ubuntu-sdk-bugs team mailing list archive

Thread
Date

[Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

To: ubuntu-sdk-bugs@xxxxxxxxxxxxxxxxxxx
From: Launchpad Bug Tracker <1950193@xxxxxxxxxxxxxxxxxx>
Date: Tue, 30 Nov 2021 19:27:06 -0000
Reply-to: Bug 1950193 <1950193@xxxxxxxxxxxxxxxxxx>
Sender: noreply@xxxxxxxxxxxxx

This bug was fixed in the package qtbase-opensource-src - 5.15.2+dfsg-14

---------------
qtbase-opensource-src (5.15.2+dfsg-14) unstable; urgency=medium

  * Backport four upstream commits to fix massive memory consumption when
    rendering specially crafted SVG files (CVE-2021-38593, LP: #1950193).
  * Update symbols files from buildds’ logs.
  * Override some source-is-missing and unpack-message-for-orig warnings.

 -- Dmitry Shachnev <mitya57@xxxxxxxxxx>  Sun, 28 Nov 2021 17:12:50
+0300

** Changed in: qtbase-opensource-src (Ubuntu)
       Status: In Progress => Fix Released

-- 
You received this bug notification because you are a member of Ubuntu
SDK bug tracking, which is subscribed to qtbase-opensource-src in
Ubuntu.
https://bugs.launchpad.net/bugs/1950193

Title:
  libqt5svg5 affected by CVE-2021-38593

Status in qtbase-opensource-src package in Ubuntu:
  Fix Released

Bug description:
  libqt5svg5 5.12.8-0ubuntu1 in Ubuntu 20.04 is affected by CVE-2021-38593:
  https://nvd.nist.gov/vuln/detail/CVE-2021-38593

  Trying to open the attached svg file will block one core at 100% and occupy much memory. Depending on the configuration, it might even run out of memory and crash. This is fixed upstream by:
  https://codereview.qt-project.org/c/qt/qtbase/+/377942

  The original issue is public since July 29th. If I'm allowed to upload
  further files, I'll send a simple test program.

  ProblemType: Bug
  DistroRelease: Ubuntu 20.04
  Package: libqt5svg5 5.12.8-0ubuntu1
  ProcVersionSignature: Ubuntu 5.14.0-1005.5-oem 5.14.9
  Uname: Linux 5.14.0-1005-oem x86_64
  ApportVersion: 2.20.11-0ubuntu27.21
  Architecture: amd64
  CasperMD5CheckResult: skip
  CurrentDesktop: GNOME
  Date: Mon Nov  8 20:24:34 2021
  InstallationDate: Installed on 2012-07-06 (3411 days ago)
  InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
  ProcEnviron:
   PATH=(custom, no user)
   XDG_RUNTIME_DIR=<set>
   LANG=de_DE.UTF-8
   SHELL=/bin/bash
  SourcePackage: qtsvg-opensource-src
  UpgradeStatus: Upgraded to focal on 2020-10-03 (400 days ago)

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1950193/+subscriptions