On Wed, 1 Dec 2021 13:38:48 +0000 Neil Williams <codeh...@debian.org> wrote:
> On Sun, 28 Nov 2021 21:02:16 +0100 > Salvatore Bonaccorso <car...@debian.org> wrote: > > > Hi Adrian, Neil, > > > > One additional point: > > > > On Sun, Nov 28, 2021 at 08:56:57PM +0100, Salvatore Bonaccorso > > wrote: > > > Hi, > > > > > > > > ===================================== > > > > > data/CVE/list > > > > > ===================================== > > > > > @@ -3785,8 +3785,8 @@ CVE-2021-38595 > > > > > CVE-2021-38594 > > > > > RESERVED > > > > > CVE-2021-38593 (Qt 5.0.0 through 6.1.2 has an out-of-bounds > > > > > write in QOutlineMapper::c ...) > > > > > - - qtbase-opensource-src <unfixed> > > > > > - - qtbase-opensource-src-gles <unfixed> > > > > > + - qtbase-opensource-src <not-affected> (Vulnerable > > > > > code introduced later) > > > > > + - qtbase-opensource-src-gles <not-affected> > > > > > (Vulnerable code introduced later) NOTE: > > > > > https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=35566 > > > > > NOTE: > > > > > https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-903.yaml > > > > > NOTE: > > > > > https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862 > > > > > (6.1) > > > > >... > > > > > > > > Hi Neil, > > > > > > > > can you double-check that? > > > > > > > > Upload [1] makes me wonder whether the not-affected is correct, > > > > and "Qt 5.0.0 through 6.1.2" also implies all versions of > > > > qtbase-opensource-src{,-gles} would be affected. > > > > > > I currently think the tracking from Neil was correct. The Issue > > > was introduced by the commit > > > 2https://github.com/qt/qtbase/commit/6869d2463a2e0d71bd04dbc82f5d6ef4933dc510 > > > . > > > > > > Now the maintainer has today uploaded > > > https://tracker.debian.org/news/1281817/accepted-qtbase-opensource-src-5152dfsg-14-source-into-unstable/ > > > claiming it fixes CVE-2021-38593. But looking at the changes it > > > looks that the debian/patches/CVE-2021-38593.diff patch both used > > > https://code.qt.io/cgit/qt/qtbase.git/commit/?id=f4d791b330d02777 > > > introducing the needed "breaking" change, and then as well the > > > fix. > > > > > > See as well https://bugzilla.suse.com/show_bug.cgi?id=1189652#c2 > > > arguing in the same direction. > > > > > > We should recheck, but currently tend to that the tracking is > > > already correct. > > > > https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1950193 > > contains some further information from Ubuntu's side. Does the test > > there triggers the exact out-of-bounds write issue from the CVE? In summary, no, I do not see an out of bounds write with the Launchpad test, either with or without the fix uploaded to unstable. The change in unstable does fix the issue reported in Launchpad but I don't see how that is meant to match against the CVE. > After testing with 5.15.2+dfsg-14 (unstable) and 5.15.2+dfsg-13 > (bookworm): > > The specific test program from the Launchpad bug **does** exhibit the > behaviour, in bookworm, that the Launchpad bug describes as "you might > be affected". > Bullseye shows the original bug - that the test SVG simply does not get shown & the test program continues, taking up 100% of 1 core until killed by the user. The program does not die without intervention, as it does in bookworm. Bullseye: gdb reports no termination Bookworm: gdb reports "Program terminated with signal SIGKILL, Killed" The code referenced in the fixes for the CVE in unstable does not exist in bookworm or bullseye. Some other change is responsible for the effects shown when using the test SVG from Launchpad in bookworm. It looks like there is a long-standing bug in Qt5 that this type of SVG will trigger, causing Qt5 to stall, hogging 1 CPU at 100%. With the changes in bookworm, this bug now causes program termination *but gdb does not show any evidence of an out-of-bounds write*, just that the QApplication terminates. The vulnerable code from the CVE does not exist in bookworm. In bookworm, there is a change in behaviour which will be fixed when the package from unstable migrates in a few days. This temporary issue does not look like CVE-2021-38595 - it looks like a different bug. IMHO the Launchpad bug conflates two different issues: - CVE-2021-38593 - an out-of-bounds write - Qt6 - the Launchpad svg file will block one core at 100% and occupy much memory I don't see that these are the same problem. The CVE was introduced in Qt6 code. The code to trigger the stalling bug still exists in Qt5 after the fix for the CVE is applied, it's just that the CVE fix introduces *new* code that tries to handle the specially crafted test SVG, then falls back to the old stalling code if the new code is not called. Bullseye has the original bug Bookworm has a new bug which causes the test program to crash & still has the original bug. unstable fixes the test program crash from bookworm but still has the original bug, it just works around it for the tested SVG. It is not clear whether another crafted SVG would skip the fix from unstable and execute the original code flow. The commits added to unstable address the Launchpad issue of consuming 100% of one core using the provided test SVG. IMHO the commits do not address the CVE because the vulnerable code of that CVE does not exist. * Backport four upstream commits to fix massive memory consumption when rendering specially crafted SVG files (CVE-2021-38593, LP: #1950193). As noted in https://bugzilla.suse.com/show_bug.cgi?id=1189652#c2, it was only applied to very recent 5.15(at least not for 5.15.2, possibly does exist in 5.15.3 but 5.15.3 and above are for commercial license user only) and 6.x series, If a different SVG is supplied which doesn't trigger the new code, Qt5 in bookworm would use the same slow code as bullseye & the same is true in unstable - the slow code path still exists there too. https://sources.debian.org/src/qtbase-opensource-src/5.15.2+dfsg-14/src/gui/painting/qpaintengineex.cpp/#L438 https://sources.debian.org/src/qtbase-opensource-src/5.15.2+dfsg-13/src/gui/painting/qpaintengineex.cpp/#L406 https://sources.debian.org/src/qtbase-opensource-src/5.15.2+dfsg-9/src/gui/painting/qpaintengineex.cpp/#L406 Overall, I see no vulnerable code in Qt5 for CVE-2021-38595 and the reported fix appears to be addressing a different bug to handle a specific test SVG. > The same test on unstable passes without incident. It's not clear why > at this point. > > I'll check on bullseye later. > > > This as an additional check to be made for double checking if our > > tracking is correct or we need to update. > > It needs more investigation. I'll pick that up. > > -- > Neil Williams > ============= > https://linux.codehelp.co.uk/ -- Neil Williams ============= https://linux.codehelp.co.uk/
pgpJzJe3AB273.pgp
Description: OpenPGP digital signature
