ubuntu-sdk-bugs team mailing list archive
-
ubuntu-sdk-bugs team
-
Mailing list archive
-
Message #08112
[Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593
This bug was fixed in the package qtbase-opensource-src - 5.15.2+dfsg-14
---------------
qtbase-opensource-src (5.15.2+dfsg-14) unstable; urgency=medium
* Backport four upstream commits to fix massive memory consumption when
rendering specially crafted SVG files (CVE-2021-38593, LP: #1950193).
* Update symbols files from buildds’ logs.
* Override some source-is-missing and unpack-message-for-orig warnings.
-- Dmitry Shachnev <mitya57@xxxxxxxxxx> Sun, 28 Nov 2021 17:12:50
+0300
** Changed in: qtbase-opensource-src (Ubuntu)
Status: In Progress => Fix Released
--
You received this bug notification because you are a member of Ubuntu
SDK bug tracking, which is subscribed to qtbase-opensource-src in
Ubuntu.
https://bugs.launchpad.net/bugs/1950193
Title:
libqt5svg5 affected by CVE-2021-38593
Status in qtbase-opensource-src package in Ubuntu:
Fix Released
Bug description:
libqt5svg5 5.12.8-0ubuntu1 in Ubuntu 20.04 is affected by CVE-2021-38593:
https://nvd.nist.gov/vuln/detail/CVE-2021-38593
Trying to open the attached svg file will block one core at 100% and occupy much memory. Depending on the configuration, it might even run out of memory and crash. This is fixed upstream by:
https://codereview.qt-project.org/c/qt/qtbase/+/377942
The original issue is public since July 29th. If I'm allowed to upload
further files, I'll send a simple test program.
ProblemType: Bug
DistroRelease: Ubuntu 20.04
Package: libqt5svg5 5.12.8-0ubuntu1
ProcVersionSignature: Ubuntu 5.14.0-1005.5-oem 5.14.9
Uname: Linux 5.14.0-1005-oem x86_64
ApportVersion: 2.20.11-0ubuntu27.21
Architecture: amd64
CasperMD5CheckResult: skip
CurrentDesktop: GNOME
Date: Mon Nov 8 20:24:34 2021
InstallationDate: Installed on 2012-07-06 (3411 days ago)
InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425)
ProcEnviron:
PATH=(custom, no user)
XDG_RUNTIME_DIR=<set>
LANG=de_DE.UTF-8
SHELL=/bin/bash
SourcePackage: qtsvg-opensource-src
UpgradeStatus: Upgraded to focal on 2020-10-03 (400 days ago)
To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1950193/+subscriptions