Your message dated Mon, 30 Jun 2025 12:51:52 +0300
with message-id <aGJeOBfkG872uqNm@mitya57.me>
and subject line Re: Bug#1108476: qtbase-opensource-src-gles: CVE-2025-5455
has caused the Debian Bug report #1108476,
regarding qtbase-opensource-src-gles: CVE-2025-5455
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)

--
1108476: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1108476
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: submit@bugs.debian.org
- Subject: qtbase-opensource-src-gles: CVE-2025-5455
- From: Moritz Mühlenhoff <jmm@inutil.org>
- Date: Sun, 29 Jun 2025 14:07:32 +0200
- Message-id: <aGEshBsedSdEL9pE@pisco.westfalen.local>
Package: qtbase-opensource-src-gles
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src-gles.

CVE-2025-5455[0]:
| An issue was found in the private API function qDecodeDataUrl() in
| QtCore, which is used in QTextDocument and QNetworkReply, and,
| potentially, in user code. If the function was called with
| malformed data, for example, an URL that contained a "charset"
| parameter that lacked a value (such as "data:charset,"), and Qt was
| built with assertions enabled, then it would hit an assertion,
| resulting in a denial of service (abort). This impacts Qt up to
| 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed
| in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

https://codereview.qt-project.org/c/qt/qtbase/+/642006

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2025-5455
    https://www.cve.org/CVERecord?id=CVE-2025-5455

Please adjust the affected versions in the BTS as needed.
--- End Message ---
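The malformed input the CVE describes, a data: URL whose media-type section carries a "charset" parameter with no value, can be rejected by an application before the URL reaches a library decoder. The following is an added example and is not Qt's code or the upstream fix linked above; `isWellFormedDataUrl` and `isValidMediaParam` are hypothetical helpers that check the RFC 2397 media-type grammar and return false for inputs such as "data:charset,".

```cpp
#include <string>

// Hypothetical helper (added example, not Qt code): checks one ';'-separated
// component of the media-type section. `first` marks the leading component,
// which must be empty (defaults to text/plain) or a type/subtype pair; every
// later component must be the bare "base64" flag or attribute=value with a
// non-empty attribute and value.
static bool isValidMediaParam(const std::string& p, bool first) {
    if (first) {
        if (p.empty()) return true;
        std::size_t slash = p.find('/');
        // A bare word such as "charset" (no '/') is rejected here.
        return slash != std::string::npos && slash > 0 && slash + 1 < p.size();
    }
    if (p == "base64") return true;
    std::size_t eq = p.find('=');
    // "charset" with no '=' and "charset=" with an empty value are malformed.
    return eq != std::string::npos && eq > 0 && eq + 1 < p.size();
}

// Returns true only for a data: URL whose media-type section (everything
// between "data:" and the first ',') follows RFC 2397:
//   mediatype := [ type "/" subtype ] *( ";" parameter )
// "data:charset," and "data:text/plain;charset," both return false.
bool isWellFormedDataUrl(const std::string& url) {
    const std::string scheme = "data:";
    if (url.size() < scheme.size()) return false;
    // The scheme is compared case-insensitively (RFC 3986).
    for (std::size_t i = 0; i < scheme.size(); ++i) {
        char c = url[i];
        if (c >= 'A' && c <= 'Z') c = static_cast<char>(c - 'A' + 'a');
        if (c != scheme[i]) return false;
    }
    std::string mediaType = url.substr(scheme.size());
    std::size_t comma = mediaType.find(',');
    if (comma == std::string::npos) return false;  // no payload separator
    mediaType.resize(comma);
    bool first = true;
    for (;;) {
        std::size_t semi = mediaType.find(';');
        if (!isValidMediaParam(mediaType.substr(0, semi), first)) return false;
        if (semi == std::string::npos) return true;
        mediaType = mediaType.substr(semi + 1);
        first = false;
    }
}
```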
--- Begin Message ---
- To: 1108476-close@bugs.debian.org
- Subject: Re: Bug#1108476: qtbase-opensource-src-gles: CVE-2025-5455
- From: Dmitry Shachnev <mitya57@debian.org>
- Date: Mon, 30 Jun 2025 12:51:52 +0300
- Message-id: <aGJeOBfkG872uqNm@mitya57.me>
- In-reply-to: <aGEshBsedSdEL9pE@pisco.westfalen.local>
- References: <aGEshBsedSdEL9pE@pisco.westfalen.local>
Hi Moritz,

On Sun, Jun 29, 2025 at 02:07:32PM +0200, Moritz Mühlenhoff wrote:
> Package: qtbase-opensource-src-gles
> X-Debbugs-CC: team@security.debian.org
> Severity: important
> Tags: security
>
> Hi,
>
> The following vulnerability was published for qtbase-opensource-src-gles.
>
> CVE-2025-5455[0]:
> | An issue was found in the private API function qDecodeDataUrl() in
> | QtCore, which is used in QTextDocument and QNetworkReply, and,
> | potentially, in user code. If the function was called with
> | malformed data, for example, an URL that contained a "charset"
> | parameter that lacked a value (such as "data:charset,"), and Qt was
> | built with assertions enabled, then it would hit an assertion,
> | resulting in a denial of service (abort). This impacts Qt up to
> | 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed
> | in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
>
> https://codereview.qt-project.org/c/qt/qtbase/+/642006

This does not need fixing in qtbase-opensource-src-gles. The vulnerability
is in the QtCore library, but the -gles source package does not build its
own QtCore, it reuses one from qtbase-opensource-src.

--
Dmitry Shachnev

Attachment: signature.asc
Description: PGP signature
--- End Message ---