Bug 31950 - qt4, qtsvg5, qtsvg6 new security issue CVE-2023-32573
Summary: qt4, qtsvg5, qtsvg6 new security issue CVE-2023-32573
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: Cauldron
Hardware: All
OS: Linux
Priority: Normal
Severity: normal
Target Milestone: ---
Assignee: KDE maintainers
QA Contact: Sec team
URL:
Whiteboard: MGA8TOO
Keywords:
Depends on: 29913
Blocks:
Reported: 2023-05-22 14:04 CEST by David Walser
Modified: 2023-07-19 22:00 CEST (History)

See Also:
Source RPM: qtsvg5-5.15.7-1.mga9.src.rpm, qtsvg6-6.4.1-2.mga9.src.rpm
CVE:
Status comment:



Description David Walser 2023-05-22 14:04:16 CEST
A security issue in QtSvg:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2023-32573

has a patch:
https://download.qt.io/official_releases/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff

Note that Qt4 is most likely also affected.

Mageia 8 is also affected.
David Walser 2023-05-22 14:04:30 CEST

CC: (none) => smelror
Whiteboard: (none) => MGA8TOO

Comment 1 David GEIGER 2023-05-22 19:52:01 CEST
Done for both mga8 and Cauldron!

Note that there is no qtsvg6 package for mga8.

CC: (none) => geiger.david68210

Comment 2 David Walser 2023-05-22 19:54:13 CEST
(In reply to David GEIGER from comment #1)
> Done for both mga8 and Cauldron!
> 
> Note that there is no qtsvg6 package for mga8.

Thanks, did you check Qt4? Our previous qtsvg security updates have affected that too.
Comment 3 David Walser 2023-05-22 19:56:11 CEST
Mageia 8 updated packages for qtsvg5:
qtsvg5-doc-5.15.2-1.2.mga8
libqt5svg5-5.15.2-1.2.mga8
libqt5svg-devel-5.15.2-1.2.mga8
qtsvg5-5.15.2-1.2.mga8

from qtsvg5-5.15.2-1.2.mga8.src.rpm
David Walser 2023-05-22 19:56:28 CEST

Status comment: (none) => qt4 may also be affected, to be checked

David GEIGER 2023-06-28 19:26:01 CEST

Blocks: (none) => 29913

Comment 4 David GEIGER 2023-06-28 19:27:02 CEST
Fixed for both cauldron and mga8 in bug 29913!
Comment 5 David GEIGER 2023-06-29 06:29:33 CEST
Assigning to QA.

Assignee: kde => qa-bugs

Comment 6 David Walser 2023-06-29 23:33:44 CEST
Just noting here that you did indeed patch qt4 for this issue.

We don't assign two bugs to QA for the same update(s), so assigning this back to the KDE team and we'll handle this update in Bug 29913.  When that bug is closed, we'll close this one.

Status comment: qt4 may also be affected, to be checked => (none)
Summary: qtsvg5, qtsvg6 new security issue CVE-2023-32573 => qt4, qtsvg5, qtsvg6 new security issue CVE-2023-32573
Assignee: qa-bugs => kde

Thomas Backlund 2023-07-19 20:34:01 CEST

Depends on: (none) => 29913
Blocks: 29913 => (none)

Comment 7 Thomas Backlund 2023-07-19 22:00:45 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2023-0231.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

