[Development] [Announce] Qt Project Security Advisory - Multiple Vulnerabilities in Qt Image Format Handling
Kevin Kofler
kevin.kofler at chello.at
Wed Apr 22 02:14:47 CEST 2015
Hi,
for those who still care about Qt 3, I looked into these vulnerabilities:
> CVE-2015-1858 BMP vulnerability
To the best of my knowledge, Qt 3 is NOT vulnerable to this issue, for the
following reason:
The security fix from Qt 4 changes the relevant code sequence in the BMP/DIB
reader from "protection, get characters, update p" to "get characters,
protection, update p". The Qt 3 code was already using the correct "get
characters, protection, update p" order. ("get characters" increments the x
and y variables, "protection" checks them.) The character reading code was
modified for Qt 4, apparently introducing this bug.
> CVE-2015-1859 ICO vulnerability
To the best of my knowledge, Qt 3 is NOT vulnerable to this issue, because
it does not include an ICO reader. (ICO reading in Qt 3 was provided only in
kdelibs3's kimgio, which uses completely different code.)
> CVE-2015-1860 GIF vulnerability
Qt 3 appears to be VULNERABLE to this issue. I backported the fix from Qt 4:
http://pkgs.fedoraproject.org/cgit/qt3.git/plain/qt-x11-free-3.3.8b-CVE-2015-1860.patch
Please note that Qt 3 is NOT supported by the Qt Project anymore. The above
backported patch (CVE-2015-1860) and statements of non-vulnerability
(CVE-2015-1858/1859) are user-contributed (by me, a volunteer Fedora
packager) on a purely as-is basis.
I hope this helps,
Kevin Kofler
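The check ordering described for CVE-2015-1858 above, as an added illustration that is not part of the original message and is not Qt source code: a simplified model of a run-length decoder's cursor step, showing why "get characters, protection, update p" rejects a bad move while "protection, get characters, update p" lets it through. The `Cursor` type, the function names and the sample bytes are all hypothetical and constructed for this example.

```c
#include <stdio.h>

/* Simplified model of the cursor step in a run-length image decoder.
   All names are hypothetical; this is not Qt source code. */
typedef struct { int w, h; int x, y; } Cursor;

#define REJECTED (-1L)

/* Order described as correct: get characters, protection, update p. */
long step_checked_after(Cursor *c, const unsigned char *in)
{
    c->x += in[0];                      /* get characters: move the cursor */
    c->y += in[1];
    if (c->x >= c->w || c->y >= c->h)   /* protection: checks the NEW position */
        return REJECTED;
    return (long)c->y * c->w + c->x;    /* update p: offset is inside the image */
}

/* Order described as buggy: protection, get characters, update p. */
long step_checked_before(Cursor *c, const unsigned char *in)
{
    if (c->x >= c->w || c->y >= c->h)   /* protection: only sees the OLD position */
        return REJECTED;
    c->x += in[0];                      /* get characters: unchecked move */
    c->y += in[1];
    return (long)c->y * c->w + c->x;    /* update p: offset may exceed w*h */
}

/* Returns 1 when the offset addresses a pixel inside the w*h buffer. */
int offset_in_bounds(const Cursor *c, long off)
{
    return off >= 0 && off < (long)c->w * c->h;
}

int main(void)
{
    const unsigned char move[2] = {0, 10};   /* constructed sample: dy past a 4x4 image */
    Cursor a = {4, 4, 1, 1}, b = {4, 4, 1, 1};
    long good = step_checked_after(&a, move);
    long bad = step_checked_before(&b, move);
    printf("check after read:  %ld\n", good);
    printf("check before read: %ld (in bounds: %d)\n", bad, offset_in_bounds(&b, bad));
    return 0;
}
```

The model only computes the offset that `p` would take and never dereferences it, so the out-of-range case can be observed safely.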