ubuntustudio-bugs team mailing list archive

[Bug 2107302] Re: CVE-2025-3512: Heap-based Buffer Overflow vulnerability in QTextMarkdownImporter

** Attachment added: "Proof of Concept as currently exists in Plucky, which is failed"
   https://bugs.launchpad.net/ubuntu/+source/qt6-base/+bug/2107302/+attachment/5871613/+files/Screenshot_20250413_215136_20250413230851.png

-- 
You received this bug notification because you are a member of Ubuntu
Studio Bugs, which is subscribed to the bug report.
https://bugs.launchpad.net/bugs/2107302

Title:
  CVE-2025-3512: Heap-based Buffer Overflow vulnerability in
  QTextMarkdownImporter

Status in qt6-base package in Ubuntu:
  In Progress

Bug description:
  [Vulnerability Information]

  CVE-2025-3512

  There is a Heap-based Buffer Overflow vulnerability in
  QTextMarkdownImporter. This requires an incorrectly formatted markdown
  file to be passed to QTextMarkdownImporter to trigger the overflow.

  This issue affects Qt from 6.8.0 to 6.8.4. Versions up to 6.6.0 are
  known to be unaffected, and the fix is in 6.8.4 and later.

  Plucky will ship with 6.8.3, and Oracular has 6.6.2. Our current main
  focus is to get this in prior to the release of Plucky.

  [Exploit Impact]

  This impacts any program using QTextMarkdownImporter. While nothing in
  the archive besides Qt itself seems to use QTextMarkdownImporter,
  QTextDocumentWriter *does* have usage in the archive, according to
  codesearch.debian.org. Reference:
  https://sources.debian.org/src/qt6-base/6.8.2+dfsg-5/src/gui/text/qtextdocumentwriter.cpp/?hl=234#L234

  Rough, potential list of impacted packages (this also includes Qt 5, so the list should be pruned, but this should at least give you a rough idea):
  python-anyqt
  openorienteering-mapper
  skrooge
  qtmultimedia-opensource-src
  pyqt6
  qtwebengine-opensource-src
  qgis
  grantlee5
  parley
  kreport
  klayout
  qtquickcontrols2-opensource-src
  iwyu
  qtbase-opensource-src
  libqtpas
  picard
  qt6-webengine
  qtbase-opensource-src-gles
  calligra
  lazarus
  plume-creator
  okular
  algobox
  retext
  pyside2
  pyside6
  chessx
  qtx11extras-opensource-src
  pyqt5
  deepin-log-viewer
  qt6-svg
  qtdeclarative-opensource-src-gles
  qtsvg-opensource-src
  libmlocale
  qtdeclarative-opensource-src
  kdevelop-python
  klatexformula
  feathernotes
  calibre
  qttools-opensource-src
  qt6-tools
  geshi
  eric
  marknote
  qt6-base
  qt6-declarative
  kstars
  featherpad
  kmail
  qtrvsim

  [Commit Message]

  From eced22d7250fc7ba4dbafa1694bf149c2259d9ea Mon Sep 17 00:00:00 2001
  From: Shawn Rutledge <shawn.rutledge@xxxxx>
  Date: Thu, 27 Mar 2025 15:17:21 +0100
  Subject: [PATCH] QTextMarkdownImporter: Fix heap-buffer-overflow

  After finding the end marker `---`, the code expected more characters
  beyond: typically at least a trailing newline. But
  QStringView::sliced() crashes if asked for a substring that starts at
  or beyond the end.

  Now it's restructured into a separate splitFrontMatter() function, and
  we're stricter, tolerating only `---\n` or `---\r\n` as marker lines.
  So the code is easier to prove correct, and we don't need to check
  characters between the end of the marker and the end of the line (to
  allow inadvertent whitespace, for example). If the markers are not
  valid, the Markdown parser will see them as thematic breaks, as it
  would have done if we were not extracting the Front Matter beforehand.

  Amends e10c9b5c0f8f194a79ce12dcf9b6b5cb19976942 and
  bffddc6a993c4b6b64922e8d327bdf32e0d4975a

  Credit to OSS-Fuzz which found this as issue 42533775.

  [ChangeLog][QtGui][Text] Fixed a heap buffer overflow in
  QTextMarkdownImporter. The first marker for Front Matter must begin at
  the first character of a Markdown document, and both markers must be
  exactly ---\n or ---\r\n.

  Done-with: Marc Mutz <marc.mutz@xxxxx>
  Fixes: QTBUG-135284
  Pick-to: 6.9 6.8
  Change-Id: I66412d21ecc0c4eabde443d70865ed2abad86d89
  Reviewed-by: Marc Mutz <marc.mutz@xxxxx>
  (cherry picked from commit 25986746947798e1a22d0830d3bcb11a55fcd3ae)
  Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@xxxxxxxxxxxxxx>
  ---
   src/gui/text/qtextmarkdownimporter.cpp        | 63 ++++++++++++++-----
   .../data/front-marker-malformed1.md           |  3 +
   .../data/front-marker-malformed2.md           |  5 ++
   .../data/front-marker-malformed3.md           |  4 ++
   .../data/oss-fuzz-42533775.md                 |  1 +
   .../qtextmarkdownimporter/data/yaml-crlf.md   | 10 +++
   .../tst_qtextmarkdownimporter.cpp             | 15 ++++-
   7 files changed, 84 insertions(+), 17 deletions(-)
   create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed1.md
   create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed2.md
   create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed3.md
   create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/oss-fuzz-42533775.md
   create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/yaml-crlf.md

  [Proof of Concept, Testing Plan, and Regression Potential]

  Aaron Rainbolt (~arraybolt3) prepared a Proof of Concept to test this.
  I have attached both the screenshots and the proof of concept tarball.

  This is a small, standard CMake-based Qt 6 application. It needs to be
  run on a system with a GUI. You are encouraged to read the Proof of
  Concept before running it.

  This is also the basic testing plan, besides generally ensuring Qt-
  based Markdown functionality works as intended. We will be thoroughly
  testing this as part of the Plucky release candidate testing this
  upcoming week, and other distributions with Qt 6.8 have also been
  adopting this patch. Tests have also been added as a part of this
  patch, to ensure functionality does not regress.

  Lastly, two Ubuntu Developers, Simon Quigley and Aaron Rainbolt, have
  tested the Proof of Concept, and can verify basic functionality works.
  A review from the Ubuntu Security Team, both on the fix itself and the
  documentation provided here, would be excellent.

  [Additional Information]

  Upstream code review: https://codereview.qt-project.org/c/qt/qtbase/+/635546
  Upstream commit: https://codereview.qt-project.org/gitweb?p=qt/qtbase.git;a=patch;h=eced22d7250fc7ba4dbafa1694bf149c2259d9ea
  Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103022
  Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2025-3512
  https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3512

To manage notifications about this bug go to:
https://bugs.launchpad.net/ubuntu/+source/qt6-base/+bug/2107302/+subscriptions
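As an added illustration of the marker rule the commit message describes (this is not the Qt patch itself, which works on QStringView inside QTextMarkdownImporter), here is a stand-alone C++17 splitFrontMatter() over std::string_view: it accepts only `---\n` or `---\r\n` as marker lines, requires the opening marker at the first character, and checks the remaining length before slicing, so a document that ends exactly at the closing marker yields no front matter instead of an out-of-range read. The struct and function names are assumptions chosen for this example.

```cpp
#include <cstddef>
#include <optional>
#include <string>
#include <string_view>

// Result of a successful split: the front matter (markers removed) and the Markdown after it.
struct FrontMatterSplit {
    std::string frontMatter;
    std::string markdown;
};

// Length of a valid marker line starting at `pos`: "---\n" -> 4, "---\r\n" -> 5, else 0.
// substr() clamps to the end of the view, so a marker with nothing after it is simply
// "not a marker" rather than an overrun (the condition behind the original crash).
static std::size_t markerLineLength(std::string_view doc, std::size_t pos)
{
    if (pos > doc.size())
        return 0;
    const std::string_view rest = doc.substr(pos);
    if (rest.substr(0, 4) == "---\n")
        return 4;
    if (rest.substr(0, 5) == "---\r\n")
        return 5;
    return 0;
}

// Returns the split if the document starts with a valid opening marker line and a valid
// closing marker line follows; otherwise std::nullopt so the Markdown parser treats the
// '---' lines as ordinary thematic breaks.
std::optional<FrontMatterSplit> splitFrontMatter(std::string_view doc)
{
    const std::size_t openLen = markerLineLength(doc, 0);   // must be the very first line
    if (openLen == 0)
        return std::nullopt;

    std::size_t lineStart = openLen;
    while (lineStart < doc.size()) {
        const std::size_t closeLen = markerLineLength(doc, lineStart);
        if (closeLen != 0) {
            return FrontMatterSplit{ std::string(doc.substr(openLen, lineStart - openLen)),
                                     std::string(doc.substr(lineStart + closeLen)) };
        }
        const std::size_t nl = doc.find('\n', lineStart);
        if (nl == std::string_view::npos)
            break;                      // no further complete line, so no valid closing marker
        lineStart = nl + 1;
    }
    return std::nullopt;                // unterminated or malformed front matter
}
```

A trailing space after `---`, a leading space before the opening marker, or a closing `---` with no newline all fall through to std::nullopt, which is the stricter behaviour the ChangeLog entry describes.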