Debian Bug report logs - #750141
libqt4-xml: vulnerable to billion laughs attack (CVE-2013-4549)
Reported by: Hamish Moffatt <hamish@debian.org>
Date: Mon, 2 Jun 2014 01:45:02 UTC
Severity: serious
Tags: moreinfo, security
Found in version qt4-x11/4:4.8.2+dfsg-11
Fixed in versions qt4-x11/4:4.8.5+git192-g085f851+dfsg-1, 4:4.8.5+git192-g085f851+dfsg-1
Done: Emilio Pozuelo Monfort <pochu@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#750141; Package libqt4-xml. (Mon, 02 Jun 2014 01:45:06 GMT)
Acknowledgement sent to Hamish Moffatt <hamish@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, secure-testing-team@lists.alioth.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 02 Jun 2014 01:45:06 GMT)
Message #5 received at submit@bugs.debian.org:
Package: libqt4-xml
Severity: serious
Tags: security
Justification: security
Qt 4.8.6 has a fix for a denial of service attack due to XML entity
expansion ("billion laughs attack"). This fix doesn't seem to be in the
wheezy packages yet.
http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
Ubuntu patched their 4.8.4;
https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577
Hamish
-- System Information:
Debian Release: 7.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.13-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#750141; Package libqt4-xml. (Mon, 02 Jun 2014 02:33:04 GMT)
Acknowledgement sent to 750141@bugs.debian.org: Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 02 Jun 2014 02:33:04 GMT)
Message #10 received at 750141@bugs.debian.org:
tag 750141 moreinfo
thanks
On Monday 02 June 2014 11:19:05 Hamish Moffatt wrote:
> Package: libqt4-xml
> Severity: serious
> Tags: security
> Justification: security
>
> Qt 4.8.6 has a fix for a denial of service attack due to XML entity
> expansion ("billion laughs attack"). This fix doesn't seem to be in the
> wheezy packages yet.
>
> http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
>
> Ubuntu patched their 4.8.4;
>
> https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577
Hi Hamish! I patched Qt4 for jessie at that time but IIRC (I might be mixing
CVEs here) when I asked someone from the security team over IRC (or maybe by
mail, I don't remember now) they told me it wasn't too important to get an
update in stable.
Now if you can give me an example that shows it deserves an RC bug I can
prepare a fix.
Thanks, Lisandro.
--
16: Who does the Internet belong to?
* To GOD, given that all things in the world belong to Him
Damian Nadales
http://mx.grulic.org.ar/lurker/message/20080307.141449.a70fb2fc.es.html

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
Added tag(s) moreinfo. Request was from "Lisandro Damián Nicanor Pérez Meyer" <perezmeyer@gmail.com> to control@bugs.debian.org. (Mon, 02 Jun 2014 02:33:07 GMT)
Message sent on to Hamish Moffatt <hamish@debian.org>: Bug#750141. (Mon, 02 Jun 2014 02:33:11 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#750141; Package libqt4-xml. (Mon, 09 Jun 2014 05:21:04 GMT)
Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>: Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 09 Jun 2014 05:21:04 GMT)
Message #20 received at 750141@bugs.debian.org:
Hi,
On Sun, Jun 01, 2014 at 11:30:15PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> tag 750141 moreinfo
> thanks
>
> On Monday 02 June 2014 11:19:05 Hamish Moffatt wrote:
> > Package: libqt4-xml
> > Severity: serious
> > Tags: security
> > Justification: security
> >
> > Qt 4.8.6 has a fix for a denial of service attack due to XML entity
> > expansion ("billion laughs attack"). This fix doesn't seem to be in the
> > wheezy packages yet.
> >
> > http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
> >
> > Ubuntu patched their 4.8.4;
> >
> > https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577
>
> Hi Hamish! I patched Qt4 for jessie at that time but IIRC (I might be mixing
> CVEs here) when I asked someone from the security team over IRC (or maybe by
> mail, I don't remember now) they told me it wasn't too important to get an
> update in stable.
Yep, per mail. It was on 2013-12-06, where Moritz had written:
Hi Lisandro,
this doesn't warrant a DSA. It can be fixed through a point update, though
or we can line it up for a future QT DSA.
Cheers,
Moritz
For the BTS, I think this was fixed in 4:4.8.5+git192-g085f851+dfsg-1.
Regards,
Salvatore
Changed Bug title to 'libqt4-xml: vulnerable to billion laughs attack (CVE-2013-4549)' from 'libqt4-xml: vulnerable to billion laughs attack'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 09 Jun 2014 05:21:08 GMT)
Marked as fixed in versions qt4-x11/4:4.8.5+git192-g085f851+dfsg-1. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 09 Jun 2014 05:21:09 GMT)
Marked as found in versions qt4-x11/4:4.8.2+dfsg-11. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Mon, 09 Jun 2014 05:21:10 GMT)
Message sent on to Hamish Moffatt <hamish@debian.org>: Bug#750141. (Mon, 09 Jun 2014 05:21:19 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#750141; Package libqt4-xml. (Mon, 09 Jun 2014 11:45:04 GMT)
Acknowledgement sent to Hamish Moffatt <hamish@cloud.net.au>: Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Mon, 09 Jun 2014 11:45:04 GMT)
Message #34 received at 750141@bugs.debian.org:
On 09/06/14 15:17, Salvatore Bonaccorso wrote:
> Hi,
>
> On Sun, Jun 01, 2014 at 11:30:15PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
>> tag 750141 moreinfo
>> thanks
>>
>> On Monday 02 June 2014 11:19:05 Hamish Moffatt wrote:
>>> Package: libqt4-xml
>>> Severity: serious
>>> Tags: security
>>> Justification: security
>>>
>>> Qt 4.8.6 has a fix for a denial of service attack due to XML entity
>>> expansion ("billion laughs attack"). This fix doesn't seem to be in the
>>> wheezy packages yet.
>>>
>>> http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
>>>
>>> Ubuntu patched their 4.8.4;
>>>
>>> https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577
>> Hi Hamish! I patched Qt4 for jessie at that time but IIRC (I might be mixing
>> CVEs here) when I asked someone from the security team over IRC (or maybe by
>> mail, I don't remember now) they told me it wasn't too important to get an
>> update in stable.
> Yep, perl mail It was on 2013-12-06, where Moritz had written:
>
> Hi Lisandro,
> this doesn't warrant a DSA. It can be fixed through a point update, though
> or we can line it up for a future QT DSA.
>
> Cheers,
> Moritz
>
> For the BTS, I think this was fixed in 4:4.8.5+git192-g085f851+dfsg-1.
>
Hi. OK, I guess I can understand it not being too important to update
stable; while there are quite a lot of rdepends for libqt4-xml, I don't
see many daemons among them. It depends on whether libqt4-xml is just being
used for config or whether to decode wire protocols, i.e. whether those apps could
be vulnerable to remote denial of service. mumble-server is one daemon I
notice.
Thanks
Hamish
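The entity-expansion denial of service this report is about, and the exposure question raised in the message above (whether libqt4-xml only reads local config or also decodes attacker-supplied wire data), are illustrated by the following added example. It is not Qt's code and does not reproduce the Qt 4.8.6 fix; it is a stand-alone Python pre-check that estimates how large a document would become once the general entities in its internal DTD subset are expanded, without expanding anything, so an application can refuse recursive or oversized entity definitions before handing input to a parser that has no limit of its own. DEFAULT_LIMIT, DEFAULT_RATIO, the function names and the three sample documents are constructed for this example.

```python
"""Bound XML entity expansion before parsing (added example, not Qt code)."""
import re
from dataclasses import dataclass
from typing import Dict, Optional, Set, Tuple

# <!ENTITY name "value"> / <!ENTITY name 'value'>; parameter (%) and
# external (SYSTEM/PUBLIC) entities deliberately do not match.
ENTITY_DECL = re.compile(r"""<!ENTITY\s+(\w+)\s+(?:"([^"]*)"|'([^']*)')\s*>""")
ENTITY_REF = re.compile(r"&(\w+);")  # character refs (&#..;) are not \w and stay literal
DOCTYPE_SUBSET = re.compile(r"<!DOCTYPE\b[^\[>]*\[(.*?)\]\s*>", re.DOTALL)
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to one character

DEFAULT_LIMIT = 1_000_000  # assumed: max expanded bytes for the body or any one entity
DEFAULT_RATIO = 10.0       # assumed: max expanded/literal amplification factor


class EntityExpansionError(ValueError):
    """Recursive entity, or expansion beyond the configured bound."""


@dataclass
class ExpansionReport:
    entity_count: int
    largest_entity: Optional[str]
    largest_entity_size: int
    body_size: int      # content after the DTD, fully expanded
    literal_size: int   # document as received


def split_document(doc: str) -> Tuple[Dict[str, str], str]:
    """Return (general entities declared in the internal subset, remaining body)."""
    m = DOCTYPE_SUBSET.search(doc)
    if not m:
        return {}, doc
    entities: Dict[str, str] = {}
    for decl in ENTITY_DECL.finditer(m.group(1)):
        value = decl.group(2) if decl.group(2) is not None else decl.group(3)
        entities.setdefault(decl.group(1), value)  # XML: the first declaration binds
    return entities, doc[m.end():]


def expanded_size(text: str, entities: Dict[str, str],
                  memo: Dict[str, int], active: Set[str]) -> int:
    """Length of `text` after recursive expansion, computed without building it."""
    size, last = 0, 0
    for ref in ENTITY_REF.finditer(text):
        size += ref.start() - last
        size += entity_size(ref.group(1), entities, memo, active)
        last = ref.end()
    return size + len(text) - last


def entity_size(name: str, entities: Dict[str, str],
                memo: Dict[str, int], active: Set[str]) -> int:
    if name in PREDEFINED:
        return 1
    if name not in entities:
        return len(name) + 2  # undeclared/external: left as written, count the reference
    if name in memo:
        return memo[name]
    if name in active:  # a -> b -> a: forbidden by the XML spec, and unbounded
        raise EntityExpansionError(f"recursive entity reference: &{name};")
    active.add(name)
    memo[name] = expanded_size(entities[name], entities, memo, active)
    active.discard(name)
    return memo[name]


def analyse(doc: str) -> ExpansionReport:
    entities, body = split_document(doc)
    memo: Dict[str, int] = {}
    for name in entities:
        entity_size(name, entities, memo, set())
    largest = max(memo, key=memo.__getitem__) if memo else None
    return ExpansionReport(len(entities), largest, memo[largest] if largest else 0,
                           expanded_size(body, entities, memo, set()), len(doc))


def check(doc: str, limit: int = DEFAULT_LIMIT,
          ratio: float = DEFAULT_RATIO) -> ExpansionReport:
    """Return the report, or raise if the absolute or amplification bound is exceeded."""
    report = analyse(doc)
    if max(report.body_size, report.largest_entity_size) > limit:
        raise EntityExpansionError(f"expansion of {report.body_size} bytes exceeds {limit}")
    if report.body_size > ratio * max(report.literal_size, 1):
        raise EntityExpansionError(f"amplification exceeds {ratio}x")
    return report


def is_within_limit(doc: str, limit: int = DEFAULT_LIMIT,
                    ratio: float = DEFAULT_RATIO) -> bool:
    try:
        check(doc, limit, ratio)
        return True
    except EntityExpansionError:
        return False


# Constructed samples: an ordinary config file, a small nested-entity document
# (4^3 copies of "ha"), and a recursive declaration a conforming parser must reject.
BENIGN = ('<?xml version="1.0"?>\n<!DOCTYPE config [\n<!ENTITY vendor "Example Corp">\n]>\n'
          '<config vendor="&vendor;" note="a &amp; b"/>\n')
NESTED = ('<?xml version="1.0"?>\n<!DOCTYPE r [\n<!ENTITY a "ha">\n'
          '<!ENTITY b "&a;&a;&a;&a;">\n<!ENTITY c "&b;&b;&b;&b;">\n<!ENTITY d "&c;&c;&c;&c;">\n'
          ']>\n<r>&d;</r>\n')
CYCLIC = '<!DOCTYPE r [\n<!ENTITY a "&b;">\n<!ENTITY b "&a;">\n]>\n<r>&a;</r>\n'

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN), ("nested", NESTED), ("cyclic", CYCLIC)):
        try:
            print(label, check(sample, limit=100))
        except EntityExpansionError as exc:
            print(label, "rejected:", exc)
```

The sizes are computed by memoised recursion over the declarations, so the cost is linear in the number of entities and references rather than in the expanded size; that is what lets the check run in front of the parser on untrusted input. The absolute bound catches the large expansions, and the ratio bound catches a small document that amplifies many times over, which is the shape of the attack named in this report.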
Information stored: Bug#750141; Package libqt4-xml. (Mon, 09 Jun 2014 11:45:08 GMT)
Acknowledgement sent to Hamish Moffatt <hamish@cloud.net.au>: Extra info received and filed, but not forwarded. (Mon, 09 Jun 2014 11:45:08 GMT)
Message sent on to Hamish Moffatt <hamish@debian.org>: Bug#750141. (Mon, 09 Jun 2014 11:45:12 GMT)
Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#750141; Package libqt4-xml. (Tue, 10 Jun 2014 16:13:18 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Tue, 10 Jun 2014 16:13:18 GMT)
Message #47 received at 750141@bugs.debian.org:
On Mon, Jun 09, 2014 at 09:01:46PM +1000, Hamish Moffatt wrote:
> On 09/06/14 15:17, Salvatore Bonaccorso wrote:
>> Hi,
>>
>> On Sun, Jun 01, 2014 at 11:30:15PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
>>> tag 750141 moreinfo
>>> thanks
>>>
>>> On Monday 02 June 2014 11:19:05 Hamish Moffatt wrote:
>>>> Package: libqt4-xml
>>>> Severity: serious
>>>> Tags: security
>>>> Justification: security
>>>>
>>>> Qt 4.8.6 has a fix for a denial of service attack due to XML entity
>>>> expansion ("billion laughs attack"). This fix doesn't seem to be in the
>>>> wheezy packages yet.
>>>>
>>>> http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
>>>>
>>>> Ubuntu patched their 4.8.4;
>>>>
>>>> https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577
>>> Hi Hamish! I patched Qt4 for jessie at that time but IIRC (I might be mixing
>>> CVEs here) when I asked someone from the security team over IRC (or maybe by
>>> mail, I don't remember now) they told me it wasn't too important to get an
>>> update in stable.
>> Yep, perl mail It was on 2013-12-06, where Moritz had written:
>>
>> Hi Lisandro,
>> this doesn't warrant a DSA. It can be fixed through a point update, though
>> or we can line it up for a future QT DSA.
>>
>> Cheers,
>> Moritz
>>
>> For the BTS, I think this was fixed in 4:4.8.5+git192-g085f851+dfsg-1.
>>
>
> Hi. OK I guess I can understand it not being too important to update
> stable; while there are quite a lot of rdepends for libqt4-xml I don't
> see many daemons among them. Depends on whether libqt4-xml is just being
> used for config or whether to decode wire protocols, ie those apps could
> be vulnerable to remote denial of service. mumble-server is one daemon I
> notice..
If someone wants to see this fixed, please handle this through a Wheezy point
update:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable
Cheers,
Moritz
Information stored: Bug#750141; Package libqt4-xml. (Tue, 10 Jun 2014 16:13:31 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@inutil.org>: Extra info received and filed, but not forwarded. (Tue, 10 Jun 2014 16:13:31 GMT)
Message sent on to Hamish Moffatt <hamish@debian.org>: Bug#750141. (Tue, 10 Jun 2014 16:13:34 GMT)
Reply sent to Emilio Pozuelo Monfort <pochu@debian.org>: You have taken responsibility. (Tue, 29 Jan 2019 13:48:06 GMT)
Notification sent to Hamish Moffatt <hamish@debian.org>: Bug acknowledged by developer. (Tue, 29 Jan 2019 13:48:06 GMT)
Message #60 received at 750141-done@bugs.debian.org:
Version: 4:4.8.5+git192-g085f851+dfsg-1
On Mon, 9 Jun 2014 07:17:04 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi,
>
> On Sun, Jun 01, 2014 at 11:30:15PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> > tag 750141 moreinfo
> > thanks
> >
> > On Monday 02 June 2014 11:19:05 Hamish Moffatt wrote:
> > > Package: libqt4-xml
> > > Severity: serious
> > > Tags: security
> > > Justification: security
> > >
> > > Qt 4.8.6 has a fix for a denial of service attack due to XML entity
> > > expansion ("billion laughs attack"). This fix doesn't seem to be in the
> > > wheezy packages yet.
> > >
> > > http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
> > >
> > > Ubuntu patched their 4.8.4;
> > >
> > > https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577
> >
> > Hi Hamish! I patched Qt4 for jessie at that time but IIRC (I might be mixing
> > CVEs here) when I asked someone from the security team over IRC (or maybe by
> > mail, I don't remember now) they told me it wasn't too important to get an
> > update in stable.
>
> Yep, perl mail It was on 2013-12-06, where Moritz had written:
>
> Hi Lisandro,
> this doesn't warrant a DSA. It can be fixed through a point update, though
> or we can line it up for a future QT DSA.
>
> Cheers,
> Moritz
>
> For the BTS, I think this was fixed in 4:4.8.5+git192-g085f851+dfsg-1.
Closing as this is fixed in unstable. Also wheezy is EOL so there's no point in
keeping this bug open anymore.
Emilio
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Feb 2019 07:28:13 GMT)
Debian bug tracking system administrator <owner@bugs.debian.org>.
Last modified: Wed Jun 19 18:36:05 2019; Machine Name: buxtehude
Debian Bug tracking system
Debbugs is free software and licensed under the terms of the GNU
Public License version 2. The current version can be obtained
from https://bugs.debian.org/debbugs-source/.
Copyright © 1999 Darren O. Benham,
1997,2003 nCipher Corporation Ltd,
1994-97 Ian Jackson,
2005-2017 Don Armstrong, and many other contributors.