Bug 1931444 (CVE-2021-3481)
| Summary: | CVE-2021-3481 qt: Out of bounds read in function QRadialFetchSimd from crafted svg file | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Pedro Sampaio <psampaio> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | helio, jgrulich, jreznik, kasal, kevin, me, rdieter, rkeshri, smparrish, than |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | qt 5.12.11, qt 5.15.4, qt 6.0.3, qt 6.1.0RC | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality the application availability.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2021-11-09 23:25:06 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 1931445, 1931447, 1945642, 1945643, 1947272, 1947273, 1947275 | ||
| Bug Blocks: | 1931448, 1945582 | ||
|
Description
Pedro Sampaio
2021-02-22 12:47:37 UTC
Created qt tracking bugs for this issue: Affects: fedora-all [bug 1931445] Created qt5 tracking bugs for this issue: Affects: fedora-all [bug 1931447] QRadialFetchSimd was added in Qt 4.8.0. Qt 3 and versions of Qt 4 up to 4.7.x are not affected. The qt (4), qt5-qtbase, and qt6-qtbase packages in Fedora are probably affected, but without the details of the vulnerability (the referenced bug is private), I cannot tell for sure. Upstream bug: https://bugreports.qt.io/browse/QTBUG-91507 Do we have CVE for this security issue? In reply to comment #4: > Do we have CVE for this security issue? Not yet. The issue is still under analysis. We can assign one if needed after the analysis is done. In reply to comment #4: > Do we have CVE for this security issue? We now do: CVE-2021-3481 was assigned to it. Mitigation: Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability. Created qt3 tracking bugs for this issue: Affects: fedora-all [bug 1947272] > Created qt3 tracking bugs for this issue: > > Affects: fedora-all [bug 1947272] Why? QRadialFetchSimd was added in Qt 4.8.0, so I do not see how qt3 can possibly be affected. Hi, thank you for confirmation. Following the crash path it was leading to a crash in fetch() while performing operations on the double datatype to float, ~~ UndefinedBehaviorSanitizer can not provide additional info. SUMMARY: UndefinedBehaviorSanitizer: SEGV /src/qt/qtbase/src/gui/painting/qdrawhelper_p.h:601:13 in QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double) ==12881==ABORTING ~~~ This Bugzilla was just a place holder if we are doing something similar somewhere (double->float) in qt3 as well while rendering and displaying a Scalable Vector Graphics (SVG) file. Feel free to close this, if my assumption was wrong. Regards. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2021:4172 https://access.redhat.com/errata/RHSA-2021:4172 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-3481 |