Opened 2 years ago

Closed 2 years ago

#16002 closed enhancement (fixed)

qtsvg OOB write

Reported by: ken@…
Owned by: ken@…
Priority: elevated
Milestone: 11.1
Component: BOOK
Version: git
Severity: normal
Keywords: (none)
Cc: (none)

Description

CVE-2021-45930 : Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an out-of-bounds write in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend (called from QPainterPath::addPath and QPathClipper::intersect).

Change History (4)

comment:1 by ken@…, 2 years ago

I assume there is a fix in the kf5.15 patches. The severity of this is currently rated as Medium.

I suggest we really ought to pull in the kf5.15 patches for ALL the major parts of qt5 (i.e. those parts used by kde packages which are specifically mentioned in the books). I have W-I-P on this from a few weeks ago (so not including this fix) but I have not got beyond testing the kf5 applications (including those mentioned by name in 'Other KDE packages'), i.e. I have not yet tested plasma.

According to Arch (qt5svg) who probably already have this fix, qt5svg is used by among others audacious, falkon.

comment:2 by ken@…, 2 years ago

Just for the record, the patch is

From 5b9285c34731e67f9f1d61ec804740991f2a0380 Mon Sep 17 00:00:00 2001
From: Eirik Aavitsland <eirik.aavitsland@qt.io>
Date: Mon, 25 Oct 2021 14:17:55 +0200
Subject: [PATCH 14/16] Do stricter error checking when parsing path nodes
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The SVG spec mandates that path parsing should terminate on the first
error encountered, and an error be reported. To improve the handling
of corrupt files, implement such error handling, and also limit the
number of QPainterPath elements to a reasonable range.

Fixes: QTBUG-96044
Pick-to: 6.2 5.15 5.12
Change-Id: Ic5e65d6b658516d6f1317c72de365c8c7ad81891
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
Reviewed-by: Robert Löhning <robert.loehning@qt.io>
(cherry picked from commit 36cfd9efb9b22b891adee9c48d30202289cfa620)
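An added illustration of the two behaviours the commit message above describes, stopping path parsing at the first error and bounding the number of stored elements; this is example code written for this ticket page, not code from the ticket or from Qt's patch. It parses only an absolute M/L/Z subset of SVG path data, and the readNumber helper and the kMaxElements value are assumptions chosen for the example (Qt's actual limit is not stated here).

```cpp
#include <cctype>
#include <cstdlib>
#include <string>
#include <vector>

// Illustrative cap on stored path elements (chosen for this example,
// not the limit used by Qt's patch).
static const size_t kMaxElements = 1000;
struct PathElement { char cmd; double x, y; };
struct ParseResult { std::vector<PathElement> elements; bool ok = true; std::string error; };

// Skip separators, then read one number; false if none is present.
static bool readNumber(const std::string& s, size_t& i, double& out) {
    while (i < s.size() && (std::isspace((unsigned char)s[i]) || s[i] == ',')) ++i;
    const char* start = s.c_str() + i;
    char* end = nullptr;
    out = std::strtod(start, &end);
    if (end == start) return false;
    i += static_cast<size_t>(end - start);
    return true;
}

// Parse a subset of SVG path data (absolute M, L and Z). On the first
// error, stop immediately and report it instead of continuing to append.
ParseResult parseSvgPath(const std::string& d) {
    ParseResult r;
    size_t i = 0;
    while (i < d.size()) {
        char c = d[i++];
        if (std::isspace((unsigned char)c)) continue;
        PathElement e{c, 0.0, 0.0};
        if (c == 'M' || c == 'L') {
            if (!readNumber(d, i, e.x) || !readNumber(d, i, e.y)) {
                r.ok = false; r.error = "malformed coordinates after command"; return r;
            }
        } else if (c == 'Z' || c == 'z') {
            e.cmd = 'Z';
        } else {
            r.ok = false; r.error = "unknown path command"; return r;
        }
        // Bounded growth: refuse to grow the element array past the cap.
        if (r.elements.size() >= kMaxElements) {
            r.ok = false; r.error = "too many path elements"; return r;
        }
        r.elements.push_back(e);
    }
    return r;
}
```

A truncated or malformed path (for example a coordinate pair cut short) yields ok == false with the elements parsed so far, and a path with more commands than kMaxElements is rejected rather than appended without bound.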

comment:4 by ken@…, 2 years ago

Resolution: fixed
Status: assigned → closed

Advisory SA 11.0-061.
