Bug 269001 (CVE-2007-4137)

Summary: CVE-2007-4137 QT off by one buffer overflow
Product: [Other] Security Response
Reporter: Josh Bressers <bressers>
Component: vulnerability
Assignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA
Severity: high
Priority: high
Version: unspecified
CC: kreilly, than
Keywords: Security
Hardware: All
OS: Linux
Whiteboard: reported=20070828,source=vendorsec,public=20070903,impact=important,cwe=CWE-193[auto]
Doc Type: Bug Fix
Last Closed: 2008-01-15 11:33:36 EST
Bug Depends On: 269061, 269081, 269101, 269121, 269141, 269161, 292941, 292951    
Attachments:
    Proposed patch for QT3
    Proposed patch for QT4 (flags: none)

Description Josh Bressers 2007-08-30 16:24:08 EDT
Dirk Mueller reported an off-by-one buffer overflow flaw in the way Qt parses
certain Unicode strings.

To quote Dirk:

    I've found an off-by-one buffer overflow in QUtf8Decoder::toUnicode().
    It is not exploitable with Qt 4.x or above because there is an
    additional QChar(0) being allocated in QString, however it is still a
    bug there, as the array returned by utf16() etc. is no longer
    terminated properly.

Comment 2 Josh Bressers 2007-08-30 16:25:42 EDT
Created attachment 181821
Proposed patch for QT3

Comment 3 Josh Bressers 2007-08-30 16:26:03 EDT
Created attachment 181841
Proposed patch for QT4

Comment 11 Mark J. Cox (Product Security) 2007-09-13 04:57:28 EDT
public, removing embargo

Comment 13 Red Hat Product Security 2008-01-15 11:33:36 EST
This issue was addressed in:

Red Hat Enterprise Linux: