CVE-2021-38595 incorrectly marked as not affecting Qt 5?
On Tue, Aug 31, 2021 at 09:15:15AM +0000, Raphaël Hertzog (@hertzog) wrote:
>...
> Commits:
> 63957298 by Neil Williams at 2021-08-31T10:11:30+01:00
> CVE-2021-38593/qt vulnerable code introduced later
>...
> Changes:
>
> =====================================
> data/CVE/list
> =====================================
> @@ -3785,8 +3785,8 @@ CVE-2021-38595
> CVE-2021-38594
> RESERVED
> CVE-2021-38593 (Qt 5.0.0 through 6.1.2 has an out-of-bounds write in QOutlineMapper::c ...)
> - - qtbase-opensource-src <unfixed>
> - - qtbase-opensource-src-gles <unfixed>
> + - qtbase-opensource-src <not-affected> (Vulnerable code introduced later)
> + - qtbase-opensource-src-gles <not-affected> (Vulnerable code introduced later)
> NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566
> NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-903.yaml
> NOTE: https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862 (6.1)
>...
Hi Neil,
can you double-check that?
Upload [1] makes me wonder whether the not-affected is correct,
and "Qt 5.0.0 through 6.1.2" also implies all versions of
qtbase-opensource-src{,-gles} would be affected.
Thanks
Adrian
[1] https://tracker.debian.org/news/1281817/accepted-qtbase-opensource-src-5152dfsg-14-source-into-unstable/
Reply to: