Bug 2037339 (CVE-2021-45930) - CVE-2021-45930 qt: out-of-bounds write may lead to DoS
Summary: CVE-2021-45930 qt: out-of-bounds write may lead to DoS
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2021-45930
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
medium
medium
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 2037340 2037341 2037342 2037344 2037345 2038487 2038488
Blocks: 2037343
TreeView+ depends on / blocked
 
Reported: 2022-01-05 13:27 UTC by Marian Rehak
Modified: 2022-05-17 10:00 UTC (History)
9 users (show)

Fixed In Version: qt 5.12.12, qt 6.2.2
Doc Type: If docs needed, set a value
Doc Text:
A flaw was found in qtsvg's qsvghandler.cpp module. An attacker who is able to submit a crafted image file to an application that uses qsvghandler could cause an out-of-bounds write and potential denial of service to occur, depending on the application.
Clone Of:
Environment:
Last Closed: 2022-05-12 01:16:04 UTC
Embargoed:

Attachments (Terms of Use)


Links
System ID Private Priority Status Summary Last Updated
Red Hat Product Errata RHSA-2022:1920 0 None None None 2022-05-10 14:18:52 UTC

Description Marian Rehak 2022-01-05 13:27:55 UTC 
An out-of-bounds write in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend (called from QPainterPath::addPath and QPathClipper::intersect).

External Reference:

https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025
Comment 1 Marian Rehak 2022-01-05 13:28:27 UTC 
Created mingw-qt5-qtbase tracking bugs for this issue:

Affects: fedora-all [bug 2037342]


Created qt3 tracking bugs for this issue:

Affects: fedora-all [bug 2037340]


Created qt5 tracking bugs for this issue:

Affects: fedora-all [bug 2037341]


Created qt5-qtbase tracking bugs for this issue:

Affects: fedora-all [bug 2037344]


Created qt6-qtbase tracking bugs for this issue:

Affects: fedora-all [bug 2037345]
Comment 2 Todd Cullum 2022-01-07 23:45:06 UTC 
Note that there seems to be some issues with the oss-fuzz bot that have lead to this issue being closed and marked as resolved before it was actually resolved upstream. The series of oss-fuzz issues seems to be:

1.) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025 (linked in comment#0 above)
qt:qtsvg_svg_qsvgrenderer_render: Crash in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend

2.) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306
qt:qtsvg_svg_qsvgrenderer_render: Crash in QtPrivate::QPodArrayOps<QPainterPath::Element>::copyAppend

3.) https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40161
qt:qtsvg_svg_qsvgrenderer_render: Crash in QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend

So all of those issues are actually caused by the same one bug.
Comment 3 Todd Cullum 2022-01-07 23:49:44 UTC 
Reference for above info: https://github.com/google/oss-fuzz/issues/6237#issuecomment-900591242

Upstream patches:
5.12 branch: https://codereview.qt-project.org/c/qt%2Fqtsvg/+/378662
6.2 branch: https://codereview.qt-project.org/c/qt%2Fqtsvg/+/378661
dev branch: https://codereview.qt-project.org/c/qt/qtsvg/+/378250

Ref: https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=40161#c3
Comment 5 Todd Cullum 2022-01-12 00:54:41 UTC 
Flaw summary:

qtsvg did not follow the SVG spec's requirement that path parsing error out on first issue encountered. It was possible for a crafted file to cause there to be too many QPainterPath elements and a subsequent out-of-bounds write. The upstream patch introduces the error handling functionality and sets the max number of path elements to 32767.
Comment 6 errata-xmlrpc 2022-05-10 14:18:50 UTC 
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2022:1920 https://access.redhat.com/errata/RHSA-2022:1920
Comment 7 Product Security DevOps Team 2022-05-12 01:16:02 UTC 
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s):

https://access.redhat.com/security/cve/cve-2021-45930
Note You need to log in before you can comment on or make changes to this bug.