Bug#1068454: marked as done (qt6-base: CVE-2024-30161)

["Debian Bug Tracking System" <owner@bugs.debian.org>]

Your message dated Mon, 08 Apr 2024 09:12:48 -0300
with message-id <4656997.FDCN7LgBLZ@gryffindor>
and subject line Re: qt6-base: CVE-2024-30161
has caused the Debian Bug report #1068454,
regarding qt6-base: CVE-2024-30161
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1068454: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1068454
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems

--- Begin Message ---

• To: submit@bugs.debian.org
• Subject: qt6-base: CVE-2024-30161
• From: Moritz Mühlenhoff <jmm@inutil.org>
• Date: Fri, 5 Apr 2024 16:47:22 +0200
• Message-id: <[🔎] ZhAO+oZvjyft2opr@pisco.westfalen.local>

Source: qt6-base
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2024-30161[0]:
| In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may
| access QNetworkReply header data via a dangling pointer.

https://codereview.qt-project.org/c/qt/qtbase/+/544314
https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=a5b00cefef12999e9a213943855abe6bc0ab5365


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2024-30161
    https://www.cve.org/CVERecord?id=CVE-2024-30161

Please adjust the affected versions in the BTS as needed.

--- End Message ---

--- Begin Message ---

• To: Moritz Mühlenhoff <jmm@inutil.org>, 1068454-done@bugs.debian.org
• Subject: Re: qt6-base: CVE-2024-30161
• From: "Lisandro Pérez Meyer" <lpmeyer@ics.com>
• Date: Mon, 08 Apr 2024 09:12:48 -0300
• Message-id: <4656997.FDCN7LgBLZ@gryffindor>
• In-reply-to: <[🔎] ZhAO+oZvjyft2opr@pisco.westfalen.local>
• References: <[🔎] ZhAO+oZvjyft2opr@pisco.westfalen.local>

Hi Moritz!

El viernes, 5 de abril de 2024 11:47:22 -03 Moritz Mühlenhoff escribió:
> Source: qt6-base
> X-Debbugs-CC: team@security.debian.org
> Severity: important
> Tags: security
> 
> Hi,
> 
> The following vulnerability was published for qt6-base.
> 
> CVE-2024-30161[0]:
> | In Qt before 6.5.6 and 6.6.x before 6.6.3, the wasm component may
> | access QNetworkReply header data via a dangling pointer.
> 
> https://codereview.qt-project.org/c/qt/qtbase/+/544314
> https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=a5b00cefef12999e9a213943855abe6bc0ab5365

To the best of my knowledge we do not use the wasm (web assembly) at all, so as discussed on IRC, I am closing this bug.

Thanks for your work!!!! 

-- 
Lisandro Pérez Meyer
Embedded Platform Engineer

--- End Message ---