ubuntu-sdk-bugs team mailing list archive

Thread
Date

[Bug 1950193] [NEW] libqt5svg5 affected by CVE-2021-38593

To: ubuntu-sdk-bugs@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1950193@xxxxxxxxxxxxxxxxxx>
Date: Sat, 27 Nov 2021 18:10:29 -0000
Reply-to: Bug 1950193 <1950193@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

*** This bug is a security vulnerability ***

You have been subscribed to a public security bug:

libqt5svg5 5.12.8-0ubuntu1 in Ubuntu 20.04 is affected by CVE-2021-38593:
https://nvd.nist.gov/vuln/detail/CVE-2021-38593

Trying to open the attached svg file will block one core at 100% and occupy much memory. Depending on the configuration, it might even run out of memory and crash. This is fixed upstream by:
https://codereview.qt-project.org/c/qt/qtbase/+/377942

The original issue is public since July 29th. If I'm allowed to upload
further files, I'll send a simple test program.

ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libqt5svg5 5.12.8-0ubuntu1
ProcVersionSignature: Ubuntu 5.14.0-1005.5-oem 5.14.9
Uname: Linux 5.14.0-1005-oem x86_64
ApportVersion: 2.20.11-0ubuntu27.21
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: GNOME
Date: Mon Nov  8 20:24:34 2021
InstallationDate: Installed on 2012-07-06 (3411 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
ProcEnviron:
 PATH=(custom, no user)
 XDG_RUNTIME_DIR=<set>
 LANG=de_DE.UTF-8
 SHELL=/bin/bash
SourcePackage: qtsvg-opensource-src
UpgradeStatus: Upgraded to focal on 2020-10-03 (400 days ago)

** Affects: qtbase-opensource-src (Ubuntu)
     Importance: Undecided
     Assignee: Dmitry Shachnev (mitya57)
         Status: In Progress


** Tags: amd64 apport-bug community-security focal
-- 
libqt5svg5 affected by CVE-2021-38593
https://bugs.launchpad.net/bugs/1950193
You received this bug notification because you are a member of Ubuntu SDK bug tracking, which is subscribed to qtbase-opensource-src in Ubuntu.