Hi! On Thu, 30 Jan 2020 at 13:38, Salvatore Bonaccorso <[email protected]> wrote: > > Hi, > > On Thu, Jan 30, 2020 at 01:21:18PM -0300, Lisandro Damián Nicanor Pérez Meyer > wrote: > > Hi again... > > > > On Thu, 30 Jan 2020 at 12:43, Lisandro Damián Nicanor Pérez Meyer > > <[email protected]> wrote: > > > > > > Hit Enter too fast... > > > > > > On Thu, 30 Jan 2020 at 12:39, Lisandro Damián Nicanor Pérez Meyer > > > <[email protected]> wrote: > > > [snip] > > > > I'm attaching the stretch debdiff. > > > > > > In this case only one CVE applies. I wanted to prepare a MR on the > > > security tracker for this too, but it has been forking the repo for > > > more than 5' already... > > > > > > So I'm adding more info here: > > > > > > - CVE-2020-0569.diff applies to all Qt 5 versions (except gles > > > variants) *and* also qt4-x11. > > > - CVE-2020-0570.diff only applies to buster, testing and sid Qt5's > > > versions. > > > > I'm afraid I was confused here, I think due to upstream's affected ranges. > > > > - CVE-2020-0569.diff applies to all Qt 5 versions (except gles variants) > > - CVE-2020-0570.diff, according to upstream, is said to affect only > > 5.12 onwards. But I've found the code also applies to 5.7 and even to > > qt4. I have just asked upstream to re check this. > > I have for now reverted the last change 5bd1b4fe297e ("Add > CVE-2020-0569/qt4-x11 as well"). So for now we are tracking those as: > > CVE-2020-0570 > RESERVED > - qtbase-opensource-src <unfixed> > [stretch] - qtbase-opensource-src <not-affected> (Only affects 5.12.0 > through 5.14.0) > NOTE: https://bugreports.qt.io/browse/QTBUG-81272 > NOTE: Patch: > https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd > CVE-2020-0569 > RESERVED > - qtbase-opensource-src <unfixed> > NOTE: Patch for 5.6.0 through 5.13.2: > https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404 > NOTE: Patch for 5.0.0 through 5.5.1: > https://code.qt.io/cgit/qt/qtbase.git/commit/?id=5c4234ed958130d655df8197129806f687d4df0d > TODO: check qt4-x11 > > Once you have confirmation from upstream we can adjust those accordingly. > > Regards, > Salvatore
I have just did: <https://lists.qt-project.org/pipermail/development/2020-January/038534.html> The patch just make sure that we don't do wrong call when the search prefixes contains '/' But before 5.12 (commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d), there were no search prefixes with '/' in them. So no need to apply the patch in earlier versions. So: - None of the above CVEs affect qt4-x11 - stretch and buster already have the fixes in the security repo. Cheers, and thanks a lot! -- Lisandro Damián Nicanor Pérez Meyer http://perezmeyer.com.ar/ http://perezmeyer.blogspot.com/ -- https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-kde-talk
