qtbase-opensource-src-gles: CVE-2023-32763


Debian Bug report logs - #1036702


Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Wed, 24 May 2023 13:54:02 UTC

Severity: important

Tags: security, upstream

Fixed in version qtbase-opensource-src-gles/5.15.8+dfsg-3

Done: Dmitry Shachnev <mitya57@debian.org>





Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#1036702; Package src:qtbase-opensource-src-gles. (Wed, 24 May 2023 13:54:04 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Wed, 24 May 2023 13:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: qtbase-opensource-src-gles: CVE-2023-32762
Date: Wed, 24 May 2023 15:50:06 +0200
Source: qtbase-opensource-src-gles
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2023-32762[0]:
https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305

Per IRC, this likely also affects the -gles variant

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-32762
    https://www.cve.org/CVERecord?id=CVE-2023-32762

Please adjust the affected versions in the BTS as needed.



Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#1036702; Package src:qtbase-opensource-src-gles. (Wed, 24 May 2023 14:03:02 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Wed, 24 May 2023 14:03:02 GMT)


Message #10 received at 1036702@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: 1036702@bugs.debian.org
Subject: Re: qtbase-opensource-src-gles: CVE-2023-32762
Date: Wed, 24 May 2023 16:00:31 +0200
Am Wed, May 24, 2023 at 03:50:06PM +0200 schrieb Moritz Mühlenhoff:
> Source: qtbase-opensource-src-gles
> X-Debbugs-CC: team@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for qtbase-opensource-src-gles.
> 
> CVE-2023-32762[0]:
> https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305
> 
> Per IRC, this likely also affects the -gles variant

Confused the CVE IDs, this is for CVE-2023-32763, which is the SVG issue.
CVE-2023-32762 being about HSTS should not affect -gles.

Cheers,
        Moritz



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Wed, 24 May 2023 14:06:11 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#1036702; Package src:qtbase-opensource-src-gles. (Wed, 24 May 2023 17:54:03 GMT)


Acknowledgement sent to Dmitry Shachnev <mitya57@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Wed, 24 May 2023 17:54:03 GMT)


Message #17 received at 1036702@bugs.debian.org:

From: Dmitry Shachnev <mitya57@debian.org>
To: 1036702@bugs.debian.org
Subject: Re: Bug#1036702: qtbase-opensource-src-gles: CVE-2023-32762
Date: Wed, 24 May 2023 20:51:12 +0300
Control: retitle -1 qtbase-opensource-src-gles: CVE-2023-32763

On Wed, May 24, 2023 at 04:00:31PM +0200, Moritz Mühlenhoff wrote:
> Confused the CVE IDs, this is for CVE-2023-32763, which is the SVG issue.
> CVE-2023-32762 being about HSTS should not affect -gles.

Right. Retitling accordingly.

--
Dmitry Shachnev

Changed Bug title to 'qtbase-opensource-src-gles: CVE-2023-32763' from 'qtbase-opensource-src-gles: CVE-2023-32762'. Request was from Dmitry Shachnev <mitya57@debian.org> to 1036702-submit@bugs.debian.org. (Wed, 24 May 2023 17:54:03 GMT)


Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1036702. (Wed, 24 May 2023 18:03:12 GMT)


Message #22 received at 1036702-submitter@bugs.debian.org:

From: Dmitry Shachnev <noreply@salsa.debian.org>
To: 1036702-submitter@bugs.debian.org
Subject: Bug#1036702 marked as pending in qtbase-opensource-src
Date: Wed, 24 May 2023 18:00:11 +0000
Control: tag -1 pending

Hello,

Bug #1036702 in qtbase-opensource-src reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/qt-kde-team/qt/qtbase/-/commit/a67f62c5b3043ff9db4d0a9adad783fd09611ea8

------------------------------------------------------------------------
Add a patch to fix CVE-2023-32763: buffer overflow in Qt SVG.

Closes: #1036702.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1036702
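
To turn the "Fixed in version" line of this report into a check an operator can run, here is an added example (not code from this bug report, from Debian or from dpkg) that reimplements dpkg's version-ordering rules in Python and compares an installed version against 5.15.8+dfsg-3. It assumes the binary package to query is libqt5gui5-gles, built from this source package, and falls back to a constructed version string when dpkg-query is not available; where dpkg is present, dpkg --compare-versions is the authoritative implementation.

```python
"""Is an installed qtbase-opensource-src-gles build at or past the fix for CVE-2023-32763?

Added example, not code from this bug report, from Debian or from dpkg. It
reimplements dpkg's version ordering (epoch, upstream, revision; '~' sorts
before everything including the end of the string, letters before other
non-digits, digit runs compared numerically) so that the check can run in
tooling that has no dpkg or python3-apt at hand.
"""
import subprocess
import sys

# Source package -> first fixed version, taken from this bug's close message (unstable).
FIXED_VERSIONS = {"qtbase-opensource-src-gles": "5.15.8+dfsg-3"}


def _is_digit(c):
    return c is not None and "0" <= c <= "9"


def _order(c):
    """dpkg's character weight: end of string and digits are 0, '~' is below everything."""
    if c is None or _is_digit(c):
        return 0
    if ("a" <= c <= "z") or ("A" <= c <= "Z"):
        return ord(c)
    if c == "~":
        return -1
    return ord(c) + 256


def _verrevcmp(a, b):
    """Compare two version fragments the way dpkg's verrevcmp() does (negative, 0, positive)."""
    i = j = 0
    while i < len(a) or j < len(b):
        first_diff = 0
        # Non-digit run: compare character by character with _order().
        while (i < len(a) and not _is_digit(a[i])) or (j < len(b) and not _is_digit(b[j])):
            ac = _order(a[i] if i < len(a) else None)
            bc = _order(b[j] if j < len(b) else None)
            if ac != bc:
                return ac - bc
            i += 1
            j += 1
        # Digit run: drop leading zeros; the longer run wins, else the first differing digit.
        while i < len(a) and a[i] == "0":
            i += 1
        while j < len(b) and b[j] == "0":
            j += 1
        while i < len(a) and _is_digit(a[i]) and j < len(b) and _is_digit(b[j]):
            if not first_diff:
                first_diff = ord(a[i]) - ord(b[j])
            i += 1
            j += 1
        if i < len(a) and _is_digit(a[i]):
            return 1
        if j < len(b) and _is_digit(b[j]):
            return -1
        if first_diff:
            return first_diff
    return 0


def parse_version(version):
    """Split 'epoch:upstream-revision' into (epoch, upstream, revision); epoch 0 and revision '' if absent."""
    epoch = 0
    if ":" in version:
        epoch_str, version = version.split(":", 1)
        epoch = int(epoch_str)
    if "-" in version:
        upstream, revision = version.rsplit("-", 1)
    else:
        upstream, revision = version, ""
    return epoch, upstream, revision


def compare_versions(a, b):
    """Return -1, 0 or 1 as dpkg would order version strings a and b."""
    ea, ua, ra = parse_version(a)
    eb, ub, rb = parse_version(b)
    if ea != eb:
        return 1 if ea > eb else -1
    for x, y in ((ua, ub), (ra, rb)):
        r = _verrevcmp(x, y)
        if r:
            return 1 if r > 0 else -1
    return 0


def is_fixed(source_package, installed_version):
    """True when installed_version is at or above the first fixed version for the source package."""
    return compare_versions(installed_version, FIXED_VERSIONS[source_package]) >= 0


if __name__ == "__main__":
    # Assumption: the binary package to query is libqt5gui5-gles; pass another name as argv[1].
    pkg = sys.argv[1] if len(sys.argv) > 1 else "libqt5gui5-gles"
    try:
        installed = subprocess.run(["dpkg-query", "-W", "-f=${Version}", pkg],
                                   capture_output=True, text=True, check=True).stdout.strip()
    except (OSError, subprocess.CalledProcessError):
        installed = "5.15.8+dfsg-2"  # constructed sample for hosts without dpkg
    verdict = "fixed" if is_fixed("qtbase-opensource-src-gles", installed) else "VULNERABLE"
    print(f"{pkg} {installed}: {verdict}")
```

5.15.8+dfsg-3 is the unstable version named in this bug; a fix for a stable suite ships under that suite's own version number, so look up the per-suite fixed version on the security tracker before applying this anywhere but sid. The '~' rule also matters: a hypothetical 5.15.8+dfsg-3~bpo11+1 sorts before 5.15.8+dfsg-3 and is reported as unfixed, which is the only correct answer the version string alone can give.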



Added tag(s) pending. Request was from Dmitry Shachnev <noreply@salsa.debian.org> to 1036702-submitter@bugs.debian.org. (Wed, 24 May 2023 18:03:13 GMT)


Reply sent to Dmitry Shachnev <mitya57@debian.org>:
You have taken responsibility. (Wed, 24 May 2023 18:24:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Wed, 24 May 2023 18:24:03 GMT)


Message #29 received at 1036702-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1036702-close@bugs.debian.org
Subject: Bug#1036702: fixed in qtbase-opensource-src-gles 5.15.8+dfsg-3
Date: Wed, 24 May 2023 18:20:48 +0000
Source: qtbase-opensource-src-gles
Source-Version: 5.15.8+dfsg-3
Done: Dmitry Shachnev <mitya57@debian.org>

We believe that the bug you reported is fixed in the latest version of
qtbase-opensource-src-gles, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036702@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev <mitya57@debian.org> (supplier of updated qtbase-opensource-src-gles package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Wed, 24 May 2023 20:52:26 +0300
Source: qtbase-opensource-src-gles
Architecture: source
Version: 5.15.8+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Dmitry Shachnev <mitya57@debian.org>
Closes: 1036702
Changes:
 qtbase-opensource-src-gles (5.15.8+dfsg-3) unstable; urgency=medium
 .
   * Add a patch to fix CVE-2023-32763: buffer overflow in Qt SVG
     (closes: #1036702).
Checksums-Sha1:
 c8f4f6e031cf918e6601cfaa08e76fe7eed16752 3701 qtbase-opensource-src-gles_5.15.8+dfsg-3.dsc
 9c32fc55f9c3fc51ab3873c4ad45c59ba41c8dd9 133408 qtbase-opensource-src-gles_5.15.8+dfsg-3.debian.tar.xz
 a4966d992b62e03f95f685e303df9b4cc95bc25b 15795 qtbase-opensource-src-gles_5.15.8+dfsg-3_source.buildinfo
Checksums-Sha256:
 2a7ea9a0e5ef1b7c6ece338dd7cf4d50d2d1f61454611207f85bc2ab40c717cf 3701 qtbase-opensource-src-gles_5.15.8+dfsg-3.dsc
 e10a9129f932e977bceca25fa6469dd36213994f9903094c2172957bce0d9e6e 133408 qtbase-opensource-src-gles_5.15.8+dfsg-3.debian.tar.xz
 cbd7077d8afbfa2e2d417da0dcefcbfcc912d5b7e95419649fa6c15ce37a63e5 15795 qtbase-opensource-src-gles_5.15.8+dfsg-3_source.buildinfo
Files:
 edf458fe576bb0d9b171148a03b263e3 3701 libs optional qtbase-opensource-src-gles_5.15.8+dfsg-3.dsc
 21d405cd000591a9fd8810a5f5300eb9 133408 libs optional qtbase-opensource-src-gles_5.15.8+dfsg-3.debian.tar.xz
 28dd3d1a7e55ef9818305cfcc7f35b47 15795 libs optional qtbase-opensource-src-gles_5.15.8+dfsg-3_source.buildinfo


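The close message above carries the Checksums-Sha256 stanza for the upload that fixes CVE-2023-32763. The following added example (not code from this bug report, from Debian or from dpkg) parses such a stanza and verifies a download directory against it: sizes first, then SHA-256 via hashlib, so a truncated or tampered .dsc or debian.tar.xz is caught before dpkg-source or a build touches it. The stanza constant is copied from the page; the files and stanza used by the demo function are constructed inline and labelled as such. It assumes nothing beyond the Python standard library.

```python
"""Verify downloaded Debian source files against a .changes/.dsc Checksums-Sha256 stanza.

Added example, not code from this bug report, from Debian or from dpkg. It reads
the deb822 multi-line field (a 'Field:' line followed by continuation lines that
start with a space, each 'digest size filename'), recomputes the digest of each
file on disk and reports every entry that is missing, malformed, resized or altered.
"""
import hashlib
import os
import tempfile

# Stanza from this bug's close message for 5.15.8+dfsg-3, copied from the page.
PAGE_STANZA = """\
Checksums-Sha256:
 2a7ea9a0e5ef1b7c6ece338dd7cf4d50d2d1f61454611207f85bc2ab40c717cf 3701 qtbase-opensource-src-gles_5.15.8+dfsg-3.dsc
 e10a9129f932e977bceca25fa6469dd36213994f9903094c2172957bce0d9e6e 133408 qtbase-opensource-src-gles_5.15.8+dfsg-3.debian.tar.xz
 cbd7077d8afbfa2e2d417da0dcefcbfcc912d5b7e95419649fa6c15ce37a63e5 15795 qtbase-opensource-src-gles_5.15.8+dfsg-3_source.buildinfo
Files:
 edf458fe576bb0d9b171148a03b263e3 3701 libs optional qtbase-opensource-src-gles_5.15.8+dfsg-3.dsc
"""


def parse_checksums(text, field="Checksums-Sha256"):
    """Return {filename: (digest, size)} for one multi-line field of a .changes/.dsc body.

    Continuation lines are 'digest size name' for Checksums-* and
    'md5 size section priority name' for Files; columns 1, 2 and the last
    column are what we need in both cases.
    """
    entries = {}
    in_field = False
    for line in text.splitlines():
        if line.startswith(" "):
            if in_field and line.strip():
                parts = line.split()
                entries[parts[-1]] = (parts[0].lower(), int(parts[1]))
        else:
            # Any non-continuation line (another field, blank line, PGP armor) ends the field.
            in_field = line.startswith(field + ":")
    return entries


def hash_file(path, algo):
    """Hex digest of a file, streamed so large tarballs are not read into memory at once."""
    h = hashlib.new(algo)
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(1 << 16), b""):
            h.update(chunk)
    return h.hexdigest()


def verify_checksums(entries, directory, algo="sha256"):
    """Return [(filename, problem)] for every entry that is malformed, missing, resized or altered."""
    hexlen = hashlib.new(algo).digest_size * 2
    problems = []
    for name, (digest, size) in entries.items():
        if len(digest) != hexlen or any(c not in "0123456789abcdef" for c in digest):
            problems.append((name, "malformed digest"))
            continue
        # basename(): a stanza must never be able to point outside the download directory.
        path = os.path.join(directory, os.path.basename(name))
        if not os.path.isfile(path):
            problems.append((name, "missing"))
            continue
        actual_size = os.path.getsize(path)
        if actual_size != size:
            problems.append((name, f"size {actual_size} != {size}"))
            continue
        actual = hash_file(path, algo)
        if actual != digest:
            problems.append((name, f"{algo} {actual} != {digest}"))
    return problems


def demo_verification():
    """Constructed demo: one intact file, one altered after the stanza was written, one missing."""
    good = b"Format: 3.0 (quilt)\n"  # stand-in for a .dsc body, not a real one
    with tempfile.TemporaryDirectory() as d:
        with open(os.path.join(d, "a.dsc"), "wb") as f:
            f.write(good)
        with open(os.path.join(d, "b.debian.tar.xz"), "wb") as f:
            f.write(b"tampered\n")  # 9 bytes, the size the stanza claims, so only the digest differs
        stanza = (
            "Checksums-Sha256:\n"
            f" {hashlib.sha256(good).hexdigest()} {len(good)} a.dsc\n"
            f" {'0' * 64} 9 b.debian.tar.xz\n"
            f" {'1' * 64} 5 c.orig.tar.xz\n"
            "Files:\n"
        )
        return verify_checksums(parse_checksums(stanza), d)


if __name__ == "__main__":
    for name, problem in demo_verification():
        print(f"{name}: {problem}")
```

The checksums only bind the files to the .changes text, not the text to Debian: verify the OpenPGP signature on the .changes or .dsc first (dscverify from devscripts checks the signature and the listed digests together), otherwise an attacker who can replace the files can replace the stanza with it.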





Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu May 25 13:13:34 2023; Machine Name: buxtehude
