qt6-base: CVE-2023-24607


Debian Bug report logs - #1031871


Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Fri, 24 Feb 2023 16:03:06 UTC

Severity: important

Tags: security, upstream

Fixed in version qt6-base/6.4.2+dfsg-6

Done: Patrick Franz <deltaone@debian.org>



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#1031871; Package src:qt6-base. (Fri, 24 Feb 2023 16:03:08 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Fri, 24 Feb 2023 16:03:09 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: qt6-base: CVE-2023-24607
Date: Fri, 24 Feb 2023 17:02:03 +0100
Source: qt6-base
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2023-24607[0]:
When using the Qt SQL ODBC driver plugin, it is possible to trigger a DoS with a specifically crafted string.

https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d (6.4)


For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-24607
    https://www.cve.org/CVERecord?id=CVE-2023-24607

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 24 Feb 2023 16:48:07 GMT)


Reply sent to Patrick Franz <deltaone@debian.org>:
You have taken responsibility. (Fri, 24 Feb 2023 22:09:03 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Fri, 24 Feb 2023 22:09:03 GMT)


Message #12 received at 1031871-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1031871-close@bugs.debian.org
Subject: Bug#1031871: fixed in qt6-base 6.4.2+dfsg-6
Date: Fri, 24 Feb 2023 22:07:34 +0000
Source: qt6-base
Source-Version: 6.4.2+dfsg-6
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
qt6-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1031871@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated qt6-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Fri, 24 Feb 2023 22:31:24 +0100
Source: qt6-base
Architecture: source
Version: 6.4.2+dfsg-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1031871
Changes:
 qt6-base (6.4.2+dfsg-6) unstable; urgency=medium
 .
   [ Patrick Franz ]
   * Add patch to fix CVE-2023-24607 (Closes: #1031871).



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Sat Feb 25 13:07:35 2023; Machine Name: buxtehude

Debian Bug tracking system

Debbugs is free software and licensed under the terms of the GNU Public License version 2. The current version can be obtained from https://bugs.debian.org/debbugs-source/.

Copyright © 1999 Darren O. Benham, 1997,2003 nCipher Corporation Ltd, 1994-97 Ian Jackson, 2005-2017 Don Armstrong, and many other contributors.