On Wed, 1 Dec 2021 13:38:48 +0000
Neil Williams <codehelp@debian.org> wrote:
> On Sun, 28 Nov 2021 21:02:16 +0100
> Salvatore Bonaccorso <carnil@debian.org> wrote:
>
> > Hi Adrian, Neil,
> >
> > One additional point:
> >
> > On Sun, Nov 28, 2021 at 08:56:57PM +0100, Salvatore Bonaccorso
> > wrote:
> > > Hi,
> > >
> > > > > =====================================
> > > > > data/CVE/list
> > > > > =====================================
> > > > > @@ -3785,8 +3785,8 @@ CVE-2021-38595
> > > > > CVE-2021-38594
> > > > > RESERVED
> > > > > CVE-2021-38593 (Qt 5.0.0 through 6.1.2 has an out-of-bounds
> > > > > write in QOutlineMapper::c ...)
> > > > > - - qtbase-opensource-src <unfixed>
> > > > > - - qtbase-opensource-src-gles <unfixed>
> > > > > + - qtbase-opensource-src <not-affected> (Vulnerable
> > > > > code introduced later)
> > > > > + - qtbase-opensource-src-gles <not-affected>
> > > > > (Vulnerable code introduced later) NOTE:
> > > > > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566
> > > > > NOTE:
> > > > > https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-903.yaml
> > > > > NOTE:
> > > > > https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862
> > > > > (6.1)
> > > > >...
> > > >
> > > > Hi Neil,
> > > >
> > > > can you double-check that?
> > > >
> > > > Upload [1] makes me wonder whether the not-affected is correct,
> > > > and "Qt 5.0.0 through 6.1.2" also implies all versions of
> > > > qtbase-opensource-src{,-gles} would be affected.
> > >
> > > I currently think the tracking from Neil was correct. The Issue
> > > was introduced by the commit
> > > 2https://github.com/qt/qtbase/commit/6869d2463a2e0d71bd04dbc82f5d6ef4933dc510
> > > .
> > >
> > > Now the maintainer has today uploaded
> > > https://tracker.debian.org/news/1281817/accepted-qtbase-opensource-src-5152dfsg-14-source-into-unstable/
> > > claiming it fixes CVE-2021-38593. But looking at the changes it
> > > looks that the debian/patches/CVE-2021-38593.diff patch both used
> > > https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f4d791b330d02777
> > > introducing the needed "breaking" change, and then as well the
> > > fix.
> > >
> > > See as well https://bugzilla.suse.com/show_bug.cgi?id=1189652#c2
> > > arguing in the same direction.
> > >
> > > We should recheck, but currently tend to that the tracking is
> > > already correct.
> >
> > https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1950193
> > contains some further information from Ubuntu's side. Does the test
> > there triggers the exact out-of-bounds write issue from the CVE?
In summary, no, I do not see an out of bounds write with the Launchpad
test, either with or without the fix uploaded to unstable. The change
in unstable does fix the issue reported in Launchpad but I don't see
how that is meant to match against the CVE.
> After testing with 5.15.2+dfsg-14 (unstable) and 5.15.2+dfsg-13
> (bookworm):
>
> The specific test program from the Launchpad bug **does** exhibit the
> behaviour, in bookworm, that the Launchpad bug describes as "you might
> be affected".
>
Bullseye shows the original bug - that the test SVG simply does not get
shown & the test program continues, taking up 100% of 1 core until
killed by the user. The program does not die without intervention, as it
does in bookworm.
Bullseye: gdb reports no termination
Bookworm: gdb reports "Program terminated with signal SIGKILL, Killed"
The code referenced in the fixes for the CVE in unstable does not exist
in bookworm or bullseye. Some other change is responsible for the
effects shown when using the test SVG from Launchpad in bookworm.
It looks like there is a long-standing bug in Qt5 that this type of SVG
will trigger, causing Qt5 to stall, hogging 1 CPU at 100%. With the
changes in bookworm, this bug now causes program termination *but gdb
does not show any evidence of an out-of-bounds write*, just that the
QApplication terminates. The vulnerable code from the CVE does not
exist in bookworm.
In bookworm, there is a change in behaviour which will be fixed
when the package from unstable migrates in a few days. This temporary
issue does not look like CVE-2021-38595 - it looks like a different bug.
IMHO the Launchpad bug conflates two different issues:
- CVE-2021-38593 - an out-of-bounds write - Qt6
- the Launchpad svg file will block one core at 100% and occupy much
memory
I don't see that these are the same problem. The CVE was introduced in
Qt6 code. The code to trigger the stalling bug still exists in Qt5
after the fix for the CVE is applied, it's just that the CVE fix
introduces *new* code that tries to handle the specially crafted
test SVG, then falls back to the old stalling code if the new code is
not called.
Bullseye has the original bug
Bookworm has a new bug which causes the test program to crash & still
has the original bug.
unstable fixes the test program crash from bookworm but still has the
original bug, it just works around it for the tested SVG. It is not
clear whether another crafted SVG would skip the fix from unstable and
execute the original code flow.
The commits added to unstable address the Launchpad issue of consuming
100% of one core using the provided test SVG. IMHO the commits do not
address the CVE because the vulnerable code of that CVE does not exist.
* Backport four upstream commits to fix massive memory consumption
when rendering specially crafted SVG files (CVE-2021-38593, LP:
#1950193).
As noted in https://bugzilla.suse.com/show_bug.cgi?id=1189652#c2,
it was only applied to very recent 5.15(at least not for 5.15.2,
possibly does exist in 5.15.3 but 5.15.3 and above are for commercial
license user only) and 6.x series,
If a different SVG is supplied which doesn't trigger the new code, Qt5
in bookworm would use the same slow code as bullseye & the same is true
in unstable - the slow code path still exists there too.
https://sources.debian.org/src/qtbase-opensource-src/5.15.2+dfsg-14/src/gui/painting/qpaintengineex.cpp/#L438
https://sources.debian.org/src/qtbase-opensource-src/5.15.2+dfsg-13/src/gui/painting/qpaintengineex.cpp/#L406
https://sources.debian.org/src/qtbase-opensource-src/5.15.2+dfsg-9/src/gui/painting/qpaintengineex.cpp/#L406
Overall, I see no vulnerable code in Qt5 for CVE-2021-38595 and the
reported fix appears to be addressing a different bug to handle a
specific test SVG.
> The same test on unstable passes without incident. It's not clear why
> at this point.
>
> I'll check on bullseye later.
>
> > This as an additional check to be made for double checking if our
> > tracking is correct or we need to update.
>
> It needs more investigation. I'll pick that up.
>
> --
> Neil Williams
> =============
> https://linux.codehelp.co.uk/
--
Neil Williams
=============
https://linux.codehelp.co.uk/
Attachment:
pgptEaLT4TvJj.pgp
Description: OpenPGP digital signature