Re: CVE-2021-38595 incorrectly marked as not affecting Qt 5?

To: Adrian Bunk <bunk@debian.org>
Cc: Neil Williams <codehelp@debian.org>, debian-lts@lists.debian.org, team@security.debian.org
Subject: Re: CVE-2021-38595 incorrectly marked as not affecting Qt 5?
From: Salvatore Bonaccorso <carnil@debian.org>
Date: Sun, 28 Nov 2021 20:56:55 +0100
Message-id: <YaPfB1HYYi9/fJu6@eldamar.lan>
Mail-followup-to: Adrian Bunk <bunk@debian.org>, Neil Williams <codehelp@debian.org>, debian-lts@lists.debian.org, team@security.debian.org
In-reply-to: <[🔎] 20211128153207.GB10281@localhost>
References: <612df323b31c0_3f1ef2e62c16015cb@godard.mail> <[🔎] 20211128153207.GB10281@localhost>

Hi,

On Sun, Nov 28, 2021 at 05:32:07PM +0200, Adrian Bunk wrote:
> On Tue, Aug 31, 2021 at 09:15:15AM +0000, Raphaël Hertzog (@hertzog) wrote:
> >...
> > Commits:
> > 63957298 by Neil Williams at 2021-08-31T10:11:30+01:00
> > CVE-2021-38593/qt vulnerable code introduced later
> >...
> > Changes:
> > 
> > =====================================
> > data/CVE/list
> > =====================================
> > @@ -3785,8 +3785,8 @@ CVE-2021-38595
> >  CVE-2021-38594
> >  	RESERVED
> >  CVE-2021-38593 (Qt 5.0.0 through 6.1.2 has an out-of-bounds write in QOutlineMapper::c ...)
> > -	- qtbase-opensource-src <unfixed>
> > -	- qtbase-opensource-src-gles <unfixed>
> > +	- qtbase-opensource-src <not-affected> (Vulnerable code introduced later)
> > +	- qtbase-opensource-src-gles <not-affected> (Vulnerable code introduced later)
> >  	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566
> >  	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-903.yaml
> >  	NOTE: https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862 (6.1)
> >...
> 
> Hi Neil,
> 
> can you double-check that?
> 
> Upload [1] makes me wonder whether the not-affected is correct,
> and "Qt 5.0.0 through 6.1.2" also implies all versions of
> qtbase-opensource-src{,-gles} would be affected.

I currently think the tracking from Neil was correct. The Issue was
introduced  by the commit
2https://github.com/qt/qtbase/commit/6869d2463a2e0d71bd04dbc82f5d6ef4933dc510
. 

Now the maintainer has today uploaded
https://tracker.debian.org/news/1281817/accepted-qtbase-opensource-src-5152dfsg-14-source-into-unstable/
claiming it fixes CVE-2021-38593. But looking at the changes it looks
that the debian/patches/CVE-2021-38593.diff patch both used
https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f4d791b330d02777
introducing the needed "breaking" change, and then as well the fix.

See as well https://bugzilla.suse.com/show_bug.cgi?id=1189652#c2
arguing in the same direction.

We should recheck, but currently tend to that the tracking is already
correct.

Regards,
Salvatore

Reply to:

Follow-Ups:
- Re: CVE-2021-38595 incorrectly marked as not affecting Qt 5?
  - From: Salvatore Bonaccorso <carnil@debian.org>

References:
- CVE-2021-38595 incorrectly marked as not affecting Qt 5?
  - From: Adrian Bunk <bunk@debian.org>

Prev by Date: CVE-2021-38595 incorrectly marked as not affecting Qt 5?
Next by Date: Re: CVE-2021-38595 incorrectly marked as not affecting Qt 5?
Previous by thread: CVE-2021-38595 incorrectly marked as not affecting Qt 5?
Next by thread: Re: CVE-2021-38595 incorrectly marked as not affecting Qt 5?
Index(es):
- Date
- Thread