--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: libqt4-xml: vulnerable to billion laughs attack
- From: Hamish Moffatt <hamish@debian.org>
- Date: Mon, 02 Jun 2014 11:19:05 +1000
- Message-id: <20140602011905.1285.27539.reportbug@quokka.cloud.net.au>
Package: libqt4-xml
Severity: serious
Tags: security
Justification: security
Qt 4.8.6 has a fix for a denial of service attack due to XML entity
expansion ("billion laughs attack"). This fix doesn't seem to be in the
wheezy packages yet.
http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
Ubuntu patched their 4.8.4;
https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577
Hamish
-- System Information:
Debian Release: 7.5
APT prefers stable-updates
APT policy: (500, 'stable-updates'), (500, 'stable')
Architecture: amd64 (x86_64)
Foreign Architectures: i386
Kernel: Linux 3.13-0.bpo.1-amd64 (SMP w/4 CPU cores)
Locale: LANG=en_AU.UTF-8, LC_CTYPE=en_AU.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/dash
--- End Message ---
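The report above concerns XML entity expansion (the "billion laughs" pattern) in libqt4-xml. As an added illustration, not code from the bug report, from Debian or from Qt, the following stand-alone C++ pre-check estimates how large a document's internal DTD entities would become if fully expanded and rejects input over a configurable limit before it reaches an entity-expanding parser. It is a simplified estimator: it assumes only double-quoted internal general entities, treats a reference cycle as unbounded, and the two sample documents, the cyclic document and the numeric limits are constructed for this example.

```cpp
#include <iostream>
#include <map>
#include <regex>
#include <set>
#include <string>

// Collect <!ENTITY name "value"> declarations from the internal DTD subset.
// Assumption: only double-quoted internal general entities are handled;
// parameter entities, single-quoted values and external entities are ignored.
std::map<std::string, std::string> collectEntities(const std::string &xml) {
    static const std::regex decl(
        "<!ENTITY\\s+([A-Za-z_][A-Za-z0-9_.:-]*)\\s+\"([^\"]*)\"\\s*>");
    std::map<std::string, std::string> entities;
    for (std::sregex_iterator it(xml.begin(), xml.end(), decl), end; it != end; ++it)
        entities[(*it)[1].str()] = (*it)[2].str();
    return entities;
}

// Fully expanded length of `text`, counting each &name; reference as the
// expanded length of that entity. Saturates at limit + 1 so runaway growth
// can never overflow, and reports a reference cycle as exceeding the limit.
long long expandedLength(const std::string &text,
                         const std::map<std::string, std::string> &entities,
                         std::map<std::string, long long> &memo,
                         std::set<std::string> &inProgress,
                         long long limit) {
    long long total = 0;
    size_t pos = 0;
    while (pos < text.size()) {
        size_t amp = text.find('&', pos);
        if (amp == std::string::npos) { total += text.size() - pos; break; }
        size_t semi = text.find(';', amp);
        if (semi == std::string::npos) { total += text.size() - pos; break; }
        total += amp - pos;                       // literal characters before the reference
        std::string name = text.substr(amp + 1, semi - amp - 1);
        auto decl = entities.find(name);
        if (decl == entities.end()) {
            total += semi - amp + 1;              // predefined or unknown: count the reference itself
        } else if (inProgress.count(name)) {
            return limit + 1;                     // entity refers back to itself: never terminates
        } else {
            auto cached = memo.find(name);
            long long len;
            if (cached != memo.end()) {
                len = cached->second;
            } else {
                inProgress.insert(name);
                len = expandedLength(decl->second, entities, memo, inProgress, limit);
                inProgress.erase(name);
                memo[name] = len;                 // each entity is expanded once, not per reference
            }
            total += len;
        }
        if (total > limit) return limit + 1;
        pos = semi + 1;
    }
    return total > limit ? limit + 1 : total;
}

// Expanded length of the document body (text after the internal subset),
// saturating at limit + 1.
long long documentExpandedLength(const std::string &xml, long long limit) {
    std::map<std::string, std::string> entities = collectEntities(xml);
    std::map<std::string, long long> memo;
    std::set<std::string> inProgress;
    size_t dtdEnd = xml.find("]>");
    std::string body = dtdEnd == std::string::npos ? xml : xml.substr(dtdEnd + 2);
    return expandedLength(body, entities, memo, inProgress, limit);
}

// Accept the document only if its expansion stays within `limit` characters.
bool expansionWithinLimit(const std::string &xml, long long limit) {
    return documentExpandedLength(xml, limit) <= limit;
}

// Constructed sample: ordinary entity use, expands to 30 characters.
const std::string kBenignDoc =
    "<?xml version=\"1.0\"?>"
    "<!DOCTYPE note [<!ENTITY who \"reader\"><!ENTITY hello \"hi &who;\">]>"
    "<note>&hello;, &who;</note>";

// Constructed sample shaped like the nested-entity pattern, cut to three
// levels (10 -> 100 -> 1000 characters) so it runs instantly here.
const std::string kNestedDoc =
    "<?xml version=\"1.0\"?>"
    "<!DOCTYPE x [<!ENTITY a \"aaaaaaaaaa\">"
    "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\">"
    "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\">]>"
    "<x>&c;</x>";

// Constructed sample with a reference cycle, which the check treats as unbounded.
const std::string kCyclicDoc =
    "<!DOCTYPE x [<!ENTITY p \"&q;\"><!ENTITY q \"&p;\">]><x>&p;</x>";

int main() {
    const long long limit = 500;  // constructed limit for the demonstration
    std::cout << "benign: " << expansionWithinLimit(kBenignDoc, limit) << "\n";
    std::cout << "nested: " << expansionWithinLimit(kNestedDoc, limit) << "\n";
    std::cout << "cyclic: " << expansionWithinLimit(kCyclicDoc, limit) << "\n";
    return 0;
}
```

The memo table is what keeps the check itself cheap: each entity's expanded length is computed once, so the estimator runs in time proportional to the DTD size rather than to the expansion it is measuring. A pre-check like this only complements a parser that enforces its own expansion limits, as the Qt 4.8.6 fix referenced in the report does; the limit value should be set from the largest legitimate document the consumer expects.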
--- Begin Message ---
- To: 750141-done@bugs.debian.org
- Subject: Re: Bug#750141: libqt4-xml: vulnerable to billion laughs attack
- From: Emilio Pozuelo Monfort <pochu@debian.org>
- Date: Tue, 29 Jan 2019 14:45:19 +0100
- Message-id: <82c43972-8d2e-7200-08c5-e6c41f92a64d@debian.org>
Version: 4:4.8.5+git192-g085f851+dfsg-1
On Mon, 9 Jun 2014 07:17:04 +0200 Salvatore Bonaccorso <carnil@debian.org> wrote:
> Hi,
>
> On Sun, Jun 01, 2014 at 11:30:15PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> > tag 750141 moreinfo
> > thanks
> >
> > On Monday 02 June 2014 11:19:05 Hamish Moffatt wrote:
> > > Package: libqt4-xml
> > > Severity: serious
> > > Tags: security
> > > Justification: security
> > >
> > > Qt 4.8.6 has a fix for a denial of service attack due to XML entity
> > > expansion ("billion laughs attack"). This fix doesn't seem to be in the
> > > wheezy packages yet.
> > >
> > > http://blog.qt.digia.com/blog/2014/04/24/qt-4-8-6-released/
> > >
> > > Ubuntu patched their 4.8.4;
> > >
> > > https://bugs.launchpad.net/ubuntu/+source/qt4-x11/+bug/1259577
> >
> > Hi Hamish! I patched Qt4 for jessie at that time but IIRC (I might be mixing
> > CVEs here) when I asked someone from the security team over IRC (or maybe by
> > mail, I don't remember now) they told me it wasn't too important to get an
> > update in stable.
>
> Yep, per mail. It was on 2013-12-06, where Moritz had written:
>
> Hi Lisandro,
> this doesn't warrant a DSA. It can be fixed through a point update, though
> or we can line it up for a future QT DSA.
>
> Cheers,
> Moritz
>
> For the BTS, I think this was fixed in 4:4.8.5+git192-g085f851+dfsg-1.
Closing as this is fixed in unstable. Also wheezy is EOL so there's no point in
keeping this bug open anymore.
Emilio
--- End Message ---