A fuzzing test revealed that for certain malformed GIF files, the handler would segfault.
Upstream fix: https://codereview.qt-project.org/#/c/108248/
Acknowledgements: Red Hat would like to thank Richard Moore of KDE for reporting this issue.
Created qt tracking bugs for this issue:
Affects: fedora-all [bug 1210677]
References: Upstream advisory: http://lists.qt-project.org/pipermail/announce/2015-April/000067.html
qt5-qtbase-5.4.1-9.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
Qt 3 appears to be VULNERABLE to this issue. (The offending code can be found in src/kernel/qasyncimageio.cpp.) I am backporting the fix from Qt 4 to the Fedora qt3 package. Qt 4 and Qt 5 are also vulnerable, and Fedora updates correcting this vulnerability have been issued.
Qt 3 patch (backported from Qt 4 by me): http://pkgs.fedoraproject.org/cgit/qt3.git/plain/qt-x11-free-3.3.8b-CVE-2015-1860.patch
Qt 3 security updates filed: https://admin.fedoraproject.org/updates/qt3
qt-4.8.6-28.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
qt3-3.3.8b-63.fc22 has been pushed to the Fedora 22 stable repository. If problems still persist, please make note of it in this bug report.
qt5-qtbase-5.4.1-9.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.
qt5-qtbase-5.4.1-9.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
qt5-qtbase-5.4.1-9.el7 has been pushed to the Fedora EPEL 7 stable repository. If problems still persist, please make note of it in this bug report.
qt-4.8.6-28.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
qt3-3.3.8b-63.fc21 has been pushed to the Fedora 21 stable repository. If problems still persist, please make note of it in this bug report.
qt3-3.3.8b-63.fc20 has been pushed to the Fedora 20 stable repository. If problems still persist, please make note of it in this bug report.