Opened 7 years ago

Closed 7 years ago

Last modified 7 years ago

#8644 closed enhancement (fixed)

qt-5.7.1 (critical bug fix release, CVE-2016-51{33,47,53,55,61,66,70,71,72,81,85,86,87,88,92,98})

Reported by: Douglas R. Reno Owned by: bdubbs@…
Priority: highest Milestone: 8.0
Component: BOOK Version: SVN
Severity: critical Keywords:
Cc:

Description

New point version.

In addition to the security changes, I went through all of the changelogs available. Users on bog-standard Nouveau cards have been having issues with KDE and other QtWayland specific problems. GT cards are fine, but the standard GTX gaming graphics cards are not. Archetech reported this to me in IRC two weeks ago and I've been helping him troubleshoot since.

CVE-2016-5133, CVE-2016-5147, CVE-2016-5153, CVE-2016-5155,
CVE-2016-5161, CVE-2016-5166, CVE-2016-5170, CVE-2016-5171,
CVE-2016-5172, CVE-2016-5181, CVE-2016-5185, CVE-2016-5186,
CVE-2016-5187, CVE-2016-5188, CVE-2016-5192, CVE-2016-5198

This is after 8 months of waiting. Several things were also broken in Qt-5.7.0 (major functionality, like bluetooth connectivity), that are now fixed in Qt-5.7.1.

Change History (5)

comment:1 by Douglas R. Reno, 7 years ago

Alright, here are some detailed vulnerability descriptions. I'm taking this if it is not taken in the next three hours, since I'm right at the point where I need to build it.

CVE-2016-5133

Google Chrome before 52.0.2743.82 mishandles origin information during proxy authentication, which allows man-in-the-middle attackers to spoof a proxy-authentication login prompt or trigger incorrect credential storage by modifying the client-server data stream. 

CVE-2016-5147

Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, mishandles deferred page loads, which allows remote attackers to inject arbitrary web script or HTML via a crafted web site, aka "Universal XSS (UXSS)." 

CVE-2016-5153

The Web Animations implementation in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, improperly relies on list iteration, which allows remote attackers to cause a denial of service (use-after-destruction) or possibly have unspecified other impact via a crafted web site. 

CVE-2016-5155

Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly validate access to the initial document, which allows remote attackers to spoof the address bar via a crafted web site. 

CVE-2016-5161

The EditingStyle::mergeStyle function in WebKit/Source/core/editing/EditingStyle.cpp in Blink, as used in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux, mishandles custom properties, which allows remote attackers to cause a denial of service or possibly have unspecified other impact via a crafted web site that leverages "type confusion" in the StylePropertySerializer class. 

CVE-2016-5166

The download implementation in Google Chrome before 53.0.2785.89 on Windows and OS X and before 53.0.2785.92 on Linux does not properly restrict saving a file:// URL that is referenced by an http:// URL, which makes it easier for user-assisted remote attackers to discover NetNTLM hashes and conduct SMB relay attacks via a crafted web page that is accessed with the "Save page as" menu choice. 

CVE-2016-5170

WebKit/Source/bindings/modules/v8/V8BindingForModules.cpp in Blink, as used in Google Chrome before 53.0.2785.113, does not properly consider getter side effects during array key conversion, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted Indexed Database (aka IndexedDB) API calls. 

CVE-2016-5171

WebKit/Source/bindings/templates/interface.cpp in Blink, as used in Google Chrome before 53.0.2785.113, does not prevent certain constructor calls, which allows remote attackers to cause a denial of service (use-after-free) or possibly have unspecified other impact via crafted JavaScript code. 

CVE-2016-5172

The parser in Google V8, as used in Google Chrome before 53.0.2785.113, mishandles scopes, which allows remote attackers to obtain sensitive information from arbitrary memory locations via crafted JavaScript code. 

CVE-2016-5181

EMBARGOED

CVE-2016-5185

EMBARGOED

CVE-2016-5186

EMBARGOED

CVE-2016-5187

EMBARGOED

CVE-2016-5188

EMBARGOED

CVE-2016-5192

EMBARGOED

CVE-2016-5198

EMBARGOED

Out of the above list, several of them scored 8.8 "HIGH" on the CVSSv3 metric.

comment:2 by Pierre Labastie, 7 years ago

All the (non-embargoed) CVEs above are in qtwebengine, which we just build optionally for qupzilla... I've not been able to get the version of chrome used by Qt-5.7.0.

comment:3 by bdubbs@…, 7 years ago

Owner: changed from blfs-book@… to bdubbs@…
Status: new → assigned

comment:4 by bdubbs@…, 7 years ago

Resolution: fixed
Status: assigned → closed

Fixed at revision 18073.

comment:5 by bdubbs@…, 7 years ago

Milestone: 7.11 → 8.0

Milestone renamed
