libqtsvg4-4.8.7-26.3.mga7 libqttest4-4.8.7-26.3.mga7 libqthelp4-4.8.7-26.3.mga7 libqtclucene4-4.8.7-26.3.mga7 libqtcore4-4.8.7-26.3.mga7 libqt3support4-4.8.7-26.3.mga7 libqtopengl4-4.8.7-26.3.mga7 libqtdesigner4-4.8.7-26.3.mga7 libqtdbus4-4.8.7-26.3.mga7 libqtmultimedia4-4.8.7-26.3.mga7 qt4-qtdbus-4.8.7-26.3.mga7 libqtdeclarative4-4.8.7-26.3.mga7 qt4-qmlviewer-4.8.7-26.3.mga7 libqt4-devel-4.8.7-26.3.mga7 qt4-devel-private-4.8.7-26.3.mga7 qt4-xmlpatterns-4.8.7-26.3.mga7 qt4-qtconfig-4.8.7-26.3.mga7 qt4-doc-4.8.7-26.3.mga7 qt4-demos-4.8.7-26.3.mga7 qt4-examples-4.8.7-26.3.mga7 qt4-linguist-4.8.7-26.3.mga7 qt4-assistant-4.8.7-26.3.mga7 libqt4-database-plugin-mysql-4.8.7-26.3.mga7 libqt4-database-plugin-sqlite-4.8.7-26.3.mga7 libqt4-database-plugin-tds-4.8.7-26.3.mga7 libqt4-database-plugin-pgsql-4.8.7-26.3.mga7 qt4-graphicssystems-plugin-4.8.7-26.3.mga7 qt4-accessibility-plugin-4.8.7-26.3.mga7 qt4-designer-4.8.7-26.3.mga7 qt4-designer-plugin-webkit-4.8.7-26.3.mga7 qt4-designer-plugin-qt3support-4.8.7-26.3.mga7 qt4-qvfb-4.8.7-26.3.mga7 qt4-qdoc3-4.8.7-26.3.mga7 qtsvg5-5.12.6-1.1.mga7 qtsvg5-doc-5.12.6-1.1.mga7 libqt5svg5-5.12.6-1.1.mga7 libqt5svg-devel-5.12.6-1.1.mga7 qt4-common-4.8.7-35.1.mga8 qt4-examples-4.8.7-35.1.mga8 libqt4-devel-4.8.7-35.1.mga8 qt4-doc-4.8.7-35.1.mga8 qt4-demos-4.8.7-35.1.mga8 libqtgui4-4.8.7-35.1.mga8 libqtdesigner4-4.8.7-35.1.mga8 qt4-devel-private-4.8.7-35.1.mga8 libqtdeclarative4-4.8.7-35.1.mga8 libqtxmlpatterns4-4.8.7-35.1.mga8 libqtcore4-4.8.7-35.1.mga8 libqt3support4-4.8.7-35.1.mga8 qt4-qvfb-4.8.7-35.1.mga8 libqtscript4-4.8.7-35.1.mga8 qt4-linguist-4.8.7-35.1.mga8 qt4-designer-4.8.7-35.1.mga8 qt4-assistant-4.8.7-35.1.mga8 qt4-qdoc3-4.8.7-35.1.mga8 qt4-qmlviewer-4.8.7-35.1.mga8 
libqtnetwork4-4.8.7-35.1.mga8 libqtclucene4-4.8.7-35.1.mga8 libqtopengl4-4.8.7-35.1.mga8 libqtscripttools4-4.8.7-35.1.mga8 libqtdbus4-4.8.7-35.1.mga8 libqthelp4-4.8.7-35.1.mga8 qt4-qtconfig-4.8.7-35.1.mga8 qt4-accessibility-plugin-4.8.7-35.1.mga8 libqtsvg4-4.8.7-35.1.mga8 libqtxml4-4.8.7-35.1.mga8 qt4-designer-plugin-qt3support-4.8.7-35.1.mga8 libqtsql4-4.8.7-35.1.mga8 libqttest4-4.8.7-35.1.mga8 qt4-qtdbus-4.8.7-35.1.mga8 libqtmultimedia4-4.8.7-35.1.mga8 libqt4-database-plugin-pgsql-4.8.7-35.1.mga8 libqt4-database-plugin-mysql-4.8.7-35.1.mga8 qt4-xmlpatterns-4.8.7-35.1.mga8 libqt4-database-plugin-tds-4.8.7-35.1.mga8 libqt4-database-plugin-sqlite-4.8.7-35.1.mga8 qt4-graphicssystems-plugin-4.8.7-35.1.mga8 qtsvg5-5.15.2-1.1.mga8 qtsvg5-doc-5.15.2-1.1.mga8 libqt5svg5-5.15.2-1.1.mga8 libqt5svg-devel-5.15.2-1.1.mga8 from SRPMS: qt4-4.8.7-26.3.mga7.src.rpm qtsvg5-5.12.6-1.1.mga7.src.rpm qt4-4.8.7-35.1.mga8.src.rpm qtsvg5-5.15.2-1.1.mga8.src.rpm
Version: Cauldron => 8
Assignee: kde => qa-bugs
Whiteboard: MGA8TOO, MGA7TOO => MGA7TOO
Status comment: Fixed upstream in 5.12.11 and 5.15.4 => (none)
MGA7 - 64, Plasma

Installed QT4-Common - since that is the only object installed

Nothing failing yet.
CC: (none) => brtians1
mga8 -64, plasma, nvidia-current, kernel desktop 5.12.8

Updated all relevant packages, quite a few here. Almost everything else from testing installed too.

No added problem noted while using nor in journal.
CC: (none) => fri
MGA7-64 Plasma on Lenovo B50

No installation issues.

# urpmq --whatrequires lib64qt5svg5
listed loads of packages

Tried marble and ksudoku : work OK

No other immediate ill effects.
CC: (none) => herman.viaene
Advisory:
========================

Updated qt4 and qtsvg5 packages fix a security vulnerability:

An out of bounds read in function QRadialFetchSimd from crafted svg file may lead to information disclosure or other potential consequences. This update includes the backported upstream fix and should resolve the security issue (CVE-2021-3481).

References:
- https://bugs.mageia.org/show_bug.cgi?id=29014
- https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-3481
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/O57HZYEVZNCW5L74PDD7K44E7XZEBXRK/
- https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/GOBQ75US43TETW2OID6APHQRENDFK4BO/
========================

Updated packages in 7/core/updates_testing:
========================
lib(64)qt3support4-4.8.7-26.3.mga7 lib(64)qt4-database-plugin-mysql-4.8.7-26.3.mga7 lib(64)qt4-database-plugin-pgsql-4.8.7-26.3.mga7 lib(64)qt4-database-plugin-sqlite-4.8.7-26.3.mga7 lib(64)qt4-database-plugin-tds-4.8.7-26.3.mga7 lib(64)qt4-devel-4.8.7-26.3.mga7 lib(64)qt5svg-devel-5.12.6-1.1.mga7 lib(64)qt5svg5-5.12.6-1.1.mga7 lib(64)qtclucene4-4.8.7-26.3.mga7 lib(64)qtcore4-4.8.7-26.3.mga7 lib(64)qtdbus4-4.8.7-26.3.mga7 lib(64)qtdeclarative4-4.8.7-26.3.mga7 lib(64)qtdesigner4-4.8.7-26.3.mga7 lib(64)qtgui4-4.8.7-26.3.mga7 lib(64)qthelp4-4.8.7-26.3.mga7 lib(64)qtmultimedia4-4.8.7-26.3.mga7 lib(64)qtnetwork4-4.8.7-26.3.mga7 lib(64)qtopengl4-4.8.7-26.3.mga7 lib(64)qtscript4-4.8.7-26.3.mga7 lib(64)qtscripttools4-4.8.7-26.3.mga7 lib(64)qtsql4-4.8.7-26.3.mga7 lib(64)qtsvg4-4.8.7-26.3.mga7 lib(64)qttest4-4.8.7-26.3.mga7 lib(64)qtxml4-4.8.7-26.3.mga7 lib(64)qtxmlpatterns4-4.8.7-26.3.mga7 qt4-accessibility-plugin-4.8.7-26.3.mga7 qt4-assistant-4.8.7-26.3.mga7 qt4-common-4.8.7-26.3.mga7 qt4-demos-4.8.7-26.3.mga7 qt4-designer-4.8.7-26.3.mga7 qt4-designer-plugin-qt3support-4.8.7-26.3.mga7 qt4-designer-plugin-webkit-4.8.7-26.3.mga7 qt4-devel-private-4.8.7-26.3.mga7 qt4-doc-4.8.7-26.3.mga7 qt4-examples-4.8.7-26.3.mga7 qt4-graphicssystems-plugin-4.8.7-26.3.mga7 qt4-linguist-4.8.7-26.3.mga7 qt4-qdoc3-4.8.7-26.3.mga7 qt4-qmlviewer-4.8.7-26.3.mga7 qt4-qtconfig-4.8.7-26.3.mga7 qt4-qtdbus-4.8.7-26.3.mga7 qt4-qvfb-4.8.7-26.3.mga7 qt4-xmlpatterns-4.8.7-26.3.mga7 qtsvg5-5.12.6-1.1.mga7 qtsvg5-doc-5.12.6-1.1.mga7

from SRPMs:
qt4-4.8.7-26.3.mga7.src.rpm qtsvg5-5.12.6-1.1.mga7.src.rpm
========================

Updated packages in 8/core/updates_testing:
========================
lib(64)qt3support4-4.8.7-35.1.mga8 lib(64)qt4-database-plugin-mysql-4.8.7-35.1.mga8 lib(64)qt4-database-plugin-pgsql-4.8.7-35.1.mga8 lib(64)qt4-database-plugin-sqlite-4.8.7-35.1.mga8 lib(64)qt4-database-plugin-tds-4.8.7-35.1.mga8 lib(64)qt4-devel-4.8.7-35.1.mga8 lib(64)qt5svg-devel-5.15.2-1.1.mga8 lib(64)qt5svg5-5.15.2-1.1.mga8 lib(64)qtclucene4-4.8.7-35.1.mga8 lib(64)qtcore4-4.8.7-35.1.mga8 lib(64)qtdbus4-4.8.7-35.1.mga8 lib(64)qtdeclarative4-4.8.7-35.1.mga8 lib(64)qtdesigner4-4.8.7-35.1.mga8 lib(64)qtgui4-4.8.7-35.1.mga8 lib(64)qthelp4-4.8.7-35.1.mga8 lib(64)qtmultimedia4-4.8.7-35.1.mga8 lib(64)qtnetwork4-4.8.7-35.1.mga8 lib(64)qtopengl4-4.8.7-35.1.mga8 lib(64)qtscript4-4.8.7-35.1.mga8 lib(64)qtscripttools4-4.8.7-35.1.mga8 lib(64)qtsql4-4.8.7-35.1.mga8 lib(64)qtsvg4-4.8.7-35.1.mga8 lib(64)qttest4-4.8.7-35.1.mga8 lib(64)qtxml4-4.8.7-35.1.mga8 lib(64)qtxmlpatterns4-4.8.7-35.1.mga8 qt4-accessibility-plugin-4.8.7-35.1.mga8 qt4-assistant-4.8.7-35.1.mga8 qt4-common-4.8.7-35.1.mga8 qt4-demos-4.8.7-35.1.mga8 qt4-designer-4.8.7-35.1.mga8 qt4-designer-plugin-qt3support-4.8.7-35.1.mga8 qt4-devel-private-4.8.7-35.1.mga8 qt4-doc-4.8.7-35.1.mga8 qt4-examples-4.8.7-35.1.mga8 qt4-graphicssystems-plugin-4.8.7-35.1.mga8 qt4-linguist-4.8.7-35.1.mga8 qt4-qdoc3-4.8.7-35.1.mga8 qt4-qmlviewer-4.8.7-35.1.mga8 qt4-qtconfig-4.8.7-35.1.mga8 qt4-qtdbus-4.8.7-35.1.mga8 qt4-qvfb-4.8.7-35.1.mga8 qt4-xmlpatterns-4.8.7-35.1.mga8 qtsvg5-5.15.2-1.1.mga8 qtsvg5-doc-5.15.2-1.1.mga8

from SRPMs:
qt4-4.8.7-35.1.mga8.src.rpm qtsvg5-5.15.2-1.1.mga8.src.rpm
========================
CC: (none) => ouaurelien
MGA8 64 Plasma

Testing this since day one. No issue. No complaints in the journal.

Added upstream bug in adv: https://bugreports.qt.io/browse/QTBUG-91507

The patch contains the appropriate fix.

Validating.
Whiteboard: MGA7TOO => MGA7TOO MGA7-64-OK MGA8-64-OK
CC: (none) => sysadmin-bugs
CVE: (none) => CVE-2021-3481
Source RPM: qtsvg5-5.15.2-1.mga8.src.rpm, qt4-4.8.7-36.mga9.src.rpm => qtsvg5-5.15.2-1.mga8.src.rpm, qt4-4.8.7-35.mga8.src.rpm
Keywords: (none) => advisory, validated_update
An update for this issue has been pushed to the Mageia Updates repository.
https://advisories.mageia.org/MGASA-2021-0262.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED