Debian Bug report logs - #417391
CVE-2007-0242, Qt UTF-8 overlong sequence decoding vulnerability


Package: qt4-x11; Maintainer for qt4-x11 is Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>;

Reported by: Ana Guerrero <ana@debian.org>

Date: Mon, 2 Apr 2007 14:21:10 UTC

Severity: grave

Tags: security, upstream

Found in versions 4.2.1-2, 4.2.1-2+b1

Fixed in version 4.2.2-2

Done: Ana Guerrero <ana@debian.org>

Bug is archived. No further changes may be made.



Report forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#417391; Package qt4-x11.

Acknowledgement sent to Ana Guerrero <ana@debian.org>:
New Bug report received and forwarded. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.

Message #5 received at submit@bugs.debian.org:

From: Ana Guerrero <ana@debian.org>
To: submit@bugs.debian.org
Subject: CVE-2007-0242, Qt UTF-8 overlong sequence decoding vulnerability
Date: Mon, 2 Apr 2007 16:15:05 +0100
Package: qt4-x11
Version: 4.2.1-2
Severity: grave
Tags: security 
Justification: user security hole

> this is a notice about a significant bug in the Qt (3.x and 4.x) UTF-8
> decoder, that in certain cases can lead to security vulnerabilities. It causes
> XSS errors at least in Konqueror, though any KDE application that deals with
> URLs or paths from untrusted locations can be affected.
>
> The issue is that the UTF-8 decoder incorrectly does not reject overlong
> sequences, which can cause "/../" injection or (in the case of Konqueror)
> a "<script>" tag injection.
>
> The patch was embargoed, but it leaked recently into the qt snapshots and was
> also imported into qt-copy, so you can consider it public now. Originally
> Trolltech planned to disclose this with a Qt 3.3.9 release, but it seems
> they changed their mind.


This issue has been addressed in the upload 4.2.2-2 (That is also a new
upstream version...)

Ana
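The quoted notice says the decoder "does not reject overlong sequences"; the following added example (not Qt's or Trolltech's code, and not part of the bug report) shows what that means for a path check. `decode_lax` models the class of defect described, a decoder that validates only the lead/continuation bit patterns and not the value they encode; `decode_strict` adds the checks RFC 3629 requires. `SAMPLE_PATH` is a constructed byte string in which the two dots of ".." are written as two-byte overlong forms (0xC0 0xAE), so a byte-level search for `../` finds nothing, the lax decoder produces `docs/../secret`, and the strict decoder refuses the input outright.

```python
"""Overlong UTF-8 sequences: a lax decoder beside a strict one (added example).

Not Qt's code. decode_lax models the defect class in the report (no overlong
check); decode_strict follows RFC 3629 and is what a defender wants in front of
any path or URL check.
"""

# Smallest code point each sequence length may legitimately encode (RFC 3629).
_MIN_CODEPOINT = {1: 0x0, 2: 0x80, 3: 0x800, 4: 0x10000}


def _sequences(data: bytes):
    """Yield (code_point, length) for each syntactically framed sequence.

    Only the lead byte and continuation-byte bit patterns are checked here;
    the value actually encoded is not, which is exactly what lets an overlong
    form through.
    """
    i = 0
    while i < len(data):
        b = data[i]
        if b < 0x80:
            n, cp = 1, b
        elif 0xC0 <= b <= 0xDF:
            n, cp = 2, b & 0x1F
        elif 0xE0 <= b <= 0xEF:
            n, cp = 3, b & 0x0F
        elif 0xF0 <= b <= 0xF7:
            n, cp = 4, b & 0x07
        else:
            raise ValueError(f"invalid lead byte 0x{b:02X} at offset {i}")
        if i + n > len(data):
            raise ValueError(f"truncated sequence at offset {i}")
        for c in data[i + 1:i + n]:
            if c & 0xC0 != 0x80:
                raise ValueError(f"bad continuation byte 0x{c:02X} at offset {i}")
            cp = (cp << 6) | (c & 0x3F)
        yield cp, n
        i += n


def decode_lax(data: bytes) -> str:
    """Accept any well-framed sequence, overlong forms included (the bug class).

    chr() itself still refuses values above U+10FFFF, so this is lax only with
    respect to overlong encodings and surrogates.
    """
    return "".join(chr(cp) for cp, _ in _sequences(data))


def decode_strict(data: bytes) -> str:
    """Reject overlong forms, UTF-16 surrogates and values above U+10FFFF."""
    out = []
    for cp, n in _sequences(data):
        if cp < _MIN_CODEPOINT[n]:
            raise ValueError(f"overlong {n}-byte encoding of U+{cp:04X}")
        if 0xD800 <= cp <= 0xDFFF or cp > 0x10FFFF:
            raise ValueError(f"invalid code point U+{cp:04X}")
        out.append(chr(cp))
    return "".join(out)


def is_well_formed(data: bytes) -> bool:
    """True when the strict decoder accepts the input."""
    try:
        decode_strict(data)
        return True
    except ValueError:
        return False


# Constructed sample: ".." spelled with two overlong encodings of '.' (0xC0 0xAE).
SAMPLE_PATH = b"docs/\xc0\xae\xc0\xae/secret"


def demo() -> dict:
    """What a byte-level filter, a lax decoder and a strict decoder each see."""
    return {
        "bytes_contain_dotdot": b"../" in SAMPLE_PATH,   # False: filter misses it
        "lax": decode_lax(SAMPLE_PATH),                   # 'docs/../secret'
        "strict_rejects": not is_well_formed(SAMPLE_PATH),  # True
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value!r}")
```

The practical rule this illustrates: decode with a strict decoder first and run every security check (path traversal, tag filtering) on the decoded result, never on the raw bytes; Python's own `bytes.decode("utf-8")` already behaves like `decode_strict` here.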






Reply sent to Ana Guerrero <ana@debian.org>:
You have taken responsibility.

Notification sent to Ana Guerrero <ana@debian.org>:
Bug acknowledged by developer.

Message #10 received at 417391-done@bugs.debian.org:

From: Ana Guerrero <ana@debian.org>
To: 417391-done@bugs.debian.org
Subject: Re: Bug#417391: CVE-2007-0242, Qt UTF-8 overlong sequence decoding vulnerability
Date: Mon, 2 Apr 2007 16:33:02 +0100
Version: 4.2.2-2

On Mon, Apr 02, 2007 at 04:15:05PM +0100, Ana Guerrero wrote:
> 
> This issue has been addressed in the upload 4.2.2-2 (That is also a new
> upstream version...)
> 
> Ana



Tags added: upstream. Request was from Filipus Klutiero <cheal@hotpop.com> to control@bugs.debian.org. (Mon, 02 Apr 2007 22:03:14 GMT)

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#417391; Package qt4-x11.

Acknowledgement sent to Jö Fahlke <jorrit@jorrit.de>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.

Message #17 received at 417391@bugs.debian.org:

From: Jö Fahlke <jorrit@jorrit.de>
To: Debian Bug Tracking System <417391@bugs.debian.org>
Subject: qt4-x11: Security update older than original version
Date: Wed, 16 May 2007 08:51:04 +0200
Package: qt4-x11
Version: 4.2.1-2+b1
Followup-For: Bug #417391

For all architectures but arm there are binary-only uploads of
qt4-x11's binary packages in etch, see for example
http://packages.debian.org/libqt4-core .  These compare newer than the
security update:

======================================================================
joe@jupiter:/tmp$ dpkg --compare-versions 4.2.1-2etch1 gt 4.2.1-2+b1
joe@jupiter:/tmp$ echo $?
1
======================================================================

MfG,
Jö.

-- System Information:
Debian Release: 4.0
  APT prefers stable
  APT policy: (500, 'stable')
Architecture: i386 (i686)
Shell:  /bin/sh linked to /bin/bash
Kernel: Linux 2.6.18-4-k7
Locale: LANG=de_DE.UTF-8@euro, LC_CTYPE=de_DE.UTF-8@euro (charmap=UTF-8)

-- 
It is my conviction that killing under the cloak of war is nothing but
an act of murder.
-- Albert Einstein

Information forwarded to debian-bugs-dist@lists.debian.org, Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>:
Bug#417391; Package qt4-x11.

Acknowledgement sent to Noah Meyerhans <noahm@debian.org>:
Extra info received and forwarded to list. Copy sent to Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>.

Message #22 received at 417391@bugs.debian.org:

From: Noah Meyerhans <noahm@debian.org>
To: 417391@bugs.debian.org
Subject: ack
Date: Wed, 16 May 2007 09:28:35 -0400
I'm preparing another round of fixes to address this....


Bug archived. Request was from Debbugs Internal Request <owner@bugs.debian.org> to internal_control@bugs.debian.org. (Wed, 27 Jun 2007 03:52:16 GMT)



Debian bug tracking system administrator <owner@bugs.debian.org>. Last modified: Wed Apr 16 07:21:02 2014; Machine Name: beach.debian.org
