Bug 1224782 (CVE-2024-36048) - VUL-0: CVE-2024-36048: qtnetworkauth: data race and poor seeding in generateRandomString()
Status: NEW
Alias: CVE-2024-36048
Product: openSUSE Distribution
Classification: openSUSE
Component: Security
Version: Leap 15.6
Hardware: Other
OS: Other
Priority: P3 - Medium
Severity: Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/406815/
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2024-05-21 09:12 UTC by Christophe Marin
Modified: 2024-05-27 16:04 UTC
CC List: 2 users

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Description Christophe Marin 2024-05-21 09:12:21 UTC
(Adding the bug report since I'm preparing the qt6-networkauth fixes)


QAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.

https://www.cve.org/CVERecord?id=CVE-2024-36048
https://nvd.nist.gov/vuln/detail/CVE-2024-36048

Affected:

qt6-networkauth packages in:
openSUSE:Factory (6.7.1 packaging in progress)
openSUSE:Backports:SLE15-SP5
openSUSE:Backports:SLE15-SP6

libqt5-qtnetworkauth:
openSUSE:Factory
openSUSE:Backports:SLE15-SP5
openSUSE:Backports:SLE15-SP6
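The defect class described above (a random-string generator whose PRNG is seeded from nothing but a clock value) is easy to spot with a determinism check. The following C++ program is an added illustration for this bug report; it is not Qt's generateRandomString() nor the patch shipped in these updates. It assumes a millisecond-of-day clock reading as the only seed for the weak variant, a constructed alphanumeric alphabet, and that std::random_device is backed by the OS entropy source (getrandom()/dev/urandom on Linux) for the hardened variant.

```cpp
#include <chrono>
#include <cstdint>
#include <iostream>
#include <random>
#include <string>

// Alphabet for the generated string (constructed for this example, not Qt's).
static const std::string kAlphabet =
    "0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz";

// Clock reading the way a time-only seeder would obtain it: milliseconds
// since the start of the current day, i.e. at most 86,400,000 distinct seeds.
std::uint32_t currentMsecOfDay() {
    using namespace std::chrono;
    auto sinceEpoch = system_clock::now().time_since_epoch();
    return static_cast<std::uint32_t>(
        duration_cast<milliseconds>(sinceEpoch).count() % 86400000LL);
}

// Weak pattern (illustration of the defect class, not the Qt source): the PRNG
// is seeded from the clock alone, so the whole output string is a deterministic
// function of one small, low-entropy seed.
std::string weakRandomString(std::uint8_t length, std::uint32_t msecOfDay) {
    std::mt19937 prng(msecOfDay);
    std::uniform_int_distribution<std::size_t> pick(0, kAlphabet.size() - 1);
    std::string out;
    out.reserve(length);
    for (std::uint8_t i = 0; i < length; ++i) out += kAlphabet[pick(prng)];
    return out;
}

// Hardened pattern: every character is drawn directly from the OS entropy
// source, so there is no seed that a clock reading could reveal.
// Assumption: std::random_device is non-deterministic on this platform.
std::string secureRandomString(std::uint8_t length) {
    std::random_device entropy;
    std::uniform_int_distribution<std::size_t> pick(0, kAlphabet.size() - 1);
    std::string out;
    out.reserve(length);
    for (std::uint8_t i = 0; i < length; ++i) out += kAlphabet[pick(entropy)];
    return out;
}

// Review check: a generator that returns the same string twice for the same
// clock value leaks its entire output through the timestamp. The weak
// generator always trips this check.
bool reproducibleFromClock(std::uint32_t msecOfDay) {
    return weakRandomString(16, msecOfDay) == weakRandomString(16, msecOfDay);
}

// Sanity check used for the hardened variant: output stays inside the alphabet.
bool onlyAlphabetChars(const std::string& s) {
    return s.find_first_not_of(kAlphabet) == std::string::npos;
}

int main() {
    std::uint32_t t = currentMsecOfDay();
    std::cout << "clock seed " << t << ": weak#1=" << weakRandomString(16, t)
              << " weak#2=" << weakRandomString(16, t)
              << (reproducibleFromClock(t) ? " (identical: seed leaks)\n" : "\n");
    std::cout << "secure#1=" << secureRandomString(16)
              << " secure#2=" << secureRandomString(16) << '\n';
    return 0;
}
```

The point of the check is that with a clock-only seed the token is worth no more than the clock reading that produced it; drawing each character from the OS entropy source removes the seed entirely rather than trying to make it harder to guess.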
Comment 1 OBSbugzilla Bot 2024-05-21 09:55:02 UTC
This is an autogenerated message for OBS integration:
This bug (1224782) was mentioned in
https://build.opensuse.org/request/show/1175484 Backports:SLE-15-SP6 / qt6-networkauth
https://build.opensuse.org/request/show/1175487 Backports:SLE-15-SP5 / qt6-networkauth
Comment 2 Marcus Meissner 2024-05-24 19:04:54 UTC
openSUSE-SU-2024:0138-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1224782
CVE References: CVE-2024-36048
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    qt6-networkauth-6.4.2-bp155.2.3.1, qt6-networkauth-docs-6.4.2-bp155.2.3.1
Comment 3 OBSbugzilla Bot 2024-05-27 10:45:03 UTC
This is an autogenerated message for OBS integration:
This bug (1224782) was mentioned in
https://build.opensuse.org/request/show/1177087 Factory / libqt5-qtnetworkauth
Comment 4 Christophe Marin 2024-05-27 11:21:07 UTC
(In reply to Christophe Marin from comment #0)

> 
> libqt5-qtnetworkauth:
> openSUSE:Factory
> openSUSE:Backports:SLE15-SP5

https://build.opensuse.org/request/show/1177107

> openSUSE:Backports:SLE15-SP6

https://build.opensuse.org/request/show/1177108


Reassign to security team
Comment 5 Marcus Meissner 2024-05-27 16:04:53 UTC
openSUSE-SU-2024:0143-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1224782
CVE References: CVE-2024-36048
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP5 (src):    libqt5-qtnetworkauth-5.15.2+kde2-bp155.3.3.1