-------------------------------------------------------------------------
Debian LTS Advisory DLA-3539-1                debian-lts@lists.debian.org
https://www.debian.org/lts/security/                   Roberto C. Sánchez
August 22, 2023                               https://wiki.debian.org/LTS
-------------------------------------------------------------------------

Package        : qt4-x11
Version        : 4:4.8.7+dfsg-18+deb10u2
CVE ID         : CVE-2021-3481 CVE-2021-45930 CVE-2023-32573 CVE-2023-32763
                 CVE-2023-34410 CVE-2023-37369 CVE-2023-38197

Several vulnerabilities have been found in qt4-x11, a graphical windowing
toolkit.

CVE-2021-3481

    While rendering and displaying a crafted Scalable Vector Graphics
    (SVG) file this flaw may lead to an unauthorized memory access. The
    highest threat from this vulnerability is to data confidentiality
    and the application availability.

CVE-2021-45930

    An out-of-bounds write in
    QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend
    (called from QPainterPath::addPath and QPathClipper::intersect).

CVE-2023-32573

    Uninitialized variable usage in m_unitsPerEm.

CVE-2023-32763

    An application crash in QXmlStreamReader via a crafted XML string
    that triggers a situation in which a prefix is greater than a
    length.

CVE-2023-34410

    Certificate validation for TLS does not always consider whether the
    root of a chain is a configured CA certificate.

CVE-2023-37369

    There can be an application crash in QXmlStreamReader via a crafted
    XML string that triggers a situation in which a prefix is greater
    than a length.

CVE-2023-38197

    There are infinite loops in recursive entity expansion.

For Debian 10 buster, these problems have been fixed in version
4:4.8.7+dfsg-18+deb10u2.

We recommend that you upgrade your qt4-x11 packages.

For the detailed security status of qt4-x11 please refer to
its security tracker page at:
https://security-tracker.debian.org/tracker/qt4-x11

Further information about Debian LTS security advisories, how to apply
these updates to your system and frequently asked questions can be
found at: https://wiki.debian.org/LTS