Bug 1189652 (CVE-2021-38593)

Summary: VUL-0: CVE-2021-38593: libqt5-qtbase: qt: out-of-bounds write in QOutlineMapper:convertPath called from QRasterPaintEngine:fill and QPaintEngineEx:stroke
Product: [Novell Products] SUSE Security Incidents
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Incidents
Assignee: Max Lin <mlin>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Severity: Major
Priority: P3 - Medium
CC: gabriele.sonnu, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/306948/
Whiteboard:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Comment 1 Gabriele Sonnu 2021-08-20 13:30:16 UTC
According to the report, all Qt versions from 5.0.0 through 6.1.2 are affected.

We currently ship these packages:

- SUSE:SLE-12-SP2:Update/libqt5-qtbase  5.6.1
- SUSE:SLE-12-SP3:Update/libqt5-qtbase  5.6.2
- SUSE:SLE-15:Update/libqt5-qtbase      5.9.4
- SUSE:SLE-15-SP1:Update/libqt5-qtbase  5.9.7
- SUSE:SLE-15-SP2:Update/libqt5-qtbase  5.12.7
- openSUSE:Factory/libqt5-qtbase        5.15.2+kde200

I couldn't find the buggy code or reproduce the bug; could you please recheck them?

Comment 2 Max Lin 2021-08-23 09:18:03 UTC
I don't know why the CVE report claims any 5.x version is affected, because the bug only exists when https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=f4d791b330d02777fcaf02938732892eb3167e9b [1] is present; however, that change was only applied to very recent 5.15 (at least not 5.15.2; it possibly exists in 5.15.3, but 5.15.3 and above are for commercial license users only) and the 6.x series. So overall, the currently maintained libqt5 in SLE products doesn't have that change; therefore you cannot find the buggy code, and the CVE fix https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=6b400e3147dcfd8cc3a393ace1bd118c93762e0c [2] is just useless.

Two options:
1. Take this report as invalid for SLE - since the buggy change [1] doesn't exist in our products (not in qt 5.6.x, 5.9.x, nor 5.12.x), these fixes [2] aren't *necessary*.
2. Take this report as valid for SLE - apply the buggy code [1] and the fix [2] to our libqt5; this would be *unwise* to do.

I will go for option 1; what do you think?

[1] https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=f4d791b330d02777fcaf02938732892eb3167e9b

[2] https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=6b400e3147dcfd8cc3a393ace1bd118c93762e0c + https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=84aba80944a2e1c3058d7a1372e0e66676411884

Comment 3 Gabriele Sonnu 2021-08-23 14:23:17 UTC
I agree; if we do not ship the affected code, option 1 is the way to go. I'll mark this bug as resolved.

Comment 4 Gabriele Sonnu 2021-08-23 14:25:05 UTC
Packages are not affected.