Bug 1224782 (CVE-2024-36048)

Summary: VUL-0: CVE-2024-36048: qtnetworkauth: data race and poor seeding in generateRandomString()
Product: [openSUSE] openSUSE Distribution
Reporter: Christophe Marin <christophe>
Component: Security
Assignee: Security Team bot <security-team>
Status: NEW ---
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: meissner, rfrohl
Version: Leap 15.6
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/406815/
Whiteboard:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Christophe Marin 2024-05-21 09:12:21 UTC
(Adding the bug report since I'm preparing the qt6-networkauth fixes)


QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.

https://www.cve.org/CVERecord?id=CVE-2024-36048
https://nvd.nist.gov/vuln/detail/CVE-2024-36048

Affected:

qt6-networkauth packages in:
openSUSE:Factory (6.7.1 packaging in progress)
openSUSE:Backports:SLE15-SP5
openSUSE:Backports:SLE15-SP6

libqt5-qtnetworkauth:
openSUSE:Factory
openSUSE:Backports:SLE15-SP5
openSUSE:Backports:SLE15-SP6

Comment 1 OBSbugzilla Bot 2024-05-21 09:55:02 UTC
This is an autogenerated message for OBS integration:
This bug (1224782) was mentioned in
https://build.opensuse.org/request/show/1175484 Backports:SLE-15-SP6 / qt6-networkauth
https://build.opensuse.org/request/show/1175487 Backports:SLE-15-SP5 / qt6-networkauth

Comment 2 Marcus Meissner 2024-05-24 19:04:54 UTC
openSUSE-SU-2024:0138-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1224782
CVE References: CVE-2024-36048
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    qt6-networkauth-6.4.2-bp155.2.3.1, qt6-networkauth-docs-6.4.2-bp155.2.3.1

Comment 3 OBSbugzilla Bot 2024-05-27 10:45:03 UTC
This is an autogenerated message for OBS integration:
This bug (1224782) was mentioned in
https://build.opensuse.org/request/show/1177087 Factory / libqt5-qtnetworkauth

Comment 4 Christophe Marin 2024-05-27 11:21:07 UTC
(In reply to Christophe Marin from comment #0)

> 
> libqt5-qtnetworkauth:
> openSUSE:Factory
> openSUSE:Backports:SLE15-SP5

https://build.opensuse.org/request/show/1177107

> openSUSE:Backports:SLE15-SP6

https://build.opensuse.org/request/show/1177108


Reassign to security team

Comment 5 Marcus Meissner 2024-05-27 16:04:53 UTC
openSUSE-SU-2024:0143-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1224782
CVE References: CVE-2024-36048
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    libqt5-qtnetworkauth-5.15.2+kde2-bp155.3.3.1