Bug 269001 - (CVE-2007-4137) CVE-2007-4137 QT off by one buffer overflow
CVE-2007-4137 QT off by one buffer overflow
Product: Security Response
Classification: Other
Component: vulnerability (Show other bugs)
All Linux
high Severity high
: ---
: ---
Assigned To: Red Hat Product Security
: Security
Depends On: 269061 269081 269101 269121 269141 269161 292941 292951
  Show dependency treegraph
Reported: 2007-08-30 16:24 EDT by Josh Bressers
Modified: 2016-03-04 06:48 EST (History)
2 users (show)

See Also:
Fixed In Version:
Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of:
Last Closed: 2008-01-15 11:33:36 EST
Type: ---
Regression: ---
Mount Type: ---
Documentation: ---
Verified Versions:
Category: ---
oVirt Team: ---
RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: ---

Attachments (Terms of Use)
Proposed patch for QT3 (338 bytes, patch)
2007-08-30 16:25 EDT, Josh Bressers
no flags Details | Diff
Proposed patch for QT4 (467 bytes, patch)
2007-08-30 16:26 EDT, Josh Bressers
no flags Details | Diff

  None (edit)
Description Josh Bressers 2007-08-30 16:24:08 EDT
Dirk Mueller reported an off by one buffer overflow flaw in the way QT parses
certain unicode strings.

To quote Dirk:

    I`ve found a off-by-one buffer overflow in QUtf8Decoder::toUnicode().  
    It is not exploitable with Qt 4.x or above because there is an  
    additional QChar(0) being allocated in QString, however it is still a  
    bug there, as the array returned by utf16() etc is no longer  
    terminated properly.
Comment 2 Josh Bressers 2007-08-30 16:25:42 EDT
Created attachment 181821 [details]
Proposed patch for QT3
Comment 3 Josh Bressers 2007-08-30 16:26:03 EDT
Created attachment 181841 [details]
Proposed patch for QT4
Comment 11 Mark J. Cox 2007-09-13 04:57:28 EDT
public, removing embargo
Comment 13 Red Hat Product Security 2008-01-15 11:33:36 EST
This issue was addressed in:

Red Hat Enterprise Linux:


Note You need to log in before you can comment on or make changes to this bug.