Bug 1223917 (CVE-2024-33861)

Summary: VUL-0: CVE-2024-33861: qt6-base: invalid pointer in QStringConverter
Product: [Novell Products] SUSE Security Incidents Reporter: Gabriele Sonnu <gabriele.sonnu>
Component: IncidentsAssignee: Antonio Larrosa <alarrosa>
Status: NEW --- QA Contact: Security Team bot <security-team>
Severity: Normal    
Priority: P3 - Medium    
Version: unspecified   
Target Milestone: ---   
Hardware: Other   
OS: Other   
URL: https://smash.suse.de/issue/404450/
Whiteboard: CVSSv3.1:SUSE:CVE-2024-33861:5.8:(AV:L/AC:H/PR:L/UI:N/S:U/C:L/I:L/A:H)
Found By: Security Response Team Services Priority:
Business Priority: Blocker: ---
Marketing QA Status: --- IT Deployment: ---

Description Gabriele Sonnu 2024-05-06 08:08:16 UTC 
QStringConverter has an invalid pointer being passed as a callback which can allow modification of the stack and has been assigned the CVE id CVE-2024-33861.

Qt itself is not vulnerable to remote attack however an application using QStringDecoder either directly or indirectly can be vulnerable. This affects Qt 6.5.0->6.5.5, 6.6.x and 6.7.0.

This requires:

1) the attacker be able to tell the application a specific codec to use

2) the attacker be able to feed the application data in a specific way to cause the desired modification

3) the attacker what in the stack will get modified, which requires knowing the build of the application (and not all builds will be vulnerable)

4) the modification do anything in particular that is useful to the attacker, besides maybe crashing the application

 Qt does not automatically use any of those codecs, so this needs the application to implement something using QStringDecoder to be vulnerable.

Solution: Apply the following patch or update to Qt 6.5.6 or Qt 6.7.1.

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/555922
6.7: https://codereview.qt-project.org/c/qt/qtbase/+/556191 or https://download.qt.io/official_releases/qt/6.7/CVE-2024-33861-qtbase-6.7.diff
6.6: https://download.qt.io/official_releases/qt/6.6/CVE-2024-33861-qtbase-6.6.diff
6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/556369 or https://download.qt.io/official_releases/qt/6.5/CVE-2024-33861-qtbase-6.5.diff

References:
https://www.qt.io/blog/security-advisory-qstringconverter
Comment 1 Gabriele Sonnu 2024-05-06 09:13:56 UTC 
Tracking as affected:

- openSUSE:Factory/qt6-base              6.7.0
- SUSE:ALP:Source:Standard:1.0/qt6-base  6.6.1
- SUSE:SLE-15-SP6:Update/qt6-base        6.6.3
Comment 2 Christophe Marin 2024-05-10 07:34:11 UTC 
(In reply to Gabriele Sonnu from comment #1)
> Tracking as affected:
> 
> - openSUSE:Factory/qt6-base              6.7.0

The bug report arrived too late, the fix is already in factory