Bug 269001 (CVE-2007-4137)

Summary: CVE-2007-4137 QT off by one buffer overflow
Product: [Other] Security Response Reporter: Josh Bressers <bressers>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: high Docs Contact:
Priority: high    
Version: unspecifiedCC: kreilly, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2008-01-15 16:33:36 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Bug Depends On: 269061, 269081, 269101, 269121, 269141, 269161, 292941, 292951    
Bug Blocks:    
Description Flags
Proposed patch for QT3
Proposed patch for QT4 none

Description Josh Bressers 2007-08-30 20:24:08 UTC
Dirk Mueller reported an off by one buffer overflow flaw in the way QT parses
certain unicode strings.

To quote Dirk:

    I`ve found a off-by-one buffer overflow in QUtf8Decoder::toUnicode().  
    It is not exploitable with Qt 4.x or above because there is an  
    additional QChar(0) being allocated in QString, however it is still a  
    bug there, as the array returned by utf16() etc is no longer  
    terminated properly.

Comment 2 Josh Bressers 2007-08-30 20:25:42 UTC
Created attachment 181821 [details]
Proposed patch for QT3

Comment 3 Josh Bressers 2007-08-30 20:26:03 UTC
Created attachment 181841 [details]
Proposed patch for QT4

Comment 11 Mark J. Cox 2007-09-13 08:57:28 UTC
public, removing embargo

Comment 13 Red Hat Product Security 2008-01-15 16:33:36 UTC
This issue was addressed in:

Red Hat Enterprise Linux: