Bug 1189652 - (CVE-2021-38593) VUL-0: CVE-2021-38593: libqt5-qtbase: qt: out-of-bounds write in QOutlineMapper:convertPath called from QRasterPaintEngine:fill and QPaintEngineEx:stroke
(CVE-2021-38593)
VUL-0: CVE-2021-38593: libqt5-qtbase: qt: out-of-bounds write in QOutlineMapp...
Status: RESOLVED INVALID
Classification: Novell Products
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents
unspecified
Other Other
: P3 - Medium : Major
: ---
Assigned To: Max Lin
Security Team bot
https://smash.suse.de/issue/306948/
:
Depends on:
Blocks:
  Show dependency treegraph
 
Reported: 2021-08-20 13:30 UTC by Gabriele Sonnu
Modified: 2021-08-23 14:25 UTC (History)
2 users (show)

See Also:
Found By: Security Response Team
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Gabriele Sonnu 2021-08-20 13:30:16 UTC
According to the report, all Qt version from 5.0.0 through 6.1.2 are affected.

We currently ship these packages:

- SUSE:SLE-12-SP2:Update/libqt5-qtbase  5.6.1
- SUSE:SLE-12-SP3:Update/libqt5-qtbase  5.6.2
- SUSE:SLE-15:Update/libqt5-qtbase      5.9.4
- SUSE:SLE-15-SP1:Update/libqt5-qtbase  5.9.7
- SUSE:SLE-15-SP2:Update/libqt5-qtbase  5.12.7
- openSUSE:Factory/libqt5-qtbase        5.15.2+kde200

I couldn't find the buggy code or reproduce the bug, could you please recheck them?
Comment 2 Max Lin 2021-08-23 09:18:03 UTC
I don't know why did CVE report claim any 5.X version are affected, because the bug is when https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=f4d791b330d02777fcaf02938732892eb3167e9b [1]does exist, however it was only applied to very recent 5.15(at least not for 5.15.2, possibly does exist in 5.15.3 but 5.15.3 and above are for commercial license user only) and 6.x series, so overall, current maintained libqt5 in SLE products don't have that change, therefore you can not find the buggy code, and the CVE fix https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=6b400e3147dcfd8cc3a393ace1bd118c93762e0c [2]just useless.

two options:
1. Take this report as invalid for SLE - since the buggy change[1] doesn't exist in our products(not in qt 5.6.x nor 5.9.x nor 5.12.x), these fixes[2] aren't *necessary*.
2. Take this report as valid for SLE - apply the buggy code[1] and the fix[2] to our libqt5, this would be *unwise* to do so.

I will go for option-1, what do you think?


[1] https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=f4d791b330d02777fcaf02938732892eb3167e9b

[2] https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=6b400e3147dcfd8cc3a393ace1bd118c93762e0c + https://code.qt.io/cgit/qt/qtbase.git/commit/src/gui/painting/qpaintengineex.cpp?id=84aba80944a2e1c3058d7a1372e0e66676411884
Comment 3 Gabriele Sonnu 2021-08-23 14:23:17 UTC
I agree, if we do not ship affected code option 1 is the way to go. I'll mark this bug as resolved.
Comment 4 Gabriele Sonnu 2021-08-23 14:25:05 UTC
Packages are not affected.