Crash in Qt 5.12.2
Alex Murray
alex.murray at canonical.com
Thu Oct 24 00:49:13 UTC 2019
On Wed, 2019-10-23 at 21:51:27 +1030, Robert Loehning wrote:
> Am 23.10.19 um 09:29 schrieb Alex Murray:
>>
>> On Wed, 2019-10-23 at 17:32:58 +1030, Robert Loehning wrote:
>>
>>> Am 22.10.19 um 18:41 schrieb Dmitry Shachnev:
>>>> Hi again Robert,
>>>>
>>>> On Fri, Oct 18, 2019 at 02:14:01PM +0000, Robert Loehning wrote:
>>>>> Hi,
>>>>>
>>>>> every application based on Qt will crash when opening a crafted plain
>>>>> text file. Could you please add the patch below to your builds to fix this?
>>>>>
>>>>> Thank you and have a nice weekend.
>>>>
>>>> Let me forward you a question I got on the bug:
>>>>
>>>> https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1848784/comments/1
>>>>
>>>> This would appear to have security implications since I imagine if an email
>>>> were sent to a KMail recipient which was crafted in this same way it would
>>>> crash KMail? If this is likely true a CVE should be requested from MITRE via
>>>> https://cveform.mitre.org/ so that other distros etc can ensure they ship
>>>> this patch too.
>>>>
>>>> What do you think about this?
>>>>
>>>> --
>>>> Dmitry Shachnev
>>>>
>>>
>>> Hi Dmitry,
>>>
>>> this is most probably right. I expect that it's possible to crash KMail
>>> in that way. With Quassel, it was already used ITW.
>>>
>>> I don't think I'm authorized to send you such a crafted file, but if you
>>> look closely at the test for the attached fix, you can probably figure
>>> it out yourself.
>>>
>>> I'm not aware of an existing CVE for this issue, though.
>>
>> FYI - I have just submitted a CVE application for this to MITRE so that
>> all distros can be notified of, and backport the fix as appropriate.
>
> Wonderful! Thank you so much!
MITRE have assigned CVE-2019-18281 for this issue.
>
> Cheers,
> Robert
More information about the Ubuntu-devel-discuss
mailing list