Two CVEs in qtbase-opensource-src

Lisandro Damián Nicanor Pérez Meyer perezmeyer at gmail.com
Thu Jan 30 16:21:18 GMT 2020


Hi again...

On Thu, 30 Jan 2020 at 12:43, Lisandro Damián Nicanor Pérez Meyer
<perezmeyer at gmail.com> wrote:
>
> Hit Enter too fast...
>
> On Thu, 30 Jan 2020 at 12:39, Lisandro Damián Nicanor Pérez Meyer
> <perezmeyer at gmail.com> wrote:
> [snip]
> > I'm attaching the stretch debdiff.
>
> In this case only one CVE applies. I wanted to prepare a MR on the
> security tracker for this too, but it has been forking the repo for
> more than 5' already...
>
> So I'm adding more info here:
>
> - CVE-2020-0569.diff applies to all Qt 5 versions (except gles
> variants) *and* also qt4-x11.
> - CVE-2020-0570.diff only applies to the buster, testing and sid Qt 5 versions.

I'm afraid I was confused here, I think due to upstream's affected ranges.

- CVE-2020-0569.diff applies to all Qt 5 versions (except gles variants)
- CVE-2020-0570.diff, according to upstream, is said to affect only
5.12 onwards. But I've found the code also applies to 5.7 and even to
qt4. I have just asked upstream to re-check this.

Cheers, Lisandro.


--
Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/