Debian Bug report logs - #923003
CVE-2018-19873 CVE-2018-19871 CVE-2018-19870
Reported by: Moritz Muehlenhoff <jmm@debian.org>
Date: Fri, 22 Feb 2019 22:15:01 UTC
Severity: grave
Tags: security, upstream
Found in version qt4-x11/4:4.8.7+dfsg-17
Fixed in version qt4-x11/4:4.8.7+dfsg-18
Done: Dmitry Shachnev <mitya57@debian.org>
Bug is archived. No further changes may be made.
Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>: Bug#923003; Package src:qt4-x11. (Fri, 22 Feb 2019 22:15:03 GMT)
Acknowledgement sent to Moritz Muehlenhoff <jmm@debian.org>: New Bug report received and forwarded. Copy sent to team@security.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Fri, 22 Feb 2019 22:15:03 GMT)

Message #5 received at submit@bugs.debian.org:
Source: qt4-x11
Severity: grave
Tags: security
Three security issues fixed in QT5 also affect qt4-x11:
https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
CVE-2018-19873:
https://github.com/qt/qtbase/commit/621ab8ab59901cc3f9bd98be709929c9eac997a8
CVE-2018-19871:
https://github.com/qt/qtimageformats/commit/7cfe47a8fe2f987fb2a066a696fb3d9d0afe4d65
(qt4-x11 affected in src/plugins/imageformats/tga/qtgafile.cpp)
CVE-2018-19870:
https://github.com/qt/qtbase/commit/2841e2b61e32f26900bde987d469c8b97ea31999
(qt4-x11 affected in src/gui/image/qgifhandler.cpp)
Cheers,
Moritz
Marked as found in versions qt4-x11/4:4.8.7+dfsg-17. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 22:27:05 GMT)
Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Fri, 22 Feb 2019 22:27:06 GMT)
Message sent on to Moritz Muehlenhoff <jmm@debian.org>: Bug#923003. (Thu, 11 Apr 2019 20:30:03 GMT)

Message #12 received at 923003-submitter@bugs.debian.org:
Control: tag -1 pending
Hello,
Bug #923003 in qt4-x11 reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:
https://salsa.debian.org/qt-kde-team/qt/qt4-x11/commit/7c6e5c7aeee9db8773bf9757e8c8b992eb3e7b6a
------------------------------------------------------------------------
Backport some vulnerability fixes from Qt 5.
Thanks to Alexander Volkov!
Closes: #923003.
------------------------------------------------------------------------
(this message was generated automatically)
--
Greetings
https://bugs.debian.org/923003
Added tag(s) pending. Request was from Dmitry Shachnev <noreply@salsa.debian.org> to 923003-submitter@bugs.debian.org. (Thu, 11 Apr 2019 20:30:03 GMT)
Reply sent to Dmitry Shachnev <mitya57@debian.org>: You have taken responsibility. (Fri, 12 Apr 2019 20:45:07 GMT)
Notification sent to Moritz Muehlenhoff <jmm@debian.org>: Bug acknowledged by developer. (Fri, 12 Apr 2019 20:45:07 GMT)

Message #19 received at 923003-close@bugs.debian.org:
Source: qt4-x11
Source-Version: 4:4.8.7+dfsg-18
We believe that the bug you reported is fixed in the latest version of
qt4-x11, which is due to be installed in the Debian FTP archive.
A summary of the changes between this version and the previous one is
attached.
Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 923003@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.
Debian distribution maintenance software
pp.
Dmitry Shachnev <mitya57@debian.org> (supplier of updated qt4-x11 package)
(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)
Format: 1.8
Date: Fri, 12 Apr 2019 23:10:28 +0300
Source: qt4-x11
Architecture: source
Version: 4:4.8.7+dfsg-18
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Dmitry Shachnev <mitya57@debian.org>
Closes: 923003
Changes:
qt4-x11 (4:4.8.7+dfsg-18) unstable; urgency=medium
.
* Team upload.
.
[ Edward Betts ]
* debian/NEWS: Replace UNRELEASED with unstable.
.
[ Alexander Volkov ]
* Backport some vulnerability fixes from Qt 5 (closes: #923003).
- CVE-2018-15518: double free or corruption in QXmlStreamReader.
- CVE-2018-19869: Qt Svg crash when parsing malformed url reference.
- CVE-2018-19870: NULL pointer dereference in QGifHandler.
- CVE-2018-19871: QTgaFile CPU exhaustion.
- CVE-2018-19872: crash when parsing a malformed PPM image.
- CVE-2018-19873: QBmpHandler segfault on malformed BMP file.
Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Sat, 11 May 2019 07:25:05 GMT)

Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Jun 19 17:46:20 2019; Machine Name: buxtehude