
Re: CVE-2021-38595 incorrectly marked as not affecting Qt 5?



On Sun, 28 Nov 2021 21:02:16 +0100
Salvatore Bonaccorso <carnil@debian.org> wrote:

> Hi Adrian, Neil,
> 
> One additional point:
> 
> On Sun, Nov 28, 2021 at 08:56:57PM +0100, Salvatore Bonaccorso wrote:
> > Hi,
> > 
> > On Sun, Nov 28, 2021 at 05:32:07PM +0200, Adrian Bunk wrote:  
> > > On Tue, Aug 31, 2021 at 09:15:15AM +0000, Raphaël Hertzog
> > > (@hertzog) wrote:  
> > > >...
> > > > Commits:
> > > > 63957298 by Neil Williams at 2021-08-31T10:11:30+01:00
> > > > CVE-2021-38593/qt vulnerable code introduced later
> > > >...
> > > > Changes:
> > > > 
> > > > =====================================
> > > > data/CVE/list
> > > > =====================================
> > > > @@ -3785,8 +3785,8 @@ CVE-2021-38595
> > > >  CVE-2021-38594
> > > >  	RESERVED
> > > >  CVE-2021-38593 (Qt 5.0.0 through 6.1.2 has an out-of-bounds
> > > > write in QOutlineMapper::c ...)
> > > > -	- qtbase-opensource-src <unfixed>
> > > > -	- qtbase-opensource-src-gles <unfixed>
> > > > +	- qtbase-opensource-src <not-affected> (Vulnerable
> > > > code introduced later)
> > > > +	- qtbase-opensource-src-gles <not-affected>
> > > > (Vulnerable code introduced later) NOTE:
> > > > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566
> > > > NOTE:
> > > > https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-903.yaml
> > > > NOTE:
> > > > https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862
> > > > (6.1)
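Review bot: the justification "(Vulnerable code introduced later)" on the two "+" lines names no introducing commit, while the description kept above them still reads "Qt 5.0.0 through 6.1.2"; add a NOTE citing the commit that introduced the bug (the discussion below names https://github.com/qt/qtbase/commit/6869d2463a2e0d71bd04dbc82f5d6ef4933dc510) so the not-affected claim can be checked against the 5.15 branch, since the only commit NOTE in the entry is the 6.1 fix 1ca02cf2879a5e1511a2f2109f0925cf4c892862.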
> > > >...  
> > > 
> > > Hi Neil,
> > > 
> > > can you double-check that?
> > > 
> > > Upload [1] makes me wonder whether the not-affected is correct,
> > > and "Qt 5.0.0 through 6.1.2" also implies all versions of
> > > qtbase-opensource-src{,-gles} would be affected.  
> > 
> > I currently think the tracking from Neil was correct. The issue was
> > introduced by the commit
> > https://github.com/qt/qtbase/commit/6869d2463a2e0d71bd04dbc82f5d6ef4933dc510.
> > 
> > Now the maintainer has today uploaded
> > https://tracker.debian.org/news/1281817/accepted-qtbase-opensource-src-5152dfsg-14-source-into-unstable/
> > claiming it fixes CVE-2021-38593. But looking at the changes, it
> > looks like the debian/patches/CVE-2021-38593.diff patch used both
> > https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f4d791b330d02777
> > (introducing the needed "breaking" change) and then the fix as well.
> > 
> > See as well https://bugzilla.suse.com/show_bug.cgi?id=1189652#c2
> > arguing in the same direction.
> > 
> > We should recheck, but I currently tend to think that the tracking is
> > already correct.  
> 
> https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1950193
> contains some further information from Ubuntu's side. Does the test
> there trigger the exact out-of-bounds write issue from the CVE?

After testing with 5.15.2+dfsg-14 (unstable) and 5.15.2+dfsg-13
(bookworm):

The specific test program from the Launchpad bug **does** exhibit the
behaviour, in bookworm, that the Launchpad bug describes as "you might
be affected".

The same test on unstable passes without incident. It's not clear why
at this point.

I'll check on bullseye later.

> This is an additional check to be made to double-check whether our
> tracking is correct or we need to update it.

It needs more investigation. I'll pick that up.

-- 
Neil Williams
=============
https://linux.codehelp.co.uk/

Attachment: pgpqL6k3ZYfoc.pgp
Description: OpenPGP digital signature
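
The two questions this thread turns on, whether an upstream commit is
already in a release's git history and whether a debian/patches file
carries a given upstream commit, can be mechanised. The following is an
added example written for this page; it is not code from the thread, from
the Debian security tracker or from Qt. It assumes (nothing on the page
says so) that you have a clone of qtbase (for instance from
https://code.qt.io/qt/qtbase.git) with the upstream tag v5.15.2, and an
unpacked Debian source tree whose debian/patches files carry DEP-3
"Origin:" headers naming the upstream commit URL. The commit ids in the
comments are the ones quoted in the thread; the demo repository and patch
directory the script builds are constructed sample data.

```shell
#!/bin/sh
# Added example (not from the thread, Debian's tracker or Qt): check
# whether an upstream commit is reachable from a release ref, and
# whether any debian/patches file cites an upstream commit id.
# Assumed, not stated on the page: a qtbase clone with tag v5.15.2 and a
# Debian source tree with DEP-3 "Origin:" headers in debian/patches.

# commit_in_ref REPO COMMIT REF
# Prints "yes" (exit 0) if COMMIT is an ancestor of REF, "no" (exit 1)
# if it exists but is not reachable from REF, and "unknown" (exit 2) if
# either object cannot be resolved in REPO.
commit_in_ref() {
    repo=$1; commit=$2; ref=$3
    if ! git -C "$repo" rev-parse --verify --quiet "$commit^{commit}" >/dev/null 2>&1 ||
       ! git -C "$repo" rev-parse --verify --quiet "$ref^{commit}" >/dev/null 2>&1; then
        echo unknown
        return 2
    fi
    if git -C "$repo" merge-base --is-ancestor "$commit" "$ref"; then
        echo yes
        return 0
    fi
    echo no
    return 1
}

# patches_citing COMMIT PATCHDIR
# Lists files under PATCHDIR that mention COMMIT (full or abbreviated
# id), e.g. in a DEP-3 "Origin:" header.  Empty output means no patch
# claims to carry that upstream change.  Always exits 0.
patches_citing() {
    grep -l -r -- "$1" "$2" 2>/dev/null | sort
    return 0
}

# Constructed demo data (not qtbase): commit A is tagged v1 and commit B
# lands after the tag, mirroring "vulnerable code introduced later".
make_demo_repo() {
    dir=$(mktemp -d)
    git -C "$dir" init -q
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "A: in release v1"
    git -C "$dir" tag v1
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        -c commit.gpgsign=false commit -q --allow-empty -m "B: after v1"
    echo "$dir"
}

# Constructed patch directory with one DEP-3 header (sample data).
make_demo_patches() {
    dir=$(mktemp -d)
    cat > "$dir/CVE-2021-38593.diff" <<'EOF'
Description: constructed sample header for the demo
Origin: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f4d791b330d02777
EOF
    echo "$dir"
}

# Stand-alone run on the constructed data.  Against a real checkout the
# calls would look like (paths assumed):
#   commit_in_ref ~/src/qtbase 6869d2463a2e0d71bd04dbc82f5d6ef4933dc510 v5.15.2
#   patches_citing f4d791b330d02777 ~/src/qtbase-opensource-src-5.15.2+dfsg/debian/patches
demo() {
    repo=$(make_demo_repo)
    later=$(git -C "$repo" rev-parse HEAD)
    in_release=$(git -C "$repo" rev-parse HEAD~1)
    printf '%s in v1: %s\n' "$in_release" "$(commit_in_ref "$repo" "$in_release" v1)"
    printf '%s in v1: %s\n' "$later" "$(commit_in_ref "$repo" "$later" v1)"
    patches=$(make_demo_patches)
    printf 'patches citing f4d791b330d02777: %s\n' "$(patches_citing f4d791b330d02777 "$patches")"
    rm -rf "$repo" "$patches"
}

demo
```

A "no" from commit_in_ref only says the change is absent from upstream
history up to that ref; as the thread shows for 5.15.2+dfsg-14, the same
code can still arrive through a Debian patch, which is what
patches_citing is for. Grepping for an abbreviated id can match unrelated
text, so read any hit before trusting it.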

