Bug 1931444 (CVE-2021-3481) - CVE-2021-3481 qt: Out of bounds read in function QRadialFetchSimd from crafted svg file
Summary: CVE-2021-3481 qt: Out of bounds read in function QRadialFetchSimd from crafte...
Keywords:
Status: NEW
Alias: CVE-2021-3481
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1945643 1931445 1931447 1945642 1947272 1947273 1947275
Blocks: 1945582 1931448
 
Reported: 2021-02-22 12:47 UTC by Pedro Sampaio
Modified: 2021-04-14 13:02 UTC (History)

Fixed In Version:
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file, this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and application availability.
Clone Of:
Environment:
Last Closed:



Description Pedro Sampaio 2021-02-22 12:47:37 UTC
An out-of-bounds (OOB) memory access flaw was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt. While processing a crafted SVG input file, parsed doubles are converted to float-representable values, and this may lead to an unauthorised memory access problem and may even lead to a denial of service.

References:

https://bugreports.qt.io/browse/QTBUG-91507

Comment 1 Pedro Sampaio 2021-02-22 12:48:24 UTC
Created qt tracking bugs for this issue:

Affects: fedora-all [bug 1931445]


Created qt5 tracking bugs for this issue:

Affects: fedora-all [bug 1931447]

Comment 2 Kevin Kofler 2021-02-22 13:43:02 UTC
QRadialFetchSimd was added in Qt 4.8.0. Qt 3 and versions of Qt 4 up to 4.7.x are not affected. The qt (4), qt5-qtbase, and qt6-qtbase packages in Fedora are probably affected, but without the details of the vulnerability (the referenced bug is private), I cannot tell for sure.

Comment 3 Doran Moppert 2021-03-09 12:43:11 UTC
Upstream bug:

https://bugreports.qt.io/browse/QTBUG-91507

Comment 4 Than Ngo 2021-03-10 08:03:40 UTC
Do we have CVE for this security issue?

Comment 5 Pedro Sampaio 2021-03-10 12:11:53 UTC
In reply to comment #4:
> Do we have CVE for this security issue?

Not yet. The issue is still under analysis. We can assign one if needed after the analysis is done.

Comment 9 msiddiqu 2021-04-01 10:41:24 UTC
In reply to comment #4:
> Do we have CVE for this security issue?

We now do: CVE-2021-3481 was assigned to it.

Comment 14 Rohit Keshri 2021-04-01 15:28:09 UTC
Mitigation:

Mitigation for this issue is either not available or the currently available options don't meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.

Comment 15 Rohit Keshri 2021-04-08 06:33:32 UTC
Created qt3 tracking bugs for this issue:

Affects: fedora-all [bug 1947272]

Comment 18 Kevin Kofler 2021-04-08 10:16:49 UTC
> Created qt3 tracking bugs for this issue:
>
> Affects: fedora-all [bug 1947272]

Why? QRadialFetchSimd was added in Qt 4.8.0, so I do not see how qt3 can possibly be affected.

Comment 19 Rohit Keshri 2021-04-14 13:02:07 UTC
Hi, thank you for confirmation.

Following the crash path, it was leading to a crash in fetch() while performing operations on the double datatype to float:
~~~
UndefinedBehaviorSanitizer can not provide additional info.
SUMMARY: UndefinedBehaviorSanitizer: SEGV /src/qt/qtbase/src/gui/painting/qdrawhelper_p.h:601:13 in QRadialFetchSimd<QSimdSse2>::fetch(unsigned int*, unsigned int*, Operator const*, QSpanData const*, double, double, double, double, double)
==12881==ABORTING
~~~

This Bugzilla was just a placeholder in case we are doing something similar somewhere (double->float) in qt3 as well while rendering and displaying a Scalable Vector Graphics (SVG) file. Feel free to close this if my assumption was wrong. Regards.
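The description and comment 19 both point at a double-to-float narrowing on the way to a table lookup. The following is an added illustration, not Qt's code and not the actual path through QRadialFetchSimd: the table size, the position-to-index arithmetic and all function names are assumptions. It shows how a gradient position that is safely below the table bound as a double can round up to the bound once narrowed to float, and why the bounds check has to come after the narrowing.

```cpp
#include <cstddef>
#include <cstdint>

// Assumed stand-in for a gradient colour table (size is a constructed value,
// not Qt's). Zero-initialised; only the index arithmetic matters here.
constexpr std::size_t kTableSize = 1024;
static std::uint32_t gColorTable[kTableSize];

// Index computed entirely in double: pos is a fraction in [0, 1).
int rawIndexDouble(double pos) {
    return static_cast<int>(pos * static_cast<double>(kTableSize));
}

// Same arithmetic after narrowing pos to float first. A double such as
// 0.99999999 is closer to 1.0f than to the next float below it, so it
// rounds up to 1.0f and the index becomes kTableSize, one past the end.
int rawIndexAfterNarrowing(double pos) {
    float f = static_cast<float>(pos);
    return static_cast<int>(f * static_cast<float>(kTableSize));
}

bool indexIsInBounds(int idx) {
    return idx >= 0 && idx < static_cast<int>(kTableSize);
}

// Hardened variant: clamp the index after the narrowing conversion, so a
// range check done on the original double cannot be undone by rounding.
int clampedIndex(double pos) {
    int idx = rawIndexAfterNarrowing(pos);
    if (idx < 0) idx = 0;
    if (idx >= static_cast<int>(kTableSize)) idx = static_cast<int>(kTableSize) - 1;
    return idx;
}

std::uint32_t fetchClamped(double pos) {
    return gColorTable[clampedIndex(pos)];
}
```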

