Bugzilla – Full Text Bug Listing
Summary: VUL-0: CVE-2021-38593: libqt5-qtbase: qt: out-of-bounds write in QOutlineMapper:convertPath called from QRasterPaintEngine:fill and QPaintEngineEx:stroke
Product: [Novell Products] SUSE Security Incidents
Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: Incidents
Assignee: Max Lin <mlin>
Status: RESOLVED INVALID
QA Contact: Security Team bot <security-team>
Priority: P3 - Medium
CC: gabriele.sonnu, smash_bz
Found By: Security Response Team
Services Priority: (none)
Marketing QA Status: ---
IT Deployment: ---
Description Gabriele Sonnu 2021-08-20 13:30:02 UTC
Qt 5.0.0 through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).

Reference: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566

Upstream patches:
- https://github.com/qt/qtbase/commit/6b400e3147dcfd8cc3a393ace1bd118c93762e0c
- https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862
- https://github.com/qt/qtbase/commit/202143ba41f6ac574f1858214ed8bf4a38b73ccd

References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1994719
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38593
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566
- https://github.com/qt/qtbase/commit/6b400e3147dcfd8cc3a393ace1bd118c93762e0c
- https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862
- https://github.com/qt/qtbase/commit/202143ba41f6ac574f1858214ed8bf4a38b73ccd
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38593
- http://www.cvedetails.com/cve/CVE-2021-38593/
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-903.yaml
Comment 1 Gabriele Sonnu 2021-08-20 13:30:16 UTC
According to the report, all Qt versions from 5.0.0 through 6.1.2 are affected. We currently ship these packages:

- SUSE:SLE-12-SP2:Update/libqt5-qtbase 5.6.1
- SUSE:SLE-12-SP3:Update/libqt5-qtbase 5.6.2
- SUSE:SLE-15:Update/libqt5-qtbase 5.9.4
- SUSE:SLE-15-SP1:Update/libqt5-qtbase 5.9.7
- SUSE:SLE-15-SP2:Update/libqt5-qtbase 5.12.7
- openSUSE:Factory/libqt5-qtbase 5.15.2+kde200

I couldn't find the buggy code or reproduce the bug; could you please recheck them?
Comment 2 Max Lin 2021-08-23 09:18:03 UTC
I don't know why the CVE report claims that any 5.X version is affected, because the bug exists only when https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=f4d791b330d02777fcaf02938732892eb3167e9b is present. However, that change was only applied to very recent 5.15 (at least not to 5.15.2; it possibly exists in 5.15.3, but 5.15.3 and above are for commercial license users only) and the 6.x series. So overall, the currently maintained libqt5 in SLE products doesn't have that change, which is why you cannot find the buggy code, and the CVE fix https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=6b400e3147dcfd8cc3a393ace1bd118c93762e0c is simply useless here.

Two options:

1. Take this report as invalid for SLE: since the buggy change doesn't exist in our products (not in qt 5.6.x, 5.9.x nor 5.12.x), these fixes aren't *necessary*.
2. Take this report as valid for SLE: apply the buggy code and the fix to our libqt5; this would be *unwise* to do.

I will go for option 1; what do you think?

Buggy change:
https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=f4d791b330d02777fcaf02938732892eb3167e9b

Fixes:
https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=6b400e3147dcfd8cc3a393ace1bd118c93762e0c
+
https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=84aba80944a2e1c3058d7a1372e0e66676411884
Comment 3 Gabriele Sonnu 2021-08-23 14:23:17 UTC
I agree; if we do not ship the affected code, option 1 is the way to go. I'll mark this bug as resolved.
Comment 4 Gabriele Sonnu 2021-08-23 14:25:05 UTC
Packages are not affected.