
Bug#1108475: marked as done (qtbase-opensource-src: CVE-2025-5455)



Your message dated Sun, 29 Jun 2025 20:36:35 +0000
with message-id <E1uVylP-000ZEh-BQ@fasolo.debian.org>
and subject line Bug#1108475: fixed in qtbase-opensource-src 5.15.15+dfsg-6
has caused the Debian Bug report #1108475,
regarding qtbase-opensource-src: CVE-2025-5455
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108475: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108475
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: qtbase-opensource-src
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src.

CVE-2025-5455[0]:
| An issue was found in the private API function qDecodeDataUrl() in
| QtCore, which is used in QTextDocument and QNetworkReply, and,
| potentially, in user code.  If the function was called with
| malformed data, for example, a URL that contained a "charset"
| parameter that lacked a value (such as "data:charset,"), and Qt was
| built with assertions enabled, then it would hit an assertion,
| resulting in a denial of service (abort).  This impacts Qt up to
| 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed
| in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

https://codereview.qt-project.org/c/qt/qtbase/+/642006


If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5455
    https://www.cve.org/CVERecord?id=CVE-2025-5455

Please adjust the affected versions in the BTS as needed.

--- End Message ---
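The malformed input named in the CVE text above ("data:charset,", a parameter with no value), handled by a tolerant data: URL header parser. This is an added example, not Qt's qDecodeDataUrl() and not part of the bug report; the struct, the default media type and the reject-on-malformed behaviour are constructed assumptions.

```cpp
#include <optional>
#include <string>
#include <string_view>

// Constructed example: a tolerant RFC 2397 "data:" URL header parser. This is
// not Qt's qDecodeDataUrl(); it only mirrors the input shape the CVE describes.
struct DataUrl {
    std::string mediaType = "text/plain";  // assumed default when the type is omitted
    std::string charset;                   // value of a "charset=" parameter, if any
    bool base64 = false;                   // ";base64" flag present
    std::string payload;                   // undecoded body after the comma
};

// Returns std::nullopt for malformed input instead of asserting/aborting.
std::optional<DataUrl> parseDataUrl(std::string_view url) {
    constexpr auto npos = std::string_view::npos;
    if (url.substr(0, 5) != "data:") return std::nullopt;
    std::string_view rest = url.substr(5);
    size_t comma = rest.find(',');
    if (comma == npos) return std::nullopt;          // no payload separator
    std::string_view header = rest.substr(0, comma);
    DataUrl out;
    out.payload = std::string(rest.substr(comma + 1));
    // Walk the ';'-separated header pieces: media type, parameters, base64 flag.
    size_t start = 0;
    while (start <= header.size()) {
        size_t semi = header.find(';', start);
        std::string_view piece = header.substr(start, semi == npos ? npos : semi - start);
        start = (semi == npos) ? header.size() + 1 : semi + 1;
        if (piece.empty()) continue;                 // "data:,x" or a stray ';'
        if (piece == "base64") { out.base64 = true; continue; }
        if (piece.find('/') != npos) { out.mediaType = std::string(piece); continue; }
        size_t eq = piece.find('=');
        if (eq == npos) {
            // A parameter with no value ("charset" in "data:charset,"). Code that
            // assumes every parameter is key=value would assert here; reject instead.
            return std::nullopt;
        }
        if (piece.substr(0, eq) == "charset") out.charset = std::string(piece.substr(eq + 1));
    }
    return out;
}
```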
--- Begin Message ---
Source: qtbase-opensource-src
Source-Version: 5.15.15+dfsg-6
Done: Dmitry Shachnev <mitya57@debian.org>

We believe that the bug you reported is fixed in the latest version of
qtbase-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108475@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev <mitya57@debian.org> (supplier of updated qtbase-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)



Format: 1.8
Date: Sun, 29 Jun 2025 22:50:45 +0300
Source: qtbase-opensource-src
Architecture: source
Version: 5.15.15+dfsg-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Dmitry Shachnev <mitya57@debian.org>
Closes: 1108475
Changes:
 qtbase-opensource-src (5.15.15+dfsg-6) unstable; urgency=medium
 .
   * Backport upstream patch to fix assertion errors in data: URL parsing
     (CVE-2025-5455, closes: #1108475).



--- End Message ---
