
Bug#970308: marked as done (qt4-x11: CVE-2020-17507)



Your message dated Sat, 19 Sep 2020 10:17:10 +0000
with message-id <E1kJZva-000Dy7-RA@fasolo.debian.org>
and subject line Bug#970308: fixed in qt4-x11 4:4.8.7+dfsg-18+deb10u1
has caused the Debian Bug report #970308,
regarding qt4-x11: CVE-2020-17507
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
970308: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970308
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: qtbase-opensource-src
Version: 5.14.2+dfsg-5
Severity: important
Tags: security upstream
X-Debbugs-Cc: carnil@debian.org, Debian Security Team <team@security.debian.org>
Control: found -1 5.14.2+dfsg-4
Control: found -1 5.11.3+dfsg1-1+deb10u3 
Control: found -1 5.11.3+dfsg1-1

Hi,

The following vulnerability was published for qtbase-opensource-src.

CVE-2020-17507[0]:
| An issue was discovered in Qt through 5.12.9, and 5.13.x through
| 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a
| buffer over-read.


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-17507
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-17507
[1] https://codereview.qt-project.org/c/qt/qtbase/+/308436
[2] https://codereview.qt-project.org/c/qt/qtbase/+/308495
[3] https://codereview.qt-project.org/c/qt/qtbase/+/308496

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore

--- End Message ---
--- Begin Message ---
Source: qt4-x11
Source-Version: 4:4.8.7+dfsg-18+deb10u1
Done: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>

We believe that the bug you reported is fixed in the latest version of
qt4-x11, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 970308@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> (supplier of updated qt4-x11 package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

Format: 1.8
Date: Mon, 14 Sep 2020 10:56:35 -0300
Source: qt4-x11
Architecture: source
Version: 4:4.8.7+dfsg-18+deb10u1
Distribution: buster
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org>
Closes: 970308
Changes:
 qt4-x11 (4:4.8.7+dfsg-18+deb10u1) buster; urgency=medium
 .
   * Backport upstream patch to fix buffer overflow in XBM parser, CVE-2020-17507
     (Closes: #970308).


--- End Message ---
