[Announce] Qt Project Security Advisory - Multiple Vulnerabilities in Qt Image Format Handling

List for announcements regarding Qt releases and development announce at qt-project.org
Mon Apr 13 11:06:51 CEST 2015


Qt Project Security Advisory
----------------------------

Title:        Multiple Vulnerabilities in Qt Image Format Handling
Risk Rating:  High
CVE:          CVE-2015-1858, CVE-2015-1859, CVE-2015-1860
Platforms:    All
Modules:      QtBase
Versions:     Qt 4.8.6 and earlier, Qt 5.4.1 and earlier
Author:       Richard J. Moore <rich at kde.org>
Date:         12th April 2015

Overview
--------

Due to two recent vulnerabilities identified in the built-in image format
handling code, it was decided that this area required further testing to
determine if further issues remained. Fuzzing using afl-fuzz located a
number
of issues in the handling of BMP, ICO and GIF files. The issues exposed
included denial of service and buffer overflows leading to heap corruption.
It
is possible the latter could be used to perform remote code execution.

Details
-------

It is possible to construct invalid BMP, ICO and GIF images that lead to
buffer overflows. The CVEs have been assigned as follows:

CVE-2015-1858 BMP vulnerability
CVE-2015-1859 ICO vulnerability
CVE-2015-1860 GIF vulnerability

Impact
------

Denial of service and potentially remote code execution.

Workaround
----------

None

Solution
--------

Upgrade to Qt 5.5 once released or apply the patches below:

For Qt 5.0 to 5.4:

https://codereview.qt-project.org/#/c/108312/
https://codereview.qt-project.org/#/c/108248/

For Qt 4.8:

https://codereview.qt-project.org/#/c/108474/
https://codereview.qt-project.org/#/c/108475/

The fixes will also be included in Qt 4.8.7 and 5.4.2.

Credits
=======

These issues were discovered by Richard Moore, and were addressed by Eirik
Aavitsland. While this advisory was being prepared, two of the issues were
also identified by Fabian Vogt. Thanks to Redhat for assigning the CVEs.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.qt-project.org/pipermail/announce/attachments/20150413/9ffe7c2e/attachment.html 


More information about the Announce mailing list