Hi, On Sun, Nov 28, 2021 at 05:32:07PM +0200, Adrian Bunk wrote: > On Tue, Aug 31, 2021 at 09:15:15AM +0000, Raphaƫl Hertzog (@hertzog) wrote: > >... > > Commits: > > 63957298 by Neil Williams at 2021-08-31T10:11:30+01:00 > > CVE-2021-38593/qt vulnerable code introduced later > >... > > Changes: > > > > ===================================== > > data/CVE/list > > ===================================== > > @@ -3785,8 +3785,8 @@ CVE-2021-38595 > > CVE-2021-38594 > > RESERVED > > CVE-2021-38593 (Qt 5.0.0 through 6.1.2 has an out-of-bounds write in > > QOutlineMapper::c ...) > > - - qtbase-opensource-src <unfixed> > > - - qtbase-opensource-src-gles <unfixed> > > + - qtbase-opensource-src <not-affected> (Vulnerable code introduced > > later) > > + - qtbase-opensource-src-gles <not-affected> (Vulnerable code introduced > > later) > > NOTE: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566 > > NOTE: > > https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-903.yaml > > NOTE: > > https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862 > > (6.1) > >... > > Hi Neil, > > can you double-check that? > > Upload [1] makes me wonder whether the not-affected is correct, > and "Qt 5.0.0 through 6.1.2" also implies all versions of > qtbase-opensource-src{,-gles} would be affected.
I currently think the tracking from Neil was correct. The Issue was introduced by the commit 2https://github.com/qt/qtbase/commit/6869d2463a2e0d71bd04dbc82f5d6ef4933dc510 . Now the maintainer has today uploaded https://tracker.debian.org/news/1281817/accepted-qtbase-opensource-src-5152dfsg-14-source-into-unstable/ claiming it fixes CVE-2021-38593. But looking at the changes it looks that the debian/patches/CVE-2021-38593.diff patch both used https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f4d791b330d02777 introducing the needed "breaking" change, and then as well the fix. See as well https://bugzilla.suse.com/show_bug.cgi?id=1189652#c2 arguing in the same direction. We should recheck, but currently tend to that the tracking is already correct. Regards, Salvatore
