Bugzilla – Bug 1189652
VUL-0: CVE-2021-38593: libqt5-qtbase: qt: out-of-bounds write in QOutlineMapper:convertPath called from QRasterPaintEngine:fill and QPaintEngineEx:stroke
Last modified: 2021-08-23 14:25:05 UTC
Qt 5.0.0 through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).

Reference: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566

Upstream patches:
- https://github.com/qt/qtbase/commit/6b400e3147dcfd8cc3a393ace1bd118c93762e0c
- https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862
- https://github.com/qt/qtbase/commit/202143ba41f6ac574f1858214ed8bf4a38b73ccd

References:
- https://bugzilla.redhat.com/show_bug.cgi?id=1994719
- http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2021-38593
- https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566
- https://github.com/qt/qtbase/commit/6b400e3147dcfd8cc3a393ace1bd118c93762e0c
- https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862
- https://github.com/qt/qtbase/commit/202143ba41f6ac574f1858214ed8bf4a38b73ccd
- http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-38593
- http://www.cvedetails.com/cve/CVE-2021-38593/
- https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-903.yaml
According to the report, all Qt versions from 5.0.0 through 6.1.2 are affected. We currently ship these packages:
- SUSE:SLE-12-SP2:Update/libqt5-qtbase 5.6.1
- SUSE:SLE-12-SP3:Update/libqt5-qtbase 5.6.2
- SUSE:SLE-15:Update/libqt5-qtbase 5.9.4
- SUSE:SLE-15-SP1:Update/libqt5-qtbase 5.9.7
- SUSE:SLE-15-SP2:Update/libqt5-qtbase 5.12.7
- openSUSE:Factory/libqt5-qtbase 5.15.2+kde200

I couldn't find the buggy code or reproduce the bug. Could you please recheck them?
I don't know why the CVE report claims that any 5.X version is affected, because the bug only exists when https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=f4d791b330d02777fcaf02938732892eb3167e9b [1] is present. However, that change was only applied to very recent 5.15 (at least not to 5.15.2; it possibly exists in 5.15.3, but 5.15.3 and above are for commercial license users only) and to the 6.x series. So overall, the currently maintained libqt5 in SLE products doesn't have that change, which is why you cannot find the buggy code, and the CVE fix https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=6b400e3147dcfd8cc3a393ace1bd118c93762e0c [2] is just useless.

Two options:
1. Treat this report as invalid for SLE: since the buggy change [1] doesn't exist in our products (not in Qt 5.6.x, 5.9.x, or 5.12.x), these fixes [2] aren't *necessary*.
2. Treat this report as valid for SLE: apply the buggy code [1] and the fix [2] to our libqt5. This would be *unwise* to do.

I will go for option 1. What do you think?

[1] https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=f4d791b330d02777fcaf02938732892eb3167e9b
[2] https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=6b400e3147dcfd8cc3a393ace1bd118c93762e0c + https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=84aba80944a2e1c3058d7a1372e0e66676411884
I agree: if we do not ship the affected code, option 1 is the way to go. I'll mark this bug as resolved.
Packages are not affected.