** Description changed: + [Impact] + libqt5svg5 5.12.8-0ubuntu1 in Ubuntu 20.04 is affected by CVE-2021-38593: https://nvd.nist.gov/vuln/detail/CVE-2021-38593 Trying to open the attached svg file will block one core at 100% and occupy much memory. Depending on the configuration, it might even run out of memory and crash. This is fixed upstream by: https://codereview.qt-project.org/c/qt/qtbase/+/377942 - The original issue is public since July 29th. If I'm allowed to upload - further files, I'll send a simple test program. + The original issue is public since July 29th. - ProblemType: Bug - DistroRelease: Ubuntu 20.04 - Package: libqt5svg5 5.12.8-0ubuntu1 - ProcVersionSignature: Ubuntu 5.14.0-1005.5-oem 5.14.9 - Uname: Linux 5.14.0-1005-oem x86_64 - ApportVersion: 2.20.11-0ubuntu27.21 - Architecture: amd64 - CasperMD5CheckResult: skip - CurrentDesktop: GNOME - Date: Mon Nov 8 20:24:34 2021 - InstallationDate: Installed on 2012-07-06 (3411 days ago) - InstallationMedia: Ubuntu 12.04 LTS "Precise Pangolin" - Release amd64 (20120425) - ProcEnviron: - PATH=(custom, no user) - XDG_RUNTIME_DIR=<set> - LANG=de_DE.UTF-8 - SHELL=/bin/bash - SourcePackage: qtsvg-opensource-src - UpgradeStatus: Upgraded to focal on 2020-10-03 (400 days ago) + [Test Plan] + + 1. Install libqt5svg5-dev, qtbase5-dev and their dependencies. + 2. Build the attached project with the system's version of Qt: + /usr/lib/qt5/bin/qmake test-2021-38593.pro && make + 3. Start the resulting binary and pass the path to the included input file as first parameter: + ./test-2021-38593 ./input.svg + The binary should return immediately and without error messages. If it doesn't, you might be affected. + + [Where problems could occur] + + The fix tries to skip drawing dashes that would be invisible anyway. So + a potential problem may that it skips too much. In fact, this has + already happened, and upstream had to adjust the fix. + + [Other Info] + + The patch is a combination of the following upstream commits: + + - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=7f345f2a1c8d9f60 + - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=9378ba2ae857df7e + - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=81998f50d039a631 + - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=cca8ed0547405b1c
-- You received this bug notification because you are a member of Ubuntu Bugs, which is subscribed to the bug report. https://bugs.launchpad.net/bugs/1950193 Title: libqt5svg5 affected by CVE-2021-38593 To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1950193/+subscriptions -- ubuntu-bugs mailing list ubuntu-bugs@lists.ubuntu.com https://lists.ubuntu.com/mailman/listinfo/ubuntu-bugs
