Re: Crash in Qt 5.12.2
Hi again Robert, On Fri, Oct 18, 2019 at 02:14:01PM +, Robert Loehning wrote: > Hi, > > every application based on Qt will crash when opening a crafted plain > text file. Could you please add the patch below to your builds to fix this? > > Thank you and have a nice weekend. Let me forward you a question I got on the bug: https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1848784/comments/1 This would appear to have security implications since I imagine if an email were sent to a KMail recipient which was crafted in this same way it would crash KMail? If this is likely true a CVE should be requested from MITRE via https://cveform.mitre.org/ so that other distros etc can ensure they ship this patch too. What do you think about this? -- Dmitry Shachnev -- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
Re: Crash in Qt 5.12.2
Am 22.10.19 um 18:41 schrieb Dmitry Shachnev: > Hi again Robert, > > On Fri, Oct 18, 2019 at 02:14:01PM +, Robert Loehning wrote: >> Hi, >> >> every application based on Qt will crash when opening a crafted plain >> text file. Could you please add the patch below to your builds to fix this? >> >> Thank you and have a nice weekend. > > Let me forward you a question I got on the bug: > > https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1848784/comments/1 > > This would appear to have security implications since I imagine if an email > were sent to a KMail recipient which was crafted in this same way it would > crash KMail? If this is likely true a CVE should be requested from MITRE via > https://cveform.mitre.org/ so that other distros etc can ensure they ship > this patch too. > > What do you think about this? > > -- > Dmitry Shachnev > Hi Dmitry, this is most probably right. I expect that it's possible to crash KMail in that way. With Quassel, it was already used ITW. I don't think I'm authorized to send you such a crafted file, but if you look closely at the test for the attached fix, you can probably figure it out yourself. I'm not aware of an existing CVE for this issue, though. Cheers, Robert -- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
Re: Crash in Qt 5.12.2
Am 23.10.19 um 09:29 schrieb Alex Murray: > > On Wed, 2019-10-23 at 17:32:58 +1030, Robert Loehning wrote: > >> Am 22.10.19 um 18:41 schrieb Dmitry Shachnev: >>> Hi again Robert, >>> >>> On Fri, Oct 18, 2019 at 02:14:01PM +, Robert Loehning wrote: Hi, every application based on Qt will crash when opening a crafted plain text file. Could you please add the patch below to your builds to fix this? Thank you and have a nice weekend. >>> >>> Let me forward you a question I got on the bug: >>> >>> https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1848784/comments/1 >>> >>> This would appear to have security implications since I imagine if an >>> email >>> were sent to a KMail recipient which was crafted in this same way it would >>> crash KMail? If this is likely true a CVE should be requested from MITRE >>> via >>> https://cveform.mitre.org/ so that other distros etc can ensure they ship >>> this patch too. >>> >>> What do you think about this? >>> >>> -- >>> Dmitry Shachnev >>> >> >> Hi Dmitry, >> >> this is most probably right. I expect that it's possible to crash KMail >> in that way. With Quassel, it was already used ITW. >> >> I don't think I'm authorized to send you such a crafted file, but if you >> look closely at the test for the attached fix, you can probably figure >> it out yourself. >> >> I'm not aware of an existing CVE for this issue, though. > > FYI - I have just submitted a CVE application for this to MITRE so that > all distros can be notified of, and backport the fix as appropriate. Wonderful! Thank you so much! Cheers, Robert -- Ubuntu-devel-discuss mailing list Ubuntu-devel-discuss@lists.ubuntu.com Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
