
Bug#1108474: marked as done (qt6-base: CVE-2025-5455)



Your message dated Sun, 29 Jun 2025 22:22:02 +0000
with message-id <E1uW0PS-000rLx-5X@fasolo.debian.org>
and subject line Bug#1108474: fixed in qt6-base 6.8.2+dfsg-8
has caused the Debian Bug report #1108474,
regarding qt6-base: CVE-2025-5455
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1108474: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108474
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Package: qt6-base
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qt6-base.

CVE-2025-5455[0]:
| An issue was found in the private API function qDecodeDataUrl() in
| QtCore, which is used in QTextDocument and QNetworkReply, and,
| potentially, in user code.  If the function was called with
| malformed data, for example, a URL that contained a "charset"
| parameter that lacked a value (such as "data:charset,"), and Qt was
| built with assertions enabled, then it would hit an assertion,
| resulting in a denial of service (abort).  This impacts Qt up to
| 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed
| in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

https://codereview.qt-project.org/c/qt/qtbase/+/642006
	 

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5455
    https://www.cve.org/CVERecord?id=CVE-2025-5455

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: qt6-base
Source-Version: 6.8.2+dfsg-8
Done: Patrick Franz <deltaone@debian.org>

We believe that the bug you reported is fixed in the latest version of
qt6-base, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1108474@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <deltaone@debian.org> (supplier of updated qt6-base package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 29 Jun 2025 23:52:49 +0200
Source: qt6-base
Architecture: source
Version: 6.8.2+dfsg-8
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Patrick Franz <deltaone@debian.org>
Closes: 1108474
Changes:
 qt6-base (6.8.2+dfsg-8) unstable; urgency=medium
 .
   [ Patrick Franz ]
   * Backport patch to fix CVE-2025-5455 (Closes: #1108474).

-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----



--- End Message ---
