Bugzilla – Bug 1219996
VUL-0: CVE-2024-25580: libqt5-qtbase,qt6-base: qtbase: potential buffer overflow when reading KTX images
Last modified: 2024-07-03 05:10:58 UTC
CVE-2024-25580: A recently reported potential buffer overflow issue in Qt’s KTX’s image handling has been assigned the CVE id CVE-2024-25580. An issue was discovered in Qt from 5.12.0 through 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. With a specifically crafted KTX image file it is possible that the application reading it could cause an overflow and subsequently a crash. Fixed qtbase-6.6.2 is already in-tree (pending stable), qtgui will need: https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff References: http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2024-25580 https://bugzilla.redhat.com/show_bug.cgi?id=2264423
KTX support got introduced in Qt 5.12, so qt3 and libqt4 are not affected.
Patch: https://github.com/qt/qtbase/commit/28ecb523ce8490bff38b251b3df703c72e057519 6.6 - https://ftp.fau.de/qtproject/archive/qt/6.6/CVE-2024-25580-qtbase-6.6.diff 6.5 - https://ftp.fau.de/qtproject/archive/qt/6.5/CVE-2024-25580-qtbase-6.5.diff 6.2 - https://ftp.fau.de/qtproject/archive/qt/6.2/CVE-2024-25580-qtbase-6.2.diff 5.15 - https://ftp.fau.de/qtproject/archive/qt/5.15/CVE-2024-25580-qtbase-5.15.diff Thanks Fabian, tracking as affected: - SUSE:ALP:Source:Standard:1.0/libqt5-qtbase - SUSE:SLE-15-SP2:Update/libqt5-qtbase - SUSE:SLE-15-SP4:Update/libqt5-qtbase - SUSE:SLE-15-SP5:Update/libqt5-qtbase - SUSE:SLE-15-SP5:Update/qt6-base - SUSE:ALP:Source:Standard:1.0/qt6-base - openSUSE:Factory/qt6-base - openSUSE:Factory/libqt5-qtbase
(In reply to Andrea Mattiazzo from comment #2) > Thanks Fabian, tracking as affected: > - openSUSE:Factory/qt6-base The Qt6 packages were updated to 6.6.2 and are not affected anymore