Bug 1868532 (CVE-2020-17507) - CVE-2020-17507 qt: buffer over-read in read_xbm_body in gui/image/qxbmhandler.cpp
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2020-17507
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 1868534 1870297 1870364 1870365 1918158
Blocks: 1868533
 
Reported: 2020-08-13 02:40 UTC by Dhananjay Arunesh
Modified: 2021-05-18 14:48 UTC (History)

Fixed In Version: qt 5.15.1
Doc Text:
Clone Of:
Environment:
Last Closed: 2020-11-10 14:21:30 UTC
Embargoed:



Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2020:5021 0 None None None 2020-11-10 13:04:59 UTC

Description Dhananjay Arunesh 2020-08-13 02:40:59 UTC
An issue was discovered in Qt through 5.12.9, and 5.13.x through 5.15.x before 5.15.1. read_xbm_body in gui/image/qxbmhandler.cpp has a buffer over-read.

References:
https://codereview.qt-project.org/c/qt/qtbase/+/308436
https://codereview.qt-project.org/c/qt/qtbase/+/308495
https://codereview.qt-project.org/c/qt/qtbase/+/308496

Comment 1 Dhananjay Arunesh 2020-08-13 02:41:57 UTC
Created qt tracking bugs for this issue:

Affects: fedora-all [bug 1868534]

Comment 2 Kevin Kofler 2020-08-13 09:19:47 UTC
Yes, Qt 4 appears to be vulnerable, we need to backport the fix.

(Qt 3, on the other hand, does not contain the affected code (the XBM loader), so it cannot be vulnerable.)

Comment 3 Todd Cullum 2020-08-19 15:46:34 UTC
Flaw summary:

In src/gui/image/qxbmhandler.cpp of Qt, there is a buffer overread in the read_xbm_body() function, which reads an X Bitmap Image body from an IO device. The function reads 300 bytes at a time from the input device into `buf` and then uses the pointer `p` to locate and parse hex data from within the buffer. Although the code checks for whether `p` is NULL, it does not check that `p` is inside of the bounds of `buf`. Since `p` is incremented in the loop, and the exit condition is based off of the height value of the XBM, it is possible for a buffer overread to occur due to a crafted height value where `p` is passed to hex2byte() or strstr().

The patch ensures on every iteration of the loop that `p` does not go out of bounds of `buf` and a check for whether the third and fourth chars are hex digits (i.e. 0x3A and not 0x*%) was also added. There is a hardcoded buflen of 300, and the patch's commit message notes that this leaves parsing of lines longer than this unreliable.
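
An added illustration of the bounds discipline described in Comment 3, not Qt's code or the upstream patch: a stand-alone C parser for "0xNN" tokens in which every read is checked against the end of the valid data and both digits are validated. The names parse_xbm_hex and hexval and the sample input are constructed for this example.

```c
#include <stddef.h>
#include <stdio.h>
#include <string.h>

/* Hypothetical helper: value of one hex digit, or -1 if c is not one. */
static int hexval(unsigned char c)
{
    if (c >= '0' && c <= '9') return c - '0';
    if (c >= 'a' && c <= 'f') return c - 'a' + 10;
    if (c >= 'A' && c <= 'F') return c - 'A' + 10;
    return -1;
}

/*
 * Decode up to `want` bytes written as "0xNN" tokens in text[0..len).
 * `want` stands for the count derived from the declared image size, which
 * the input controls, so it only caps the loop; `end` bounds every read.
 * Returns the number of bytes decoded, or -1 on a non-hex digit.
 */
long parse_xbm_hex(const char *text, size_t len, unsigned char *out, size_t want)
{
    const char *p = text, *end = text + len;
    size_t n = 0;

    while (n < want) {
        /* Bounded search: the data need not be NUL-terminated. */
        const char *z = memchr(p, '0', (size_t)(end - p));
        if (z == NULL || end - z < 4)
            break;                      /* no room left for a full "0xNN" */
        if (z[1] != 'x' && z[1] != 'X') {
            p = z + 1;                  /* a stray '0', keep scanning */
            continue;
        }
        int hi = hexval((unsigned char)z[2]), lo = hexval((unsigned char)z[3]);
        if (hi < 0 || lo < 0)
            return -1;                  /* e.g. "0x*%" is rejected */
        out[n++] = (unsigned char)((hi << 4) | lo);
        p = z + 4;
    }
    return (long)n;                     /* caller compares this with `want` */
}

int main(void)
{
    const char body[] = "0x3A, 0xff";   /* constructed sample, 2 bytes of data */
    unsigned char out[8];
    /* Declared size (8) exceeds the data: parsing stops at 2, no over-read. */
    printf("%ld\n", parse_xbm_hex(body, sizeof body - 1, out, 8));
    return 0;
}
```

A caller would treat any return value other than `want` as a failed load.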

Comment 6 Fedora Update System 2020-08-29 16:30:54 UTC
FEDORA-2020-8dd86f1b3f has been pushed to the Fedora 31 stable repository.
If problem still persists, please make note of it in this bug report.

Comment 10 errata-xmlrpc 2020-11-10 13:05:16 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 7

Via RHSA-2020:5021 https://access.redhat.com/errata/RHSA-2020:5021

Comment 11 Product Security DevOps Team 2020-11-10 14:21:30 UTC
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2020-17507

Comment 13 errata-xmlrpc 2021-05-18 14:48:57 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2021:1756 https://access.redhat.com/errata/RHSA-2021:1756

