[Git][security-tracker-team/security-tracker][master] 2 commits: dla: add qtbase-opensource-src
Sylvain Beucler (@beuc)
gitlab at salsa.debian.org
Tue May 20 13:58:20 BST 2025
Sylvain Beucler pushed to branch master at Debian Security Tracker / security-tracker
Commits:
e719aa93 by Sylvain Beucler at 2025-05-20T14:56:30+02:00
dla: add qtbase-opensource-src
- - - - -
002e62ac by Sylvain Beucler at 2025-05-20T14:56:32+02:00
CVE-2023-6704/libavif: introductory commit (take #2)
Thanks to Salvatore for dropping:
19aa57e7a0ff38986b4b654ca4c865bfd2731c84
a63ed93e0870387f9a7f6d331265e50bca5c19c7
and pointing the libavif revision range at:
https://clusterfuzz.com/revisions?job=linux_asan_chrome_mp&range=1147980:1148001
(d78c0db95b1afe85a66b41c066f8327165a8d567:094e6166339bc317d54b42460232c28193ea4daf)
Bisecting said range with an ASAN build pinpointed:
https://github.com/AOMediaCodec/libavif/commit/c17d24ad2281fee383700e0710e019758a1969ad
The error is present before the fixing commit, and fixed after the fixing commit.
For reference:
git checkout <revision>
rm -rf *
git checkout .
cp -a ../poc .
CC="gcc -fsanitize=address" CXX="g++ -fsanitize=address" cmake -DCMAKE_BUILD_TYPE=Debug -DAVIF_BUILD_APPS=ON
make -j
./avifdec poc test.jpg
- - - - -
2 changed files:
- data/CVE/list
- data/dla-needed.txt
Changes:
=====================================
data/CVE/list
=====================================
@@ -151505,6 +151505,7 @@ CVE-2023-6704 (Use after free in libavif in Google Chrome prior to 120.0.6099.10
[bullseye] - libavif <not-affected> (Vulnerable code not present, PoC doesn't crash)
NOTE: https://issues.chromium.org/issues/40945359
NOTE: https://github.com/AOMediaCodec/libavif/pull/1808
+ NOTE: Introduced by: https://github.com/AOMediaCodec/libavif/commit/c17d24ad2281fee383700e0710e019758a1969ad (v1.0.0)
NOTE: Fixed by: https://github.com/AOMediaCodec/libavif/commit/7845153645cfe245de5add94fb07c227c2d16402 (v1.1.0)
CVE-2023-6703 (Use after free in Blink in Google Chrome prior to 120.0.6099.109 allow ...)
{DSA-5577-1}
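Review bot: The added "Introduced by" NOTE pins the introducing commit to v1.0.0, but the [bullseye] line at the top of the hunk still justifies <not-affected> only with "Vulnerable code not present, PoC doesn't crash". Now that the introducing commit is known, consider stating in that annotation that the bullseye version predates it, so the status can be checked from this entry without rerunning the PoC. The ASAN bisect that identified the commit is recorded only in the commit message; a short mention in the NOTE would keep that provenance in the data file.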
=====================================
data/dla-needed.txt
=====================================
@@ -347,6 +347,11 @@ pytorch
NOTE: 20250422: Added by Front-Desk (rouca)
NOTE: 20250422: CVE-2025-32434 RCE need to be fixed. DoS may be postponed (rouca/FD)
--
+qtbase-opensource-src
+ NOTE: 20250520: Added by Front-Desk (Beuc)
+ NOTE: 20250520: Follow fixes from bookworm 12.11 (CVE-2024-39936)
+ NOTE: 20250520: We don't seem affected by the non-CVE crash fix #1081682 (Beuc/front-desk)
+--
rails
NOTE: 20250105: Added by Front-Desk (apo)
NOTE: 20250305: Utkarsh uploaded the CVE fixes to unstable via rails/7.2.2.1. (utkarsh)
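Review bot: In the new qtbase-opensource-src entry, the third NOTE cites "#1081682" as a bare number, with no URL and no indication of which tracker it belongs to, so a reader has to guess where to look it up; spell out the bug reference. The sign-off also differs from the neighbouring pytorch entry, which uses "(rouca/FD)" where this one uses "(Beuc/front-desk)", and the second NOTE carries no sign-off at all; pick one form and apply it to each line.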
View it on GitLab: https://salsa.debian.org/security-tracker-team/security-tracker/-/compare/7bed2ddbb7d3c34cf329268bbf39ba0840314940...002e62ace77c782c7022c78f457e7e6958f511d9