Your message dated Sun, 29 Jun 2025 20:36:35 +0000
with message-id <E1uVylP-000ZEh-BQ@fasolo.debian.org>
and subject line Bug#1108475: fixed in qtbase-opensource-src 5.15.15+dfsg-6
has caused the Debian Bug report #1108475,
regarding qtbase-opensource-src: CVE-2025-5455
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1108475: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108475
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: qtbase-opensource-src: CVE-2025-5455
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Sun, 29 Jun 2025 14:07:16 +0200
- Message-id: <aGEsdPC-4XsRTIrR@pisco.westfalen.local>
Package: qtbase-opensource-src
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src.

CVE-2025-5455[0]:
| An issue was found in the private API function qDecodeDataUrl() in
| QtCore, which is used in QTextDocument and QNetworkReply, and,
| potentially, in user code. If the function was called with
| malformed data, for example, an URL that contained a "charset"
| parameter that lacked a value (such as "data:charset,"), and Qt was
| built with assertions enabled, then it would hit an assertion,
| resulting in a denial of service (abort). This impacts Qt up to
| 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed
| in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

https://codereview.qt-project.org/c/qt/qtbase/+/642006

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5455
    https://www.cve.org/CVERecord?id=CVE-2025-5455

Please adjust the affected versions in the BTS as needed.
--- End Message ---
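The input class named in the CVE text above, a data: URL whose "charset" parameter has no value, handled by a tolerant header parser. This is an added example, not Qt's code or the upstream patch; `DataUrlHeader`, `parseDataUrlHeader` and the helpers are hypothetical names, and it also covers the empty `charset=` and `base64` cases.

```cpp
#include <algorithm>
#include <cctype>
#include <string>

// Added illustration with hypothetical names; this is not Qt's code.
struct DataUrlHeader {
    bool valid = false;                 // false: not a data: URL, or no comma
    bool base64 = false;
    std::string mimeType = "text/plain";
    std::string charset = "US-ASCII";   // RFC 2397 defaults
};
static std::string lower(std::string s) {
    std::transform(s.begin(), s.end(), s.begin(),
                   [](unsigned char c) { return char(std::tolower(c)); });
    return s;
}
static std::string trim(const std::string &s) {
    const auto b = s.find_first_not_of(' ');
    if (b == std::string::npos) return std::string();
    return s.substr(b, s.find_last_not_of(' ') - b + 1);
}
// Parses what sits between "data:" and the first ','. Every index comes from
// find(), so a parameter name with no value is handled as ordinary input.
DataUrlHeader parseDataUrlHeader(const std::string &url) {
    DataUrlHeader out;
    if (lower(url.substr(0, 5)) != "data:") return out;
    const auto comma = url.find(',', 5);
    if (comma == std::string::npos) return out;
    const std::string header = url.substr(5, comma - 5);
    out.valid = true;
    bool first = true;
    for (std::string::size_type pos = 0; pos <= header.size(); first = false) {
        auto semi = header.find(';', pos);
        if (semi == std::string::npos) semi = header.size();
        const std::string part = trim(header.substr(pos, semi - pos));
        pos = semi + 1;
        const auto eq = part.find('=');
        if (eq == std::string::npos) {
            // Bare token: a media type, "base64", or a valueless parameter
            // such as "charset", which is ignored so the default stays.
            if (first && part.find('/') != std::string::npos) out.mimeType = lower(part);
            else if (lower(part) == "base64") out.base64 = true;
        } else if (lower(trim(part.substr(0, eq))) == "charset") {
            const std::string value = trim(part.substr(eq + 1));
            if (!value.empty()) out.charset = value;  // "charset=" keeps default
        }
    }
    return out;
}
```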
--- Begin Message ---
- To: 1108475-close@bugs.debian.org
- Subject: Bug#1108475: fixed in qtbase-opensource-src 5.15.15+dfsg-6
- From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
- Date: Sun, 29 Jun 2025 20:36:35 +0000
- Message-id: <E1uVylP-000ZEh-BQ@fasolo.debian.org>
- Reply-to: Dmitry Shachnev <mitya57@debian.org>
Source: qtbase-opensource-src
Source-Version: 5.15.15+dfsg-6
Done: Dmitry Shachnev <mitya57@debian.org>

We believe that the bug you reported is fixed in the latest version of
qtbase-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1108475@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev <mitya57@debian.org> (supplier of updated qtbase-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Jun 2025 22:50:45 +0300
Source: qtbase-opensource-src
Architecture: source
Version: 5.15.15+dfsg-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Dmitry Shachnev <mitya57@debian.org>
Closes: 1108475
Changes:
 qtbase-opensource-src (5.15.15+dfsg-6) unstable; urgency=medium
 .
   * Backport upstream patch to fix assertion errors in data: URL parsing
     (CVE-2025-5455, closes: #1108475).
--- End Message ---