
Bug#1059302: marked as done (qt6-base: CVE-2023-37369)



Your message dated Mon, 13 May 2024 19:32:55 +0000
with message-id <E1s6bPr-005V9P-JO@fasolo.debian.org>
and subject line Bug#1059302: fixed in qtbase-opensource-src 5.15.2+dfsg-9+deb11u1
has caused the Debian Bug report #1059302,
regarding qt6-base: CVE-2023-37369
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1059302: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1059302
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: qt6-base
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2023-37369[0]:
| In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x
| before 6.5.2, there can be an application crash in QXmlStreamReader
| via a crafted XML string that triggers a situation in which a prefix
| is greater than a length.

https://www.qt.io/blog/security-advisory-qxmlstreamreader
https://codereview.qt-project.org/c/qt/qtbase/+/455027

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-37369
    https://www.cve.org/CVERecord?id=CVE-2023-37369

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: qtbase-opensource-src
Source-Version: 5.15.2+dfsg-9+deb11u1
Done: Thorsten Alteholz <debian@alteholz.de>

We believe that the bug you reported is fixed in the latest version of
qtbase-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1059302@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Thorsten Alteholz <debian@alteholz.de> (supplier of updated qtbase-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 28 Apr 2024 22:48:02 +0200
Source: qtbase-opensource-src
Architecture: source
Version: 5.15.2+dfsg-9+deb11u1
Distribution: bullseye
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Thorsten Alteholz <debian@alteholz.de>
Closes: 1031872 1036702 1036848 1037210 1041105 1059302 1060694 1064053
Changes:
 qtbase-opensource-src (5.15.2+dfsg-9+deb11u1) bullseye; urgency=medium
 .
   * Non-maintainer upload by the LTS Team.
   * CVE-2024-25580 (Closes: #1064053)
     fix buffer overflow due to crafted KTX image file
   * CVE-2023-32763 (Closes: #1036702)
     fix QTextLayout buffer overflow due to crafted SVG file
   * CVE-2022-25255
     prevent QProcess from execution of a binary from the current working
     directory when not found in the PATH
   * CVE-2023-24607 (Closes: #1031872)
     fix denial of service via a crafted string when the SQL ODBC driver
     plugin is used
   * fix regression caused by patch for CVE-2023-24607
   * CVE-2023-32762
     prevent incorrect parsing of the strict-transport-security (HSTS) header
   * CVE-2023-51714 (Closes: #1060694)
     fix incorrect HPack integer overflow check
   * CVE-2023-38197 (Closes: #1041105)
     fix infinite loop in recursive entity expansion
   * CVE-2023-37369 (Closes: #1059302)
     fix crash of application in QXmlStreamReader due to crafted XML string
   * CVE-2023-34410 (Closes: #1037210)
     fix checking during TLS whether root of the chain really is a
     configured CA certificate
   * CVE-2023-33285 (Closes: #1036848)
     fix buffer overflow in QDnsLookup



--- End Message ---
