Opened 2 months ago
Closed 2 months ago
#19320 closed enhancement (fixed)
Patch Qt5 against CVE-2024-25580
| Reported by: | Douglas R. Reno | Owned by: | Douglas R. Reno |
|---|---|---|---|
| Priority: | high | Milestone: | 12.1 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: |
Description
In Qt6 (see #19316), there were two security vulnerabilities fixed. I decided to look at Qt5 to see if it was vulnerable to both of these vulnerabilities, and upstream has made fixes available at:
- https://download.qt.io/official_releases/qt/5.15/0001-CVE-2023-51714-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/0002-CVE-2023-51714-qtbase-5.15.diff
- https://download.qt.io/official_releases/qt/5.15/CVE-2024-25580-qtbase-5.15.diff
I'll try to get this and Qt6 in tomorrow/Saturday.
For more information on CVE-2024-25580, see https://www.qt.io/blog/security-advisory-potential-buffer-overflow-when-reading-ktx-images
https://nvd.nist.gov/vuln/detail/CVE-2023-51714 is marked as 9.8 CRITICAL
Change History (5)
comment:1 by , 2 months ago
| Milestone: | 12.2 → 12.1 |
|---|
comment:2 by , 2 months ago
| Owner: | changed from to |
|---|---|
| Status: | new → assigned |
comment:3 by , 2 months ago
comment:4 by , 2 months ago
| Summary: | Patch Qt5 against CVE-2024-25580 and CVE-2023-51714 → Patch Qt5 against CVE-2024-25580 |
|---|
As noted by Pierre CVE-2023-51714 is already fixed by our KF5 patch, so we just need CVE-2024-25580
comment:5 by , 2 months ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
Fixed at 5f38a07f883a230b4a5f6e670e418716aa62ffed
SA-12.0-101 issued
Note:
See TracTickets
for help on using tickets.
The patch for CVE-2023-51714 is already included in the kf5 patch for 5.15.12. The patch for CVE-2024-25580 is not.