qt6-base: CVE-2023-33285


Debian Bug report logs - #1036848

Reported by: Salvatore Bonaccorso <carnil@debian.org>

Date: Sat, 27 May 2023 20:54:02 UTC

Severity: important

Tags: security, upstream

Found in version qt6-base/6.4.2+dfsg-9

Fixed in version qt6-base/6.4.2+dfsg-10

Done: Patrick Franz <deltaone@debian.org>

Forwarded to https://codereview.qt-project.org/c/qt/qtbase/+/477644


Report forwarded to debian-bugs-dist@lists.debian.org, carnil@debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#1036848; Package src:qt6-base. (Sat, 27 May 2023 20:54:04 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
New Bug report received and forwarded. Copy sent to carnil@debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sat, 27 May 2023 20:54:04 GMT)


Message #5 received at submit@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Debian Bug Tracking System <submit@bugs.debian.org>
Subject: qt6-base: CVE-2023-33285
Date: Sat, 27 May 2023 22:51:25 +0200
Source: qt6-base
Version: 6.4.2+dfsg-9
Severity: important
Tags: security upstream
Forwarded: https://codereview.qt-project.org/c/qt/qtbase/+/477644
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>

Hi,

The following vulnerability was published for qt6-base.

CVE-2023-33285[0]:
| An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9,
| and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-
| read via a crafted reply from a DNS server.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-33285
    https://www.cve.org/CVERecord?id=CVE-2023-33285
[1] https://codereview.qt-project.org/c/qt/qtbase/+/477644
[2] https://codereview.qt-project.org/gitweb?p=qt/qtbase.git;a=commitdiff;h=7dba2c87619d558a61a30eb30cc1d9c3fe6df94c

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore



Reply sent to Patrick Franz <deltaone@debian.org>:
You have taken responsibility. (Sun, 28 May 2023 09:09:03 GMT)


Notification sent to Salvatore Bonaccorso <carnil@debian.org>:
Bug acknowledged by developer. (Sun, 28 May 2023 09:09:04 GMT)


Message #10 received at 1036848-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1036848-close@bugs.debian.org
Subject: Bug#1036848: fixed in qt6-base 6.4.2+dfsg-10
Date: Sun, 28 May 2023 09:05:26 +0000
Source: qt6-base
Source-Version: 6.4.2+dfsg-10
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
qt6-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1036848@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated qt6-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Sun, 28 May 2023 10:41:24 +0200
Source: qt6-base
Architecture: source
Version: 6.4.2+dfsg-10
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1036848
Changes:
 qt6-base (6.4.2+dfsg-10) unstable; urgency=medium
 .
   [ Patrick Franz ]
   * Add patch to fix CVE-2023-33285 (Closes: #1036848).
Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sun May 28 13:14:05 2023; Machine Name: bembo