Bugzilla – Bug 1189652
VUL-0: CVE-2021-38593: libqt5-qtbase: qt: out-of-bounds write in QOutlineMapper::convertPath called from QRasterPaintEngine::fill and QPaintEngineEx::stroke
Last modified: 2021-08-23 14:25:05 UTC
Qt 5.0.0 through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).
According to the report, all Qt versions from 5.0.0 through 6.1.2 are affected.
We currently ship these packages:
- SUSE:SLE-12-SP2:Update/libqt5-qtbase 5.6.1
- SUSE:SLE-12-SP3:Update/libqt5-qtbase 5.6.2
- SUSE:SLE-15:Update/libqt5-qtbase 5.9.4
- SUSE:SLE-15-SP1:Update/libqt5-qtbase 5.9.7
- SUSE:SLE-15-SP2:Update/libqt5-qtbase 5.12.7
- openSUSE:Factory/libqt5-qtbase 5.15.2+kde200
I couldn't find the buggy code or reproduce the bug; could you please recheck them?
I don't know why the CVE report claims that any 5.X version is affected, because the bug only exists when https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=f4d791b330d02777fcaf02938732892eb3167e9b is present; however, that change was only applied to very recent 5.15 (at least not to 5.15.2; it possibly exists in 5.15.3, but 5.15.3 and above are for commercial license users only) and to the 6.x series. So overall, the currently maintained libqt5 in SLE products doesn't have that change, therefore you cannot find the buggy code, and the CVE fix https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=6b400e3147dcfd8cc3a393ace1bd118c93762e0c is just useless for us.
1. Take this report as invalid for SLE - since the buggy change doesn't exist in our products (not in qt 5.6.x, nor 5.9.x, nor 5.12.x), these fixes aren't *necessary*.
2. Take this report as valid for SLE - apply the buggy code and the fix to our libqt5; it would be *unwise* to do so.
I will go for option-1, what do you think?
https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=6b400e3147dcfd8cc3a393ace1bd118c93762e0c + https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=84aba80944a2e1c3058d7a1372e0e66676411884
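The triage argument above rests on one question: is the commit that introduced the bug an ancestor of the release a package is built from? The following shell snippet is an added example, not part of the bug report or of Qt's own tooling, showing how to answer that with `git merge-base --is-ancestor`. The `is_commit_in_release` function works against any clone (for qtbase: `git clone https://code.qt.io/qt/qtbase.git`, then pass the commit ID from the link above and a release tag; the tag naming `v5.12.7` is assumed here, check `git tag -l` in the real clone). `make_demo_repo` builds a small throw-away repository with a constructed history so the check runs offline; its tag and commit names are placeholders and say nothing about real Qt history.

```shell
# Added example: answer "does release <ref> contain commit <commit>?" for a git clone.
# Prints "present"/"absent" and returns 0/1. A commit ID unknown to the clone
# (e.g. a shallow clone) also reports "absent", so fetch full history first.
is_commit_in_release() {
    repo="$1"; commit="$2"; ref="$3"
    if git -C "$repo" merge-base --is-ancestor "$commit" "$ref" 2>/dev/null; then
        echo "present"; return 0
    else
        echo "absent"; return 1
    fi
}

# Constructed demo repository standing in for qtbase so the check runs offline:
# tag v5.12 is created before the "buggy" commit, tag v5.15.3 after it.
# Prints the ID of the hypothetical buggy commit.
make_demo_repo() {
    dir="$1"
    rm -rf "$dir"; mkdir -p "$dir"
    git -C "$dir" init -q
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "baseline release state"
    git -C "$dir" tag v5.12
    git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
        commit -q --allow-empty -m "hypothetical change that introduced the bug"
    git -C "$dir" tag v5.15.3
    git -C "$dir" rev-parse v5.15.3
}

# Stand-alone demo run (real usage: is_commit_in_release qtbase <commit-id> v5.12.7).
demo_dir="${TMPDIR:-/tmp}/qtbase-ancestry-demo.$$"
buggy="$(make_demo_repo "$demo_dir")"
printf 'v5.12:   %s\n' "$(is_commit_in_release "$demo_dir" "$buggy" v5.12 || true)"
printf 'v5.15.3: %s\n' "$(is_commit_in_release "$demo_dir" "$buggy" v5.15.3 || true)"
rm -rf "$demo_dir"
```

Run the same function for each shipped version (5.6.x, 5.9.x, 5.12.x tags) against the commit ID of the change that introduced the bug; "absent" for all of them is the evidence behind option 1, and the same call with the fix commit IDs tells you whether a backport is even applicable.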
I agree; if we do not ship the affected code, option 1 is the way to go. I'll mark this bug as resolved.
Packages are not affected.