Debian Bug report logs - #1014124
buffer overflow in the mng plugin for Qt (CVE-2020-23884)

Package: qt5-image-formats-plugins; Maintainer for qt5-image-formats-plugins is Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>; Source for qt5-image-formats-plugins is src:qtimageformats-opensource-src.

Reported by: Moritz Mühlenhoff <jmm@inutil.org>

Date: Thu, 30 Jun 2022 14:51:01 UTC

Severity: important

Tags: security, upstream

Fixed in version qtimageformats-opensource-src/5.15.15-3

Done: Dmitry Shachnev <mitya57@debian.org>

Forwarded to https://github.com/nomacs/nomacs/issues/516



Report forwarded to debian-bugs-dist@lists.debian.org, team@security.debian.org, LXQt Packaging Team <pkg-lxqt-devel@lists.alioth.debian.org>:
Bug#1014124; Package src:nomacs. (Thu, 30 Jun 2022 14:51:03 GMT)


Acknowledgement sent to Moritz Mühlenhoff <jmm@inutil.org>:
New Bug report received and forwarded. Copy sent to team@security.debian.org, LXQt Packaging Team <pkg-lxqt-devel@lists.alioth.debian.org>. (Thu, 30 Jun 2022 14:51:03 GMT)


Message #5 received at submit@bugs.debian.org:

From: Moritz Mühlenhoff <jmm@inutil.org>
To: submit@bugs.debian.org
Subject: nomacs: CVE-2020-23884
Date: Thu, 30 Jun 2022 16:47:22 +0200
Source: nomacs
X-Debbugs-CC: team@security.debian.org
Severity: grave
Tags: security

Hi,

The following vulnerability was published for nomacs.

CVE-2020-23884[0]:
| A buffer overflow in Nomacs v3.15.0 allows attackers to cause a denial
| of service (DoS) via a crafted MNG file.

https://github.com/nomacs/nomacs/issues/516

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2020-23884
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-23884

Please adjust the affected versions in the BTS as needed.



Added tag(s) upstream. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 Jun 2022 18:30:07 GMT)


Set Bug forwarded-to-address to 'https://github.com/nomacs/nomacs/issues/516'. Request was from Salvatore Bonaccorso <carnil@debian.org> to control@bugs.debian.org. (Thu, 30 Jun 2022 18:30:07 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, LXQt Packaging Team <pkg-lxqt-devel@lists.alioth.debian.org>:
Bug#1014124; Package src:nomacs. (Tue, 06 Jun 2023 13:00:02 GMT)


Acknowledgement sent to andrew@lists.savchenko.net:
Extra info received and forwarded to list. Copy sent to LXQt Packaging Team <pkg-lxqt-devel@lists.alioth.debian.org>. (Tue, 06 Jun 2023 13:00:02 GMT)


Message #14 received at 1014124@bugs.debian.org:

From: andrew@lists.savchenko.net
To: 1014124@bugs.debian.org
Subject: nomacs: CVE-2020-23884
Date: Tue, 6 Jun 2023 22:27:01 +0930

I think this should be filed against
https://tracker.debian.org/pkg/qtimageformats-opensource-src

Explanation: 
https://github.com/nomacs/nomacs/issues/516#issuecomment-1578313635




Added tag(s) fixed-upstream. Request was from debian-bts-link@lists.debian.org to control@bugs.debian.org. (Thu, 14 Sep 2023 17:36:10 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, LXQt Packaging Team <team+lxqt@tracker.debian.org>:
Bug#1014124; Package src:nomacs. (Mon, 16 Sep 2024 14:45:01 GMT)


Acknowledgement sent to Vincent Lefevre <vincent@vinc17.net>:
Extra info received and forwarded to list. Copy sent to LXQt Packaging Team <team+lxqt@tracker.debian.org>. (Mon, 16 Sep 2024 14:45:02 GMT)


Message #21 received at 1014124@bugs.debian.org:

From: Vincent Lefevre <vincent@vinc17.net>
To: andrew@lists.savchenko.net, 1014124@bugs.debian.org
Cc: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Subject: Re: Bug#1014124: nomacs: CVE-2020-23884
Date: Mon, 16 Sep 2024 16:43:41 +0200
Control: tags -1 - fixed-upstream
Control: reassign -1 qt5-image-formats-plugins
Control: retitle -1 buffer overflow in the mng plugin for Qt (CVE-2020-23884)

The upstream fix in Nomacs was for MS Windows only:

"I removed the qmng.dll plugin from Windows version. MNG files will
not work by default in nomacs on Windows."

because the MS Windows version of Nomacs was providing this plugin.
And this is not a Nomacs bug for Debian (see below).

On 2023-06-06 22:27:01 +0930, andrew@lists.savchenko.net wrote:
> I think this should be filed against
> https://tracker.debian.org/pkg/qtimageformats-opensource-src
> 
> Explanation:
> https://github.com/nomacs/nomacs/issues/516#issuecomment-1578313635

If I understand correctly, the buffer overflow was in the qmng.dll
plugin for Windows (which Nomacs for MS Windows was including). And
the explanation says "the problem affects other Qt-based viewers too"
if Debian's libqmng.so is buggy too. This plugin comes from the
qt5-image-formats-plugins package, so I'm reassigning the bug,
assuming that the bug was in common Qt code for both Windows and
Linux.

If the bug was in Windows-only code, it can be closed.

BTW, I don't understand

  https://github.com/nomacs/nomacs/issues/516#issuecomment-667859911

which says "Qt does not support it anymore" about mng. The given
link is

  https://doc.qt.io/qt-5/qtimageformats-index.html

where I can see:

  MNG / Multiple-image Network Graphics / Read / Yes (Not bundled)

So it is claimed to be supported (for reading), as long as
a 3rd party codec is provided, which is the case in Debian:

cventin:~> ldd /usr/lib/x86_64-linux-gnu/qt5/plugins/imageformats/libqmng.so
[...]
        libmng.so.1 => /lib/x86_64-linux-gnu/libmng.so.1 (0x00007fc3c3600000)
[...]

provided by the libmng1 package.

-- 
Vincent Lefèvre <vincent@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)



Removed tag(s) fixed-upstream. Request was from Vincent Lefevre <vincent@vinc17.net> to 1014124-submit@bugs.debian.org. (Mon, 16 Sep 2024 14:45:02 GMT)


Bug reassigned from package 'src:nomacs' to 'qt5-image-formats-plugins'. Request was from Vincent Lefevre <vincent@vinc17.net> to 1014124-submit@bugs.debian.org. (Mon, 16 Sep 2024 14:45:02 GMT)


Changed Bug title to 'buffer overflow in the mng plugin for Qt (CVE-2020-23884)' from 'nomacs: CVE-2020-23884'. Request was from Vincent Lefevre <vincent@vinc17.net> to 1014124-submit@bugs.debian.org. (Mon, 16 Sep 2024 14:45:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#1014124; Package qt5-image-formats-plugins. (Sat, 26 Oct 2024 05:51:01 GMT)


Acknowledgement sent to Sebastiaan Couwenberg <sebastic@xs4all.nl>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sat, 26 Oct 2024 05:51:01 GMT)


Message #32 received at 1014124@bugs.debian.org:

From: Sebastiaan Couwenberg <sebastic@xs4all.nl>
To: 1014124@bugs.debian.org
Subject: qt5-image-formats-plugins: buffer overflow in the mng plugin for Qt (CVE-2020-23884)
Date: Sat, 26 Oct 2024 07:46:44 +0200
Control: severity -1 important

Lowering the severity as the security-tracker marks it as a no-dsa minor issue.

Kind Regards,

Bas

-- 
 GPG Key ID: 4096R/6750F10AE88D4AF1
Fingerprint: 8182 DE41 7056 408D 6146  50D1 6750 F10A E88D 4AF1




Severity set to 'important' from 'grave'. Request was from Sebastiaan Couwenberg <sebastic@xs4all.nl> to 1014124-submit@bugs.debian.org. (Sat, 26 Oct 2024 05:51:02 GMT)


Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#1014124; Package qt5-image-formats-plugins. (Sat, 26 Oct 2024 09:57:02 GMT)


Acknowledgement sent to Salvatore Bonaccorso <carnil@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>. (Sat, 26 Oct 2024 09:57:02 GMT)


Message #39 received at 1014124@bugs.debian.org:

From: Salvatore Bonaccorso <carnil@debian.org>
To: Sebastiaan Couwenberg <sebastic@xs4all.nl>, 1014124@bugs.debian.org
Cc: Debian Security Team <team@security.debian.org>
Subject: Re: Bug#1014124: qt5-image-formats-plugins: buffer overflow in the mng plugin for Qt (CVE-2020-23884)
Date: Sat, 26 Oct 2024 11:53:52 +0200

Hi,

I will leave specific comment on this to Moritz, but below a general
note since this seems to be not generally known:

On Sat, Oct 26, 2024 at 07:46:44AM +0200, Sebastiaan Couwenberg wrote:
> Control: severity -1 important
> 
> Lowering the severity as the security-tracker marks it as a no-dsa minor issue.

An RC severity and a no-dsa classification are orthogonal. With an RC
severity we make clear this issue should be fixed for the next
to-be-released stable release and we consider it as such.

With no-dsa we think that an out-of-band DSA is not needed for this,
often classifying it as a minor issue. There is additionally a
postponed tag, of the same class, when we think of higher priority or
someone has already queued it. You will see DSAs for both even lower
severity bugs or for RC bugs. But what should be made aware here is
that not every RC issue CVE implies a DSA, or vice versa, if something
is marked no-dsa in the security tracker that it is not considered RC.

Regards,
Salvatore



Message sent on to Moritz Mühlenhoff <jmm@inutil.org>:
Bug#1014124. (Mon, 28 Oct 2024 21:03:01 GMT)


Message #42 received at 1014124-submitter@bugs.debian.org:

From: Dmitry Shachnev <noreply@salsa.debian.org>
To: 1014124-submitter@bugs.debian.org
Subject: Bug#1014124 marked as pending in qtimageformats-opensource-src
Date: Mon, 28 Oct 2024 21:01:41 +0000
Control: tag -1 pending

Hello,

Bug #1014124 in qtimageformats-opensource-src reported by you has been fixed in the
Git repository and is awaiting an upload. You can see the commit
message below and you can check the diff of the fix at:

https://salsa.debian.org/qt-kde-team/qt/qtimageformats/-/commit/3eef1eb4030de28fcdcf2301d44c2da5a76cf0f1

------------------------------------------------------------------------
Add a patch to reject broken MNG images.

Closes: #1014124.
------------------------------------------------------------------------

(this message was generated automatically)
-- 
Greetings

https://bugs.debian.org/1014124



Added tag(s) pending. Request was from Dmitry Shachnev <noreply@salsa.debian.org> to 1014124-submitter@bugs.debian.org. (Mon, 28 Oct 2024 21:03:01 GMT)


Reply sent to Dmitry Shachnev <mitya57@debian.org>:
You have taken responsibility. (Tue, 29 Oct 2024 00:30:02 GMT)


Notification sent to Moritz Mühlenhoff <jmm@inutil.org>:
Bug acknowledged by developer. (Tue, 29 Oct 2024 00:30:02 GMT)


Message #49 received at 1014124-close@bugs.debian.org:

From: Debian FTP Masters <ftpmaster@ftp-master.debian.org>
To: 1014124-close@bugs.debian.org
Subject: Bug#1014124: fixed in qtimageformats-opensource-src 5.15.15-3
Date: Tue, 29 Oct 2024 00:27:53 +0000
Source: qtimageformats-opensource-src
Source-Version: 5.15.15-3
Done: Dmitry Shachnev <mitya57@debian.org>

We believe that the bug you reported is fixed in the latest version of
qtimageformats-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1014124@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev <mitya57@debian.org> (supplier of updated qtimageformats-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


Format: 1.8
Date: Tue, 29 Oct 2024 00:08:53 +0300
Source: qtimageformats-opensource-src
Architecture: source
Version: 5.15.15-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Dmitry Shachnev <mitya57@debian.org>
Closes: 1014124 1046162
Changes:
 qtimageformats-opensource-src (5.15.15-3) unstable; urgency=medium
 .
   * Add a patch to reject broken MNG images, backported from qtbase 6.0
     (CVE-2020-23884, closes: #1014124).
   * Add debian/clean file (closes: #1046162).


Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Thu Nov 21 22:36:01 2024; Machine Name: bembo
