Bug 927807 (CVE-2015-1859)

Summary: VUL-0: CVE-2015-1859: libqt5-qtbase,libqt4,qt,qt3: segmentation fault in ICO Qt Image Format Handling
Product: [Novell Products] SUSE Security Incidents
Reporter: Andreas Stieger <astieger>
Component: Incidents
Assignee: Security Team bot <security-team>
Status: RESOLVED FIXED
QA Contact: Security Team bot <security-team>
Severity: Normal
Priority: P3 - Medium
CC: mlin, smash_bz
Version: unspecified
Target Milestone: ---
Hardware: Other
OS: Other
URL: https://smash.suse.de/issue/115701/
Whiteboard: maint:released:sle11-sp3:61769 CVSSv2:RedHat:CVE-2015-1859:5.1:(AV:N/AC:H/Au:N/C:P/I:P/A:P) CVSSv2:NVD:CVE-2015-1859:6.8:(AV:N/AC:M/Au:N/C:P/I:P/A:P)
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Description Andreas Stieger 2015-04-20 10:09:32 UTC
rh#1210674

Qt Project Security Advisory
----------------------------

Title:        Multiple Vulnerabilities in Qt Image Format Handling
Risk Rating:  High
CVE:          CVE-2015-1858, CVE-2015-1859, CVE-2015-1860
Platforms:    All
Modules:      QtBase
Versions:     Qt 4.8.6 and earlier, Qt 5.4.1 and earlier
Author:       Richard J. Moore <rich at kde.org>
Date:         12th April 2015

Overview
--------

Due to two recent vulnerabilities identified in the built-in image format
handling code, it was decided that this area required further testing to
determine if further issues remained. Fuzzing using afl-fuzz located a number
of issues in the handling of BMP, ICO and GIF files. The issues exposed
included denial of service and buffer overflows leading to heap corruption. It
is possible the latter could be used to perform remote code execution.


CVE-2015-1859 ICO vulnerability

Impact
------

Denial of service and potentially remote code execution.

Workaround
----------

None

Solution
--------

Upgrade to Qt 5.5 once released or apply the patches below:

For Qt 5.0 to 5.4:

https://codereview.qt-project.org/#/c/108312/
https://codereview.qt-project.org/#/c/108248/

For Qt 4.8:

https://codereview.qt-project.org/#/c/108474/
https://codereview.qt-project.org/#/c/108475/

The fixes will also be included in Qt 4.8.7 and 5.4.2.

References:
https://bugzilla.redhat.com/show_bug.cgi?id=1210674
http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2015-1859
http://people.canonical.com/~ubuntu-security/cve/2015/CVE-2015-1859.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2015-1859
Comment 1 Swamp Workflow Management 2015-04-20 11:17:41 UTC
An update workflow for this issue was started.
This issue was rated as moderate.
Please submit fixed packages until 2015-05-04.
When done, reassign the bug to security-team@suse.de.
https://swamp.suse.de/webswamp/wf/61570
Comment 2 Swamp Workflow Management 2015-04-20 22:01:09 UTC
bugbot adjusting priority
Comment 3 Dirk Mueller 2015-05-07 13:52:29 UTC
This is really a duplicate of 927808.
Comment 4 Bernhard Wiedemann 2015-05-07 17:00:13 UTC
This is an autogenerated message for OBS integration:
This bug (927807) was mentioned in
https://build.opensuse.org/request/show/305786 Factory / libqt4
Comment 7 Andreas Stieger 2015-05-13 14:52:38 UTC
SLE12 libqt5-qtbase is affected:
libqt5-qtbase/qtbase-opensource-src-5.3.1.tar.xz.contents/qtbase-opensource-src-5.3.1/src/gui/image/qgifhandler.cpp
libqt5-qtbase/qtbase-opensource-src-5.3.1.tar.xz.contents/qtbase-opensource-src-5.3.1/src/plugins/imageformats/ico/qicohandler.cpp

Please proceed to also fix this package on SLE 12 in addition to libqt4. Thanks!
Comment 8 Andreas Stieger 2015-05-13 14:56:32 UTC
bug 921999, bug 927806, bug 927807, bug 927808 affect libqt5-qtbase on SLE 12. Assigning to maintainer for submission.
Comment 11 Swamp Workflow Management 2015-06-01 13:05:31 UTC
SUSE-SU-2015:0977-1: An update that fixes four vulnerabilities is now available.

Category: security (moderate)
Bug References: 921999,927806,927807,927808
CVE References: CVE-2015-0295,CVE-2015-1858,CVE-2015-1859,CVE-2015-1860
Sources used:
SUSE Linux Enterprise Software Development Kit 11 SP3 (src):    libqt4-4.6.3-5.34.2, libqt4-devel-doc-4.6.3-5.34.2, libqt4-devel-doc-data-4.6.3-5.34.2, libqt4-sql-plugins-4.6.3-5.34.2
SUSE Linux Enterprise Server 11 SP3 for VMware (src):    libqt4-4.6.3-5.34.2, libqt4-devel-doc-4.6.3-5.34.2, libqt4-sql-plugins-4.6.3-5.34.2
SUSE Linux Enterprise Server 11 SP3 (src):    libqt4-4.6.3-5.34.2, libqt4-devel-doc-4.6.3-5.34.2, libqt4-sql-plugins-4.6.3-5.34.2
SUSE Linux Enterprise Desktop 11 SP3 (src):    libqt4-4.6.3-5.34.2, libqt4-sql-plugins-4.6.3-5.34.2
Comment 12 Swamp Workflow Management 2015-08-07 09:11:34 UTC
SUSE-SU-2015:1359-1: An update that solves four vulnerabilities and has two fixes is now available.

Category: security (moderate)
Bug References: 847880,921999,927806,927807,927808,929688
CVE References: CVE-2015-0295,CVE-2015-1858,CVE-2015-1859,CVE-2015-1860
Sources used:
SUSE Linux Enterprise Workstation Extension 12 (src):    libqt4-4.8.6-4.2, libqt4-sql-plugins-4.8.6-4.1
SUSE Linux Enterprise Software Development Kit 12 (src):    libqt4-4.8.6-4.2, libqt4-devel-doc-4.8.6-4.6, libqt4-sql-plugins-4.8.6-4.1
SUSE Linux Enterprise Server 12 (src):    libqt4-4.8.6-4.2, libqt4-devel-doc-4.8.6-4.6, libqt4-sql-plugins-4.8.6-4.1
SUSE Linux Enterprise Desktop 12 (src):    libqt4-4.8.6-4.2, libqt4-sql-plugins-4.8.6-4.1
Comment 13 Swamp Workflow Management 2015-08-14 11:10:22 UTC
SUSE-SU-2015:1383-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 870151,921999,927806,927807,927808
CVE References: CVE-2015-0295,CVE-2015-1858,CVE-2015-1859,CVE-2015-1860
Sources used:
SUSE Linux Enterprise Software Development Kit 12 (src):    libqt5-qtbase-5.3.1-4.4.2
SUSE Linux Enterprise Server 12 (src):    libqt5-qtbase-5.3.1-4.4.2
SUSE Linux Enterprise Desktop 12 (src):    libqt5-qtbase-5.3.1-4.4.2
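The three update notices above give the fixed builds per product. As an added example (not part of this bug report and not SUSE's or Qt's own tooling), the Python below checks an installed version-release string, as printed by `rpm -q --qf '%{VERSION}-%{RELEASE}\n' PACKAGE`, against those fixed builds using a reimplementation of rpm's segment-wise version ordering (including the `~` pre-release and `^` post-release rules, which go beyond what the notices need). The inventory lines and the product labels are constructed, and it assumes none of these packages carries an Epoch.

```python
"""Compare installed RPM version-release strings with the fixed builds from the
SUSE-SU-2015:0977-1, :1359-1 and :1383-1 notices.  Added example, not from the
bug report.  Assumes no Epoch and "VERSION-RELEASE" formatting (labelled assumption)."""
import re

# Fixed builds exactly as listed in the update notices (product labels are ours).
FIXED_BUILDS = {
    ("SLE11-SP3", "libqt4"): "4.6.3-5.34.2",
    ("SLE12", "libqt4"): "4.8.6-4.2",
    ("SLE12", "libqt5-qtbase"): "5.3.1-4.4.2",
}

_SEP = re.compile(r"^[^a-zA-Z0-9~^]+")   # separators rpm ignores (".", "-", "_", ...)
_DIGITS = re.compile(r"^[0-9]+")
_ALPHA = re.compile(r"^[a-zA-Z]+")


def rpmvercmp(a: str, b: str) -> int:
    """Reimplementation of rpm's rpmvercmp(): -1 if a < b, 0 if equal, 1 if a > b."""
    if a == b:
        return 0
    while True:
        a, b = _SEP.sub("", a), _SEP.sub("", b)
        # "~" sorts before everything, even the end of the string (1.0~rc1 < 1.0).
        if a.startswith("~") or b.startswith("~"):
            if not a.startswith("~"):
                return 1
            if not b.startswith("~"):
                return -1
            a, b = a[1:], b[1:]
            continue
        # "^" sorts after the end of the string but before any other segment (1.0^post1 > 1.0).
        if a.startswith("^") or b.startswith("^"):
            if not a:
                return -1
            if not b:
                return 1
            if not a.startswith("^"):
                return 1
            if not b.startswith("^"):
                return -1
            a, b = a[1:], b[1:]
            continue
        if not a or not b:
            break
        if a[0].isdigit():
            ma, mb = _DIGITS.match(a), _DIGITS.match(b)
            if mb is None:
                return 1                      # numeric segment beats an alpha segment
            sa, sb = ma.group().lstrip("0"), mb.group().lstrip("0")
            if len(sa) != len(sb):            # longer numeric string is the larger number
                rc = 1 if len(sa) > len(sb) else -1
            else:
                rc = (sa > sb) - (sa < sb)
        else:
            ma, mb = _ALPHA.match(a), _ALPHA.match(b)
            if mb is None:
                return -1                     # alpha segment loses to a numeric one
            sa, sb = ma.group(), mb.group()
            rc = (sa > sb) - (sa < sb)        # plain string comparison for letters
        if rc != 0:
            return rc
        a, b = a[ma.end():], b[mb.end():]
    if not a and not b:
        return 0
    return -1 if not a else 1                 # whichever side has segments left is newer


def compare_vr(installed: str, fixed: str) -> int:
    """Compare "VERSION-RELEASE" strings: version first, release only on a tie."""
    iv, _, ir = installed.rpartition("-")
    fv, _, fr = fixed.rpartition("-")
    rc = rpmvercmp(iv, fv)
    return rc if rc != 0 else rpmvercmp(ir, fr)


def is_patched(product: str, package: str, installed_vr: str) -> bool:
    """True when the installed build is at or above the fixed build for that product."""
    fixed = FIXED_BUILDS.get((product, package))
    if fixed is None:
        raise KeyError(f"no fixed build recorded for {package} on {product}")
    return compare_vr(installed_vr, fixed) >= 0


if __name__ == "__main__":
    # Constructed inventory: (host, product, package, output of rpm -q --qf '%{VERSION}-%{RELEASE}\n').
    inventory = [
        ("sles11-a", "SLE11-SP3", "libqt4", "4.6.3-5.34.1"),
        ("sles11-b", "SLE11-SP3", "libqt4", "4.6.3-5.34.2"),
        ("sles12-a", "SLE12", "libqt5-qtbase", "5.3.1-4.4.2"),
        ("sles12-b", "SLE12", "libqt4", "4.8.5-10.1"),
    ]
    for host, product, package, vr in inventory:
        state = "patched" if is_patched(product, package, vr) else "VULNERABLE"
        print(f"{host:10} {package:14} {vr:14} {state}")
```

Because release numbers are compared as numbers per segment, `5.34.10` correctly sorts above `5.34.2`; a naive string comparison would get that wrong and report a patched host as vulnerable.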
Comment 14 Marcus Meissner 2016-03-03 10:01:17 UTC
was fixed apparently