Crash in Qt 5.12.2

Alex Murray alex.murray at canonical.com
Wed Oct 23 07:29:08 UTC 2019


On Wed, 2019-10-23 at 17:32:58 +1030, Robert Loehning wrote:

> On 22.10.19 at 18:41, Dmitry Shachnev wrote:
>> Hi again Robert,
>> 
>> On Fri, Oct 18, 2019 at 02:14:01PM +0000, Robert Loehning wrote:
>>> Hi,
>>>
>>> every application based on Qt will crash when opening a crafted plain
>>> text file. Could you please add the patch below to your builds to fix this?
>>>
>>> Thank you and have a nice weekend.
>> 
>> Let me forward you a question I got on the bug:
>> 
>> https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1848784/comments/1
>> 
>>   This would appear to have security implications since I imagine if an email
>>   were sent to a KMail recipient which was crafted in this same way it would
>>   crash KMail? If this is likely true a CVE should be requested from MITRE via
>>   https://cveform.mitre.org/ so that other distros etc can ensure they ship
>>   this patch too.
>> 
>> What do you think about this?
>> 
>> --
>> Dmitry Shachnev
>> 
>
> Hi Dmitry,
>
> this is most probably right. I expect that it's possible to crash KMail
> in that way. With Quassel, it was already used ITW.
>
> I don't think I'm authorized to send you such a crafted file, but if you
> look closely at the test for the attached fix, you can probably figure
> it out yourself.
>
> I'm not aware of an existing CVE for this issue, though.

FYI - I have just submitted a CVE application for this to MITRE so that
all distros can be notified of, and backport the fix as appropriate.

>
> Cheers,
> Robert




