Bug 1039291 - (CVE-2016-10040) VUL-0: CVE-2016-10040: libqt4,libqt5-qtbase: stack buffer overflow in QXmlSimpleReader
(CVE-2016-10040)
VUL-0: CVE-2016-10040: libqt4,libqt5-qtbase: stack buffer overflow in QXmlSim...
Status: RESOLVED FIXED
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Normal
: ---
Assigned To: Security Team bot
Security Team bot
https://smash.suse.de/issue/178082/
CVSSv3:RedHat:CVE-2016-10040:3.7:(AV:...
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2017-05-16 10:51 UTC by Marcus Meissner
Modified: 2020-04-28 13:14 UTC (History)
3 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Victor Pereira 2017-06-07 13:27:00 UTC
patchset https://codereview.qt-project.org/#/c/71010/
Comment 2 Dirk Mueller 2017-10-16 11:39:00 UTC
all of that is fixed in 4.8.7.
Comment 3 Johannes Segitz 2018-02-16 13:58:01 UTC
please submit for both packages. Thank you
Comment 4 Johannes Segitz 2018-02-27 09:34:42 UTC
ping. Please submit
Comment 5 Dirk Mueller 2018-04-23 12:46:48 UTC
The code that was patched for this bugreport doesn't exist in Qt 4.6. The code that was patched is a fix for CVE-2013-4549, which we have not fixed in SLE11. 

the rest is fixed in 4.8.7, which would be a good thing to update to anyway. want me to submit 4.8.7 to SLE12?
Comment 6 Dirk Mueller 2018-05-05 07:24:57 UTC
154348  State:declined   By:darix        When:2018-02-09T12:36:29
        maintenance_incident: home:dirkmueller:branches:SUSE:SLE-12:Update/libqt4@c3726ad7a2d7adfbbc4b3006cffdc590 -> SUSE:Maintenance (release in SUSE:SLE-12:Update)


I'm trying to submit it once more, hopefully it gets accepted now:

164467  State:review     By:dirkmueller  When:2018-05-05T06:45:32
        maintenance_incident: home:dirkmueller:branches:SUSE:SLE-12:Update/libqt4@404d502e435fcc6314f58571cb191a23 -> SUSE:Maintenance (release in SUSE:SLE-12:Update)

it also requires request 164468 (libQtWebKit4)
Comment 7 Swamp Workflow Management 2018-07-06 16:08:12 UTC
SUSE-SU-2018:1902-1: An update that solves one vulnerability and has four fixes is now available.

Category: security (moderate)
Bug References: 1039291,1042657,956357,964458,982826
CVE References: CVE-2016-10040
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP3 (src):    libqt4-4.8.7-8.6.1, libqt4-sql-plugins-4.8.7-8.6.1, qt4-qtscript-0.2.0-11.2.4
SUSE Linux Enterprise Software Development Kit 12-SP3 (src):    libQtWebKit4-4.8.7+2.3.4-4.5.1, libqca2-2.0.3-17.2.1, libqt4-4.8.7-8.6.1, libqt4-devel-doc-4.8.7-8.6.4, libqt4-sql-plugins-4.8.7-8.6.1
SUSE Linux Enterprise Server 12-SP3 (src):    libQtWebKit4-4.8.7+2.3.4-4.5.1, libqca2-2.0.3-17.2.1, libqt4-4.8.7-8.6.1, libqt4-devel-doc-4.8.7-8.6.4, libqt4-sql-plugins-4.8.7-8.6.1
SUSE Linux Enterprise Desktop 12-SP3 (src):    libQtWebKit4-4.8.7+2.3.4-4.5.1, libqca2-2.0.3-17.2.1, libqt4-4.8.7-8.6.1, libqt4-sql-plugins-4.8.7-8.6.1, qt4-qtscript-0.2.0-11.2.4
Comment 8 Alexandros Toptsoglou 2020-04-28 13:14:26 UTC
Done