Bug 33247 - qtnetworkauth5 and qtnetworkauth6 new security issue CVE-2024-36048
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 9
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA9-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2024-05-27 16:52 CEST by Nicolas Salguero
Modified: 2024-05-29 20:09 CEST

See Also:
Source RPM: qtnetworkauth5, qtnetworkauth6
CVE: CVE-2024-36048
Status comment: Fixed upstream in 5.15.17 and 6.5.6 or 6.7.1 and patches available from openSUSE and upstream


Attachments
Install/Uninstall log (56.86 KB, text/plain)
2024-05-27 20:29 CEST, katnatek

Description Nicolas Salguero 2024-05-27 16:52:22 CEST
openSUSE has issued an advisory on May 24:
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/55ZLZN7U7KUGQ7YANJIPQP7R7ESP6B3L/

Mageia 9 is also affected.

Nicolas Salguero 2024-05-27 16:53:43 CEST

Source RPM: (none) => qtnetworkauth5, qtnetworkauth6
Whiteboard: (none) => MGA9TOO
CVE: (none) => CVE-2024-36048
Status comment: (none) => Fixed upstream in 5.15.17 and 6.5.6 or 6.7.1 and patches available from openSUSE and upstream

Comment 1 David GEIGER 2024-05-27 19:32:09 CEST
Fixed for Cauldron both qtnetworkauth6 and qtnetworkauth5!

CC: (none) => geiger.david68210

Comment 2 David GEIGER 2024-05-27 19:35:37 CEST
Assigning to QA,

Packages in 9/Core/Updates_testing:
======================
libqt5networkauth-devel-5.15.7-1.1.mga9
libqt5networkauth5-5.15.7-1.1.mga9
lib64qt5networkauth-devel-5.15.7-1.1.mga9
lib64qt5networkauth5-5.15.7-1.1.mga9
qtnetworkauth5-doc-5.15.7-1.1.mga9.noarch.rpm


libqt6networkauth-devel-6.4.1-1.1.mga9
libqt6networkauth6-6.4.1-1.1.mga9
lib64qt6networkauth-devel-6.4.1-1.1.mga9
lib64qt6networkauth6-6.4.1-1.1.mga9

From SRPMS:
qtnetworkauth5-5.15.7-1.1.mga9.src.rpm
qtnetworkauth6-6.4.1-1.1.mga9.src.rpm

Assignee: bugsquad => qa-bugs
Version: Cauldron => 9
Whiteboard: MGA9TOO => (none)

katnatek 2024-05-27 19:59:50 CEST

Keywords: (none) => advisory

Comment 3 katnatek 2024-05-27 20:29:57 CEST
Created attachment 14551
Install/Uninstall log

RH mageia 9 x86_64

I just tested install/uninstall

Feel free to test applications that depend on this

urpmq --whatrequires-recursive lib64qt5networkauth5|uniq
akonadi-kde
choqok
digikam
kaddressbook
kalarm
kalarm-handbook
kalendar
kbibtex
kdenlive
kdepim-addons
kmail
kmail-handbook
knotes
knotes-handbook
korganizer
korganizer-handbook
lib64choqok-devel
lib64gnusocialapihelper1
lib64kaddressbookprivate5
lib64kbibtex-devel
lib64kbibtex0
lib64kpim5addressbookimportexport5
lib64kpimaddressbookimportexport-devel
lib64qt5networkauth-devel
lib64qt5networkauth5
lib64twitterapihelper1
libkaddressbookprivate5
libkpim5addressbookimportexport5
libkpimaddressbookimportexport-devel
mscore
python3-qt5-networkauth
zanshin

urpmq --whatrequires-recursive lib64qt6networkauth6|uniq
calibre
eric7
lib64qt6networkauth-devel
lib64qt6networkauth6
python3-pyside6-networkauth
python3-qt6
python3-qt6-devel
python3-qt6-networkauth
python3-qt6-qscintilla

Comment 4 katnatek 2024-05-29 03:40:32 CEST
Giving OK based on a clean install and no additional testing by the team

CC: (none) => andrewsfarm
Whiteboard: (none) => MGA9-64-OK

Comment 5 Herman Viaene 2024-05-29 14:33:38 CEST
MGA9-64 Plasma Wayland on HP-Pavilion
No installation issues.
Installed mscore and ran it under strace, wrote a small score, saved it and found in the trace:
openat(AT_FDCWD, "/lib64/libQt5NetworkAuth.so.5", O_RDONLY|O_CLOEXEC) = 3

Installed and ran eric7 under strace, ran hello world and found in the trace:
openat(AT_FDCWD, "/lib64/libQt6Network.so.6", O_RDONLY|O_CLOEXEC) = 3

Should be OK

CC: (none) => herman.viaene

Comment 6 Thomas Andrews 2024-05-29 15:43:03 CEST
You beat me to it, Herman. I had a few minutes, so I thought I'd try it with Zanshin, described as "A Getting Things Done application which aims at getting your mind like water."

Not sure if I like that idea, but I installed and ran it under strace, anyway. Seems to be an app for maintaining a ToDo list. Being of an earlier generation, that's something I've always done with a pad in my pocket. No electronics involved.

Anyway, searching the trace showed three times where "/usr/lib64/libQt5Network.so.5.15.7" was invoked, and the application worked as it should (I guess), so that confirms the OK.

Validating.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2024-05-29 20:09:57 CEST
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2024-0197.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED

