
Re: CVE-2021-38595 incorrectly marked as not affecting Qt 5?



Hi Adrian, Neil,

One additional point:

On Sun, Nov 28, 2021 at 08:56:57PM +0100, Salvatore Bonaccorso wrote:
> Hi,
> 
> On Sun, Nov 28, 2021 at 05:32:07PM +0200, Adrian Bunk wrote:
> > On Tue, Aug 31, 2021 at 09:15:15AM +0000, Raphaël Hertzog (@hertzog) wrote:
> > >...
> > > Commits:
> > > 63957298 by Neil Williams at 2021-08-31T10:11:30+01:00
> > > CVE-2021-38593/qt vulnerable code introduced later
> > >...
> > > Changes:
> > > 
> > > =====================================
> > > data/CVE/list
> > > =====================================
> > > @@ -3785,8 +3785,8 @@ CVE-2021-38595
> > >  CVE-2021-38594
> > >  	RESERVED
> > >  CVE-2021-38593 (Qt 5.0.0 through 6.1.2 has an out-of-bounds write in QOutlineMapper::c ...)
> > > -	- qtbase-opensource-src <unfixed>
> > > -	- qtbase-opensource-src-gles <unfixed>
> > > +	- qtbase-opensource-src <not-affected> (Vulnerable code introduced later)
> > > +	- qtbase-opensource-src-gles <not-affected> (Vulnerable code introduced later)
> > >  	NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566
> > >  	NOTE: https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-903.yaml
> > >  	NOTE: https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862 (6.1)
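Review bot: the two `<not-affected>` lines contradict the affected range carried in the CVE description on the same hunk ("Qt 5.0.0 through 6.1.2"), and the reason given, "Vulnerable code introduced later", names no commit, so the claim cannot be checked from the entry itself. Add a NOTE: line next to the existing NOTE for the 6.1 fix that points at the upstream commit which introduced the vulnerable code (the reply further down this thread cites https://github.com/qt/qtbase/commit/6869d2463a2e0d71bd04dbc82f5d6ef4933dc510 as that commit), and say in the note why the upstream "5.0.0 through 6.1.2" range is considered wrong for the 5.15 packages, e.g. `NOTE: Introduced by https://github.com/qt/qtbase/commit/6869d2463a2e0d71bd04dbc82f5d6ef4933dc510 (6.1 only)`.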
> > >...
> > 
> > Hi Neil,
> > 
> > can you double-check that?
> > 
> > Upload [1] makes me wonder whether the not-affected is correct,
> > and "Qt 5.0.0 through 6.1.2" also implies all versions of
> > qtbase-opensource-src{,-gles} would be affected.
> 
> I currently think the tracking from Neil was correct. The issue was
> introduced by the commit
> https://github.com/qt/qtbase/commit/6869d2463a2e0d71bd04dbc82f5d6ef4933dc510 .
> 
> Now the maintainer has today uploaded
> https://tracker.debian.org/news/1281817/accepted-qtbase-opensource-src-5152dfsg-14-source-into-unstable/
> claiming it fixes CVE-2021-38593. But looking at the changes it looks
> like the debian/patches/CVE-2021-38593.diff patch used both
> https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f4d791b330d02777
> introducing the needed "breaking" change, and then the fix as well.
> 
> See as well https://bugzilla.suse.com/show_bug.cgi?id=1189652#c2
> arguing in the same direction.
> 
> We should recheck, but currently tend to that the tracking is already
> correct.

https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1950193
contains some further information from Ubuntu's side. Does the test
there trigger the exact out-of-bounds write issue from the CVE?

This is an additional check to be made for double-checking whether our
tracking is correct or we need to update.

Regards,
Salvatore
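A way to verify a "vulnerable code introduced later" claim of the kind discussed in this thread, as an added example that is not part of the original mail, the Debian tracker or the Qt project's code: it asks git whether the introducing commit and the fixing commit are reachable from a release tag, which is what decides between <not-affected>, <unfixed> and fixed for a package built from that tag. It assumes git on PATH; the repository, tags and commit messages it builds are constructed for the demo, and the helper names `commit_in_release`, `triage` and `make_demo_repo` are hypothetical.

```shell
#!/bin/sh
# Added example (not from the Debian tracker thread or the Qt project):
# verify a "vulnerable code introduced later" triage with git ancestry.
# A package built from a release tag is not affected if the introducing
# commit is not reachable from that tag, and fixed only if the fixing
# commit is reachable as well. The real check would be run in a clone of
# https://code.qt.io/cgit/qt/qtbase.git, e.g.
#   triage ./qtbase v5.15.2 <introducing-commit> <fixing-commit>
# Here a throw-away repository is constructed so the script runs offline.
set -eu

# Exit 0 if commit $2 is reachable from (an ancestor of, or equal to) $3
# in the repository at $1, non-zero otherwise.
commit_in_release() {
    git -C "$1" merge-base --is-ancestor "$2" "$3"
}

# Print the tracker status of one release tag for one CVE.
# Usage: triage <repo> <release-tag> <introducing-commit> <fixing-commit>
# Every ref is verified first: a mistyped commit id must not come back as
# "not-affected" just because git could not resolve it.
triage() {
    repo=$1 rel=$2 intro=$3 fix=$4
    for ref in "$rel" "$intro" "$fix"; do
        git -C "$repo" rev-parse -q --verify "$ref^{commit}" >/dev/null ||
            { echo "unknown ref: $ref" >&2; return 2; }
    done
    if ! commit_in_release "$repo" "$intro" "$rel"; then
        echo not-affected     # vulnerable code landed after this release
    elif commit_in_release "$repo" "$fix" "$rel"; then
        echo fixed            # both the bug and its fix are in the release
    else
        echo affected         # the bug is in the release, the fix is not
    fi
}

# Constructed history (not Qt's): base -> tag v5.15.2 -> introducing commit
# -> fixing commit -> tag v6.1.3. Sets DEMO_REPO, DEMO_INTRO and DEMO_FIX.
make_demo_repo() {
    DEMO_REPO=$(mktemp -d)
    export GIT_AUTHOR_NAME=demo GIT_AUTHOR_EMAIL=demo@example.invalid
    export GIT_COMMITTER_NAME=demo GIT_COMMITTER_EMAIL=demo@example.invalid
    git -c init.defaultBranch=main init -q "$DEMO_REPO"
    git -C "$DEMO_REPO" commit -q --allow-empty -m "base"
    git -C "$DEMO_REPO" tag v5.15.2
    git -C "$DEMO_REPO" commit -q --allow-empty -m "introduce out-of-bounds write"
    DEMO_INTRO=$(git -C "$DEMO_REPO" rev-parse HEAD)
    git -C "$DEMO_REPO" commit -q --allow-empty -m "fix out-of-bounds write"
    DEMO_FIX=$(git -C "$DEMO_REPO" rev-parse HEAD)
    git -C "$DEMO_REPO" tag v6.1.3
}

# Run "sh triage.sh demo" to see the two tags classified.
if [ "${1:-}" = demo ]; then
    make_demo_repo
    for tag in v5.15.2 v6.1.3; do
        printf '%s: %s\n' "$tag" "$(triage "$DEMO_REPO" "$tag" "$DEMO_INTRO" "$DEMO_FIX")"
    done
    rm -rf "$DEMO_REPO"
fi
```

Against a real qtbase clone you would pass the 5.15.2 tag together with the commit ids named in this thread in place of the constructed ones. If the introducing commit is not reachable from the tag, backporting it together with the fix, which is the concern raised above about debian/patches/CVE-2021-38593.diff, only adds the vulnerable code and removes it again.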

