
Bug#750141: libqt4-xml: vulnerable to billion laughs attack



On Mon, Jun 09, 2014 at 09:01:46PM +1000, Hamish Moffatt wrote:
> On 09/06/14 15:17, Salvatore Bonaccorso wrote:
>> Hi,
>>
>> On Sun, Jun 01, 2014 at 11:30:15PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
>>> tag 750141 moreinfo
>>> thanks
>>>
>>> On Monday 02 June 2014 11:19:05 Hamish Moffatt wrote:
>>>> Package: libqt4-xml
>>>> Severity: serious
>>>> Tags: security
>>>> Justification: security
>>>>
>>>> Qt 4.8.6 has a fix for a denial of service attack due to XML entity
>>>> expansion ("billion laughs attack"). This fix doesn't seem to be in the
>>>> wheezy packages yet.
>>>>
>>>> http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
>>>>
>>>> Ubuntu patched their 4.8.4;
>>>>
>>>> https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577
>>> Hi Hamish! I patched Qt4 for jessie at that time but IIRC (I might be mixing
>>> CVEs here) when I asked someone from the security team over IRC (or maybe by
>>> mail, I don't remember now) they told me it wasn't too important to get an
>>> update in stable.
>> Yep, per mail. It was on 2013-12-06, where Moritz had written:
>>
>> Hi Lisandro,
>> this doesn't warrant a DSA. It can be fixed through a point update, though
>> or we can line it up for a future QT DSA.
>>
>> Cheers,
>>          Moritz
>>
>> For the BTS, I think this was fixed in 4:4.8.5+git192-g085f851+dfsg-1.
>>
>
> Hi. OK, I guess I can understand it not being too important to update
> stable; while there are quite a lot of rdepends for libqt4-xml I don't
> see many daemons among them. Depends on whether libqt4-xml is just being
> used for config or whether to decode wire protocols, i.e. those apps could
> be vulnerable to remote denial of service. mumble-server is one daemon I
> notice.

If someone wants to see this fixed, please handle this through a Wheezy point 
update:
https://www.debian.org/doc/manuals/developers-reference/pkgs.html#upload-stable

Cheers,
        Moritz
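The bug class the report names, denial of service through XML entity expansion, comes down to one check: how large would the declared entities become if expanded. The following is an added example for readers of this thread; it is not the Qt 4.8.6 patch, not Debian's backport, and not code from anyone in the discussion. It computes the expanded size of every general entity declared in a document's internal DTD subset by memoised recursion, so the cost is linear in the number of declarations rather than in the expanded size, and it rejects a document before any parser materialises the expansion. The sample documents, the `limit` parameter and the function names are all constructed for the example; only internal general entities with quoted literal values are handled.

```python
import re

# Internal general entity declarations with a literal value, e.g. <!ENTITY a "...">.
# Parameter entities (%name;) and SYSTEM/PUBLIC external entities are out of scope here.
ENTITY_DECL = re.compile(r'<!ENTITY\s+(\w+)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&(\w+);')
DOCTYPE = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
# Predefined XML entities each expand to a single character.
BUILTIN = {"lt": 1, "gt": 1, "amp": 1, "quot": 1, "apos": 1}


class EntityExpansionError(ValueError):
    """Raised when expansion would exceed the limit, loop, or use an undeclared name."""


def entity_sizes(internal_subset, limit):
    """Return {entity name: expanded length} for every declared entity.

    Sizes are computed from the declarations alone and memoised, so a chain of
    ten declarations that would expand to 10**10 characters is rejected after
    a handful of additions, without building any of the text.
    """
    decls = dict(ENTITY_DECL.findall(internal_subset))
    sizes = dict(BUILTIN)

    def size_of(name, stack=()):
        if name in sizes:
            return sizes[name]
        if name in stack:
            raise EntityExpansionError(f"circular reference through entity '{name}'")
        if name not in decls:
            raise EntityExpansionError(f"undeclared entity '{name}'")
        value = decls[name]
        total = len(ENTITY_REF.sub("", value))          # literal characters
        for ref in ENTITY_REF.findall(value):           # plus each nested entity
            total += size_of(ref, stack + (name,))
            if total > limit:
                raise EntityExpansionError(
                    f"entity '{name}' expands to more than {limit} characters")
        sizes[name] = total
        return total

    for name in decls:
        size_of(name)
    return sizes


def expanded_length(xml, limit=100_000):
    """Length of the document body after entity expansion, or raise if over limit."""
    m = DOCTYPE.search(xml)
    subset = m.group(1) if m else ""
    body = xml[m.end():] if m else xml
    sizes = entity_sizes(subset, limit)
    total = len(ENTITY_REF.sub("", body))
    for ref in ENTITY_REF.findall(body):
        if ref not in sizes:
            raise EntityExpansionError(f"undeclared entity '{ref}' in body")
        total += sizes[ref]
        if total > limit:
            raise EntityExpansionError(f"document expands to more than {limit} characters")
    return total


def is_safe(xml, limit=100_000):
    """True if the document can be expanded within `limit`, False otherwise."""
    try:
        expanded_length(xml, limit)
        return True
    except EntityExpansionError:
        return False


# Constructed sample documents (not from the bug report).
BENIGN = '''<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY company "Example Corp">
]>
<doc><name>&company;</name><owner>&company;</owner></doc>'''

# Three declarations, each referencing the previous one ten times: 10 -> 100 -> 1000 chars.
NESTED = '''<?xml version="1.0"?>
<!DOCTYPE doc [
  <!ENTITY a "xxxxxxxxxx">
  <!ENTITY b "&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;">
  <!ENTITY c "&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;">
]>
<doc>&c;</doc>'''

CIRCULAR = '''<!DOCTYPE doc [
  <!ENTITY x "&y;">
  <!ENTITY y "&x;">
]>
<doc>&x;</doc>'''

if __name__ == "__main__":
    print("benign expands to", expanded_length(BENIGN), "characters")
    print("nested expands to", expanded_length(NESTED), "characters")
    print("nested accepted with limit 500:", is_safe(NESTED, limit=500))
    print("circular accepted:", is_safe(CIRCULAR))
```

Run the check on untrusted input before handing it to the real parser, or set the limit to what the application can actually afford to hold in memory; the benign document expands to 64 characters and the nested one to 1012, so a limit of 500 separates them while a circular declaration is refused regardless of limit.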

