Two CVEs in qtbase-opensource-src

Salvatore Bonaccorso carnil at debian.org
Thu Jan 30 16:38:07 GMT 2020


Hi,

On Thu, Jan 30, 2020 at 01:21:18PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> Hi again...
> 
> On Thu, 30 Jan 2020 at 12:43, Lisandro Damián Nicanor Pérez Meyer
> <perezmeyer at gmail.com> wrote:
> >
> > Hit Enter too fast...
> >
> > On Thu, 30 Jan 2020 at 12:39, Lisandro Damián Nicanor Pérez Meyer
> > <perezmeyer at gmail.com> wrote:
> > [snip]
> > > I'm attaching the stretch debdiff.
> >
> > In this case only one CVE applies. I wanted to prepare a MR on the
> > security tracker for this too, but it has been forking the repo for
> > more than 5' already...
> >
> > So I'm adding more info here:
> >
> > - CVE-2020-0569.diff applies to all Qt 5 versions (except gles
> > variants) *and* also qt4-x11.
> > - CVE-2020-0570.diff only applies to buster, testing and sid Qt5's versions.
> 
> I'm afraid I was confused here, I think due to upstream's affected ranges.
> 
> - CVE-2020-0569.diff applies to all Qt 5 versions (except gles variants)
> - CVE-2020-0570.diff, according to upstream, is said to affect only
> 5.12 onwards. But I've found the code also applies to 5.7 and even to
> qt4. I have just asked upstream to re-check this.

I have for now reverted the last change 5bd1b4fe297e ("Add
CVE-2020-0569/qt4-x11 as well"). So for now we are tracking those as:

CVE-2020-0570
        RESERVED
        - qtbase-opensource-src <unfixed>
        [stretch] - qtbase-opensource-src <not-affected> (Only affects 5.12.0 through 5.14.0)
        NOTE: https://bugreports.qt.io/browse/QTBUG-81272
        NOTE: Patch: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd
CVE-2020-0569
        RESERVED
        - qtbase-opensource-src <unfixed>
        NOTE: Patch for 5.6.0 through 5.13.2: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404
        NOTE: Patch for 5.0.0 through 5.5.1: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=5c4234ed958130d655df8197129806f687d4df0d
        TODO: check qt4-x11

Once you have confirmation from upstream we can adjust those accordingly.

Regards,
Salvatore
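The tracker entries quoted in this message are the kind of thing a maintainer ends up re-reading by hand to answer "is the Qt in my release inside the range upstream says is affected?". The following is an added example, not code from the thread, from the Debian security tracker, or from the Qt project: it parses the two entries exactly as they appear above (copied verbatim into the script), pulls every "X through Y" range out of the reason and NOTE text, and checks an upstream version against them. The Qt versions checked in the usage block (5.7.1 for stretch, 5.11.3 for buster) are assumptions for illustration and are not stated on this page.

```python
"""Parse Debian security-tracker entries and check upstream version ranges.

Added example, not part of the original thread or of the tracker's own tooling.
"""
import re
from typing import Dict, List, Optional, Tuple

# The two tracker entries from the message above, copied verbatim so the
# script runs offline. Header lines are unindented; everything else is indented.
TRACKER_TEXT = """\
CVE-2020-0570
        RESERVED
        - qtbase-opensource-src <unfixed>
        [stretch] - qtbase-opensource-src <not-affected> (Only affects 5.12.0 through 5.14.0)
        NOTE: https://bugreports.qt.io/browse/QTBUG-81272
        NOTE: Patch: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd
CVE-2020-0569
        RESERVED
        - qtbase-opensource-src <unfixed>
        NOTE: Patch for 5.6.0 through 5.13.2: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404
        NOTE: Patch for 5.0.0 through 5.5.1: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=5c4234ed958130d655df8197129806f687d4df0d
        TODO: check qt4-x11
"""

Version = Tuple[int, ...]

# "X through Y" as written in tracker reasons and NOTE lines; inclusive on both ends.
RANGE_RE = re.compile(r"(\d+(?:\.\d+)+) through (\d+(?:\.\d+)+)")
# "- pkg <status> (reason)" with an optional "[release]" prefix.
PKG_RE = re.compile(
    r"^(?:\[(?P<release>[^\]]+)\] )?- (?P<pkg>\S+) <(?P<status>[^>]+)>(?: \((?P<reason>.*)\))?$"
)


def parse_version(s: str) -> Version:
    """Turn an upstream dotted version such as '5.13.2' into a comparable tuple."""
    return tuple(int(p) for p in s.split("."))


def parse_tracker(text: str) -> Dict[str, dict]:
    """Return {cve: {"packages", "notes", "todos", "ranges", "state"}} for each entry."""
    entries: Dict[str, dict] = {}
    current: Optional[dict] = None
    for raw in text.splitlines():
        if not raw.strip():
            continue
        if not raw[0].isspace():
            # Header line: "CVE-YYYY-NNNN" optionally followed by a description.
            current = {"packages": [], "notes": [], "todos": [], "ranges": [], "state": None}
            entries[raw.split()[0]] = current
            continue
        if current is None:
            raise ValueError("indented line before any CVE header: %r" % raw)
        line = raw.strip()
        m = PKG_RE.match(line)
        if m:
            current["packages"].append(m.groupdict())
            range_text = m.group("reason") or ""
        elif line.startswith("NOTE:"):
            current["notes"].append(line[5:].strip())
            range_text = line
        elif line.startswith("TODO:"):
            current["todos"].append(line[5:].strip())
            range_text = ""
        else:
            # Bare state line such as RESERVED.
            current["state"] = line
            range_text = ""
        # Remember every range together with the line it came from, so a hit
        # can be traced back to the patch or reason that named it.
        for lo, hi in RANGE_RE.findall(range_text):
            current["ranges"].append((parse_version(lo), parse_version(hi), line))
    return entries


def ranges_containing(entry: dict, version: str) -> List[str]:
    """Tracker lines whose 'X through Y' range contains the given upstream version."""
    v = parse_version(version)
    return [src for lo, hi, src in entry["ranges"] if lo <= v <= hi]


def release_status(entry: dict, release: str, pkg: str) -> Optional[str]:
    """Per-release status if the entry overrides it, otherwise the unstable line."""
    for p in entry["packages"]:
        if p["pkg"] == pkg and p["release"] == release:
            return p["status"]
    for p in entry["packages"]:
        if p["pkg"] == pkg and p["release"] is None:
            return p["status"]
    return None


if __name__ == "__main__":
    entries = parse_tracker(TRACKER_TEXT)
    # Assumed upstream versions for illustration; not stated on this page.
    shipped = {"stretch": "5.7.1", "buster": "5.11.3"}
    for cve, entry in entries.items():
        for rel, ver in shipped.items():
            hits = ranges_containing(entry, ver)
            print(cve, rel, ver, release_status(entry, rel, "qtbase-opensource-src"),
                  "in range via: %s" % hits[0] if hits else "no stated range covers it")
```

Reading the output side by side with the `<not-affected>` override is the check the message is about: the per-release line wins over the unstable line, and a version outside every stated range is a reason to ask upstream before backporting, which is what the thread does for 5.7 and qt4.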
