Ubuntu has issued an advisory on January 19:
https://ubuntu.com/security/notices/USN-5241-1

Mageia 8 is also affected.
Whiteboard: (none) => MGA8TOO
Fedora has issued an advisory for this today (January 21): https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/V75XNX4GDB64N5BSOAN474RUXXS5OHRU/
Status comment: (none) => Patch available from Fedora
This also affects qt4; Debian-LTS advisory from January 24: https://www.debian.org/lts/security/2022/dla-2895
Summary: qtsvg5 new security issue CVE-2021-45930 => qt4 and qtsvg5 new security issue CVE-2021-45930
Status comment: Patch available from Fedora => Patches available from Fedora and Debian
As of "Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1"

It is fixed on cauldron for qtsvg5 and qtsvg6!

And also now fixed for mga8 with qtsvg5-5.15.2-1.3.mga8:

Package in 8/Core/Updates_testing:
=====================
qtsvg5-5.15.2-1.3.mga8
lib64qt5svg-devel-5.15.2-1.3.mga8
lib64qt5svg5-5.15.2-1.3.mga8
libqt5svg-devel-5.15.2-1.3.mga8
libqt5svg5-5.15.2-1.3.mga8
qtsvg5-doc-5.15.2-1.3.mga8.noarch.rpm

From SRPMS:
qtsvg5-5.15.2-1.3.mga8.src.rpm
CC: (none) => geiger.david68210
And now fixed for qt4:

Packages in 9/Core/Updates_testing:
======================
qt4-qmlviewer-4.8.7-45.mga9
qt4-common-4.8.7-45.mga9
qt4-graphicssystems-plugin-4.8.7-45.mga9
libqtmultimedia4-4.8.7-45.mga9
libqtdesigner4-4.8.7-45.mga9
lib64qtmultimedia4-4.8.7-45.mga9
lib64qtdesigner4-4.8.7-45.mga9
qt4-accessibility-plugin-4.8.7-45.mga9
qt4-qtconfig-4.8.7-45.mga9
libqt3support4-4.8.7-45.mga9
libqt4-database-plugin-tds-4.8.7-45.mga9
libqtxmlpatterns4-4.8.7-45.mga9
lib64qt3support4-4.8.7-45.mga9
lib64qt4-database-plugin-tds-4.8.7-45.mga9
lib64qtxmlpatterns4-4.8.7-45.mga9
qt4-designer-4.8.7-45.mga9
qt4-qdoc3-4.8.7-45.mga9
qt4-linguist-4.8.7-45.mga9
libqtscript4-4.8.7-45.mga9
libqthelp4-4.8.7-45.mga9
lib64qtscript4-4.8.7-45.mga9
lib64qthelp4-4.8.7-45.mga9
qt4-demos-4.8.7-45.mga9
libqt4-devel-4.8.7-45.mga9
lib64qt4-devel-4.8.7-45.mga9
qt4-examples-4.8.7-45.mga9
libqt4-database-plugin-sqlite-4.8.7-45.mga9
libqt4-database-plugin-pgsql-4.8.7-45.mga9
libqtxml4-4.8.7-45.mga9
libqtclucene4-4.8.7-45.mga9
lib64qt4-database-plugin-sqlite-4.8.7-45.mga9
lib64qt4-database-plugin-pgsql-4.8.7-45.mga9
lib64qtxml4-4.8.7-45.mga9
lib64qtclucene4-4.8.7-45.mga9
qt4-designer-plugin-qt3support-4.8.7-45.mga9
libqtgui4-4.8.7-45.mga9
lib64qtgui4-4.8.7-45.mga9
qt4-qtdbus-4.8.7-45.mga9
libqtsvg4-4.8.7-45.mga9
libqtcore4-4.8.7-45.mga9
libqtscripttools4-4.8.7-45.mga9
lib64qtsvg4-4.8.7-45.mga9
lib64qtcore4-4.8.7-45.mga9
lib64qtscripttools4-4.8.7-45.mga9
qt4-qvfb-4.8.7-45.mga9
lib64qtsql4-4.8.7-45.mga9
qt4-assistant-4.8.7-45.mga9
libqtdbus4-4.8.7-45.mga9
libqtopengl4-4.8.7-45.mga9
libqtdeclarative4-4.8.7-45.mga9
libqttest4-4.8.7-45.mga9
libqt4-database-plugin-mysql-4.8.7-45.mga9
libqtnetwork4-4.8.7-45.mga9
lib64qtdbus4-4.8.7-45.mga9
lib64qtopengl4-4.8.7-45.mga9
lib64qtdeclarative4-4.8.7-45.mga9
lib64qttest4-4.8.7-45.mga9
lib64qt4-database-plugin-mysql-4.8.7-45.mga9
lib64qtnetwork4-4.8.7-45.mga9
qt4-xmlpatterns-4.8.7-45.mga9
qt4-doc-4.8.7-45.mga9.noarch.rpm
qt4-devel-private-4.8.7-45.mga9.noarch.rpm

Packages in 8/Core/Updates_testing:
======================
qt4-qmlviewer-4.8.7-35.3.mga8
qt4-common-4.8.7-35.3.mga8
qt4-graphicssystems-plugin-4.8.7-35.mga8
libqtmultimedia4-4.8.7-35.3.mga8
ibqtdesigner4-4.8.7-35.3.mga8
lib64qtmultimedia4-4.8.7-35.3.mga8
lib64qtdesigner4-4.8.7-35.3.mga8
qt4-accessibility-plugin-4.8.7-35.3.mga8
qt4-qtconfig-4.8.7-35.3.mga8
libqt3support4-4.8.7-35.3.mga8
libqt4-database-plugin-tds-4.8.7-35.3.mga8
libqtxmlpatterns4-4.8.7-35.3.mga8
lib64qt3support4-4.8.7-35.3.mga8
lib64qt4-database-plugin-tds-4.8.7-35.3.mga8
lib64qtxmlpatterns4-4.8.7-35.3.mga8
qt4-designer-4.8.7-35.3.mga8
qt4-qdoc3-4.8.7-35.3.mga8
qt4-linguist-4.8.7-35.3.mga8
libqtscript4-4.8.7-35.3.mga8
libqthelp4-4.8.7-35.3.mga8
lib64qtscript4-4.8.7-35.3.mga8
lib64qthelp4-4.8.7-35.3.mga8
qt4-demos-4.8.7-35.3.mga8
libqt4-devel-4.8.7-35.3.mga8
lib64qt4-devel-4.8.7-35.3.mga8
qt4-examples-4.8.7-35.3.mga8
libqt4-database-plugin-sqlite-4.8.7-35.3.mga8
libqt4-database-plugin-pgsql-4.8.7-35.3.mga8
libqtxml4-4.8.7-35.3.mga8
libqtclucene4-4.8.7-35.3.mga8
lib64qt4-database-plugin-sqlite-4.8.7-35.3.mga8
lib64qt4-database-plugin-pgsql-4.8.7-35.3.mga8
lib64qtxml4-4.8.7-35.3.mga8
lib64qtclucene4-4.8.7-35.3.mga8
qt4-designer-plugin-qt3support-4.8.7-35.3.mga8
libqtgui4-4.8.7-35.3.mga8
lib64qtgui4-4.8.7-35.3.mga8
qt4-qtdbus-4.8.7-35.3.mga8
libqtsvg4-4.8.7-35.3.mga8
libqtcore4-4.8.7-35.3.mga8
libqtscripttools4-4.8.7-35.3.mga8
lib64qtsvg4-4.8.7-35.3.mga8
lib64qtcore4-4.8.7-35.3.mga8
lib64qtscripttools4-4.8.7-35.3.mga8
qt4-qvfb-4.8.7-35.3.mga8
lib64qtsql4-4.8.7-35.3.mga8
qt4-assistant-4.8.7-35.3.mga8
libqtdbus4-4.8.7-35.3.mga8
libqtopengl4-4.8.7-35.3.mga8
libqtdeclarative4-4.8.7-35.3.mga8
libqttest4-4.8.7-35.3.mga8
libqt4-database-plugin-mysql-4.8.7-35.3.mga8
libqtnetwork4-4.8.7-35.3.mga8
lib64qtdbus4-4.8.7-35.3.mga8
lib64qtopengl4-4.8.7-35.3.mga8
lib64qtdeclarative4-4.8.7-35.3.mga8
lib64qttest4-4.8.7-35.3.mga8
lib64qt4-database-plugin-mysql-4.8.7-35.3.mga8
lib64qtnetwork4-4.8.7-35.3.mga8
qt4-xmlpatterns-4.8.7-35.3.mga8
qt4-doc-4.8.7-35.3.mga8.noarch.rpm
qt4-devel-private-4.8.7-35.3.mga8.noarch.rpm

From SRPMS:
qt4-4.8.7-45.mga9.src.rpm
qt4-4.8.7-35.3.mga8.src.rpm
Depends on: (none) => 31950
Assigning to QA.
Assignee: kde => qa-bugs
To be (hopefully) clear, qt4, qtsvg5, and qtsvg6 are fixing both CVE-2021-45390 and CVE-2023-32573. All three SRPMS are in Cauldron, and the first two are in Mageia 8.
Status comment: Patches available from Fedora and Debian => (none)
Fixed now for cauldron after packages moving!
Version: Cauldron => 8
Whiteboard: MGA8TOO => (none)
Mageia8, x86_64

Installed all the Core packages and explored demos using qtdemo and Qt Assistant.

Tried to update and hit this:
qt4-graphicssystems-plugin-4.8.7-35.mga8 not found in the remote repository
llib64qtmultimedia4-4.8.7-35.3.mga8 not found in the remote repository
CC: (none) => tarazed25
Correction - spelling mistake in my list. The problem reduces to
qt4-graphicssystems-plugin-4.8.7-35.mga8 not found in the remote repository

Note also the missing leading 'l' for ibqtdesigner4-4.8.7-35.3.mga8 in comment 4, which does not affect the 64-bit test.
Using "qt4-graph*" in qarepo comes up with this:
qt4-graphicssystems-plugin-4.8.7-35.3.mga8.x86_64.rpm

Note the ".3" at the end of the version number is missing from the spelling in the list of comment 4.
CC: (none) => andrewsfarm
Well spotted that man! Tried again and came up with another error. Got a little further after the error had been corrected and hit another. With a list like this it is understandable that spelling mistakes would creep in. Going to try your fuzzy approach TJ.
This is the list as it stands:
qt4-qmlviewer-4.8.7-35.3.mga8
qt4-common-4.8.7-35.3.mga8
qt4-graphicssystems-plugin-4.8.7-35.3.mga8
llib64qt3multimedia4-4.8.7-35.3.mga8
lib64qtdesigner4-4.8.7-35.3.mga8
qt4-accessibility-plugin-4.8.7-35.3.mga8
qt4-qtconfig-4.8.7-35.3.mga8
lib64qt3support4-4.8.7-35.3.mga8
lib64qt4-database-plugin-tds-4.8.7-35.3.mga8
lib64qtxmlpatterns4-4.8.7-35.3.mga8
qt4-designer-4.8.7-35.3.mga8
qt4-qdoc3-4.8.7-35.3.mga8
qt4-linguist-4.8.7-35.3.mga8
lib64qtscript4-4.8.7-35.3.mga8
lib64qthelp4-4.8.7-35.3.mga8
qt4-demos-4.8.7-35.3.mga8
lib64qt4-devel-4.8.7-35.3.mga8
qt4-examples-4.8.7-35.3.mga8
lib64qt4-database-plugin-sqlite-4.8.7-35.3.mga8
lib64qt4-database-plugin-pgsql-4.8.7-35.3.mga8
lib64qtxml4-4.8.7-35.3.mga8
lib64qtclucene4-4.8.7-35.3.mga8
qt4-designer-plugin-qt3support-4.8.7-35.3.mga8
lib64qtgui4-4.8.7-35.3.mga8
qt4-qtdbus-4.8.7-35.3.mga8
lib64qtsvg4-4.8.7-35.3.mga8
lib64qtcore4-4.8.7-35.3.mga8
lib64qtscripttools4-4.8.7-35.3.mga8
qt4-qvfb-4.8.7-35.3.mga8
lib64qtsql4-4.8.7-35.3.mga8
qt4-assistant-4.8.7-35.3.mga8
lib64qtdbus4-4.8.7-35.3.mga8
lib64qtopengl4-4.8.7-35.3.mga8
lib64qtdeclarative4-4.8.7-35.3.mga8
lib64qttest4-4.8.7-35.3.mga8
lib64qt4-database-plugin-mysql-4.8.7-35.3.mga8
lib64qtnetwork4-4.8.7-35.3.mga8
qt4-xmlpatterns-4.8.7-35.3.mga8
qt4-doc-4.8.7-35.3.mga8.noarch.rpm
qt4-devel-private-4.8.7-35.3.mga8.noarch.rpm

And that worked - clean update. Thanks TJ.

The only question now is how did the initial pre-update list work as a skeleton?
skeleton = original package names (with version, release and subrel tags removed).
Need to check that all the packages WERE installed.
Noticed a spelling mistake in that list, otherwise all the packages were installed excluding the lib packages. All the lib64 packages seem to have been updated.
Would it work to just do *<version>-<release>* in qarepo, to make sure you get everything, regardless of what the rpms are named?
@David re comment 14. I am not sure but could try it on another system. Meanwhile I am posting this report:

Testing this is a bit of a challenge. Started qmlviewer from the cli and it presented a gui for a few options. Tried to open some of the myriad qml source files on the system but nothing happened. From hints on line switched to the /usr/lib64/qt4/demos/declarative/photoviewer/qml/photoviewer directory and ran the qml file with the viewer and saw the demo appear: a window with several icons with a rotating wheel in each, labelled 'Prague', ... These could be removed singly via the edit command. Dummy items could be added also. Clicking on any of the icons opened a dummy folder with many similar icons and a Back option. That is about as far as we can go. The system looks like a programming framework (python) for Qt graphics.

If anybody else has any ideas they are welcome to try this collection but I would say it is ready for use.
Copied list to another machine for a quick install of the Core packages and yes indeed - qarepo accepted *-4.8.7-35.3.mga8.* Those packages all updated cleanly. The whole thing was lightning fast. Thanks for the suggestion David.
lib64qt3multimedia4-4.8.7-35.3.mga8 not found in the remote repository
CC: (none) => herman.viaene
For qt4-4.8.7-35.3.mga8.src.rpm
lib64qt3support4-4.8.7-35.3.mga8
lib64qt4-database-plugin-mysql-4.8.7-35.3.mga8
lib64qt4-database-plugin-pgsql-4.8.7-35.3.mga8
lib64qt4-database-plugin-sqlite-4.8.7-35.3.mga8
lib64qt4-database-plugin-tds-4.8.7-35.3.mga8
lib64qt4-devel-4.8.7-35.3.mga8
lib64qtclucene4-4.8.7-35.3.mga8
lib64qtcore4-4.8.7-35.3.mga8
lib64qtdbus4-4.8.7-35.3.mga8
lib64qtdeclarative4-4.8.7-35.3.mga8
lib64qtdesigner4-4.8.7-35.3.mga8
lib64qtgui4-4.8.7-35.3.mga8
lib64qthelp4-4.8.7-35.3.mga8
lib64qtmultimedia4-4.8.7-35.3.mga8
lib64qtnetwork4-4.8.7-35.3.mga8
lib64qtopengl4-4.8.7-35.3.mga8
lib64qtscript4-4.8.7-35.3.mga8
lib64qtscripttools4-4.8.7-35.3.mga8
lib64qtsql4-4.8.7-35.3.mga8
lib64qtsvg4-4.8.7-35.3.mga8
lib64qttest4-4.8.7-35.3.mga8
lib64qtxml4-4.8.7-35.3.mga8
lib64qtxmlpatterns4-4.8.7-35.3.mga8
qt4-accessibility-plugin-4.8.7-35.3.mga8
qt4-assistant-4.8.7-35.3.mga8
qt4-common-4.8.7-35.3.mga8
qt4-demos-4.8.7-35.3.mga8
qt4-designer-4.8.7-35.3.mga8
qt4-designer-plugin-qt3support-4.8.7-35.3.mga8
qt4-devel-private-4.8.7-35.3.mga8
qt4-doc-4.8.7-35.3.mga8
qt4-examples-4.8.7-35.3.mga8
qt4-graphicssystems-plugin-4.8.7-35.3.mga8
qt4-linguist-4.8.7-35.3.mga8
qt4-qdoc3-4.8.7-35.3.mga8
qt4-qmlviewer-4.8.7-35.3.mga8
qt4-qtconfig-4.8.7-35.3.mga8
qt4-qtdbus-4.8.7-35.3.mga8
qt4-qvfb-4.8.7-35.3.mga8
qt4-xmlpatterns-4.8.7-35.3.mga8

For qtwebengine5-5.15.8-1.1.mga8.src.rpm
lib64qt5pdf5-5.15.8-1.1.mga8
lib64qt5pdfwidgets5-5.15.8-1.1.mga8
lib64qt5webengine5-5.15.8-1.1.mga8
lib64qt5webenginecore5-5.15.8-1.1.mga8
lib64qt5webenginewidgets5-5.15.8-1.1.mga8
lib64qt5webengine-devel-5.15.8-1.1.mga8
qtwebengine5-5.15.8-1.1.mga8
qtwebengine5-doc-5.15.8-1.1.mga8
CC: (none) => davidwhodgins
Thanks Dave. @Herman - correct - another mistake. And my test missed the qtsvg5 stuff. And the qtwebengine packages. Looks like a restart is needed.
Oops. qtwebengine is not for this update. I copy/pasted the wrong line from
http://mirror.math.princeton.edu/pub/mageia/distrib/8/SRPMS/core/updates_testing/

For qtsvg5-5.15.2-1.3.mga8.src.rpm
...
qtsvg5-doc-5.15.2-1.3.mga8
qtsvg5-5.15.2-1.3.mga8
lib64qt5svg-devel-5.15.2-1.3.mga8
lib64qt5svg5-5.15.2-1.3.mga8
MGA8-64 MATE on Acer Aspire 5253
No installation issues.
Ref bug 29014 used marble and ksudoku, both run OK.
And
# urpmq --whatrequires lib64qt3support4
returns a.o. kdftool
Used that one to extract a single page from a multi-page pdf file. Works OK.
Seems OK to me unless someone else wants other tests.
Whiteboard: (none) => MGA8-64-OK
Installed qtsvg5 and lib64qt5svg5 and tested without issues.

Tested by using gwenview to view several svg files and confirming that the updated libraries are loaded using strace. Also using the Plasma DE and LXQt DE and after a session restart all was as expected. No graphical issues.

System: Mageia 8, x86_64, Plasma DE, LXQt DE, AMD Ryzen 5 5600G with Radeon Graphics.

$ uname -a
Linux jupiter 6.1.34-desktop-2.mga8 #1 SMP PREEMPT_DYNAMIC Wed Jun 14 19:14:11 UTC 2023 x86_64 x86_64 x86_64 GNU/Linux

$ rpm -qa | grep -iP 'qt.*svg5.*5.15.2'
lib64qt5svg5-5.15.2-1.3.mga8
qtsvg5-5.15.2-1.3.mga8

$ rpm -ql $(rpm -qa | grep -iP 'qt.*svg5.*5.15.2') | grep -v build-id | sort
/usr/lib64/libQt5Svg.so.5
/usr/lib64/libQt5Svg.so.5.15
/usr/lib64/libQt5Svg.so.5.15.2
/usr/lib64/qt5/plugins/iconengines/libqsvgicon.so
/usr/lib64/qt5/plugins/imageformats/libqsvg.so

$ strace -o ~/tmp/strace.log gwenview
<SNIP>

$ grep -iP '^openat.*lib.*svg' ~/tmp/strace.log | grep -v ENOENT | sort -u
openat(AT_FDCWD, "/lib64/libQt5Svg.so.5", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/qt5/plugins/iconengines/libqsvgicon.so", O_RDONLY|O_CLOEXEC) = 6
openat(AT_FDCWD, "/usr/lib64/qt5/plugins/imageformats/libqsvg.so", O_RDONLY|O_CLOEXEC) = 11
CC: (none) => mageia
Whiteboard: MGA8-64-OK => (none)
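
The strace check in the comment above can be scripted so that it compares the package's file list against the successful openat() calls instead of relying on a grep pattern. This is an added example, not part of the original thread: the strace lines are constructed in the format of the quoted output, the file list is the rpm -ql output quoted above, and treating /lib64 as the same directory as /usr/lib64 is an assumption taken from that output.

```sh
#!/bin/sh
# Added example: which files shipped by a package did a traced process open?

sample_strace() {  # constructed log lines, in the format quoted in the thread
cat <<'EOF'
openat(AT_FDCWD, "/opt/constructed/libQt5Svg.so.5", O_RDONLY|O_CLOEXEC) = -1 ENOENT (No such file or directory)
openat(AT_FDCWD, "/lib64/libQt5Svg.so.5", O_RDONLY|O_CLOEXEC) = 3
openat(AT_FDCWD, "/usr/lib64/qt5/plugins/iconengines/libqsvgicon.so", O_RDONLY|O_CLOEXEC) = 6
openat(AT_FDCWD, "/usr/lib64/qt5/plugins/imageformats/libqsvg.so", O_RDONLY|O_CLOEXEC) = 11
openat(AT_FDCWD, "/lib64/libQt5Gui.so.5", O_RDONLY|O_CLOEXEC) = 3
EOF
}

sample_pkg_files() {  # the rpm -ql file list quoted in the thread
cat <<'EOF'
/usr/lib64/libQt5Svg.so.5
/usr/lib64/libQt5Svg.so.5.15
/usr/lib64/libQt5Svg.so.5.15.2
/usr/lib64/qt5/plugins/iconengines/libqsvgicon.so
/usr/lib64/qt5/plugins/imageformats/libqsvg.so
EOF
}

# Print the path of every openat() that returned a file descriptor.
# Failed calls (= -1 ENOENT ...) do not match; a leading PID (strace -f) is allowed.
opened_paths() {
  sed -n 's/^[0-9 ]*openat([^"]*"\([^"]*\)".*) = [0-9][0-9]*$/\1/p' "$1"
}

# loaded_pkg_files STRACE_LOG FILE_LIST: package files the process opened.
# Assumption: /lib64 is a symlink to /usr/lib64, so both spellings name one file.
loaded_pkg_files() {
  tmp=$(mktemp) || return 1
  opened_paths "$1" | sed 's#^/lib64/#/usr/lib64/#' | LC_ALL=C sort -u > "$tmp"
  LC_ALL=C sort -u "$2" | LC_ALL=C comm -12 - "$tmp"
  rm -f "$tmp"
}

demo() {
  dir=$(mktemp -d) || return 1
  sample_strace > "$dir/strace.log"
  sample_pkg_files > "$dir/files.txt"
  loaded_pkg_files "$dir/strace.log" "$dir/files.txt"
  rm -rf "$dir"
}

demo
```

On a real system the two inputs are the strace -o log and the saved output of rpm -ql for the updated packages. The versioned names (libQt5Svg.so.5.15, libQt5Svg.so.5.15.2) are not reported because the loader opens the library through its soname link.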
Just restoring the MGA8-64-OK removed by my mistake. :-)
Thanks again Dave. Using updated list installation of the extra packages worked.
A random selection from the Qt demos ran without problems before the update.
Update was successful.
$ /usr/lib64/qt4/bin/qtdemo
The demo program provided many samples and examples which all worked AFAICS.
I am going to give this the OK.

Midair collision.
Validating.
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update
Keywords: (none) => advisory
Blocks: (none) => 31950
Depends on: 31950 => (none)
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2023-0231.html
Status: NEW => RESOLVED
Resolution: (none) => FIXED