Bug 2037339 (CVE-2021-45930)
| Summary: | CVE-2021-45930 qt: out-of-bounds write may lead to DoS | ||
|---|---|---|---|
| Product: | [Other] Security Response | Reporter: | Marian Rehak <mrehak> |
| Component: | vulnerability | Assignee: | Red Hat Product Security <security-response-team> |
| Status: | CLOSED ERRATA | QA Contact: | |
| Severity: | medium | Docs Contact: | |
| Priority: | medium | ||
| Version: | unspecified | CC: | erik-fedora, helio, jgrulich, jreznik, kde-sig, kevin, manisandro, rdieter, than |
| Target Milestone: | --- | Keywords: | Security |
| Target Release: | --- | ||
| Hardware: | All | ||
| OS: | Linux | ||
| Whiteboard: | |||
| Fixed In Version: | qt 5.12.12, qt 6.2.2 | Doc Type: | If docs needed, set a value |
| Doc Text: |
A flaw was found in qtsvg's qsvghandler.cpp module. An attacker who is able to submit a crafted image file to an application that uses qsvghandler could cause an out-of-bounds write and potential denial of service to occur, depending on the application.
|
Story Points: | --- |
| Clone Of: | Environment: | ||
| Last Closed: | 2022-05-12 01:16:04 UTC | Type: | --- |
| Regression: | --- | Mount Type: | --- |
| Documentation: | --- | CRM: | |
| Verified Versions: | Category: | --- | |
| oVirt Team: | --- | RHEL 7.3 requirements from Atomic Host: | |
| Cloudforms Team: | --- | Target Upstream Version: | |
| Embargoed: | |||
| Bug Depends On: | 2037340, 2037341, 2037342, 2037344, 2037345, 2038487, 2038488 | ||
| Bug Blocks: | 2037343 | ||
|
Description
Marian Rehak
2022-01-05 13:27:55 UTC
Created mingw-qt5-qtbase tracking bugs for this issue: Affects: fedora-all [bug 2037342] Created qt3 tracking bugs for this issue: Affects: fedora-all [bug 2037340] Created qt5 tracking bugs for this issue: Affects: fedora-all [bug 2037341] Created qt5-qtbase tracking bugs for this issue: Affects: fedora-all [bug 2037344] Created qt6-qtbase tracking bugs for this issue: Affects: fedora-all [bug 2037345] Note that there seems to be some issues with the oss-fuzz bot that have lead to this issue being closed and marked as resolved before it was actually resolved upstream. The series of oss-fuzz issues seems to be: 1.) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025 (linked in comment#0 above) qt:qtsvg_svg_qsvgrenderer_render: Crash in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend 2.) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306 qt:qtsvg_svg_qsvgrenderer_render: Crash in QtPrivate::QPodArrayOps<QPainterPath::Element>::copyAppend 3.) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40161 qt:qtsvg_svg_qsvgrenderer_render: Crash in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend So all of those issues are actually caused by the same one bug. Reference for above info: https://github.com/google/oss-fuzz/issues/6237#issuecomment-900591242 Upstream patches: 5.12 branch: https://codereview.qt-project.org/c/qt%2Fqtsvg/+/378662 6.2 branch: https://codereview.qt-project.org/c/qt%2Fqtsvg/+/378661 dev branch: https://codereview.qt-project.org/c/qt/qtsvg/+/378250 Ref: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40161#c3 Flaw summary: qtsvg did not follow the SVG spec's requirement that path parsing error out on first issue encountered. It was possible for a crafted file to cause there to be too many QPainterPath elements and a subsequent out-of-bounds write. The upstream patch introduces the error handling functionality and sets the max number of path elements to 32767. This issue has been addressed in the following products: Red Hat Enterprise Linux 8 Via RHSA-2022:1920 https://access.redhat.com/errata/RHSA-2022:1920 This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2021-45930 |