Your message dated Sun, 07 Apr 2024 23:02:18 +0000
with message-id <e1rtbwk-009hqt...@fasolo.debian.org>
and subject line Bug#1055280: fixed in qtbase-opensource-src 5.15.8+dfsg-11+deb12u1
has caused the Debian Bug report #1055280,
regarding libqt5sql5-odbc: Patch CVE-2023-24607.diff breaks Unicode support in libqt5sql5-odbc
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact ow...@bugs.debian.org
immediately.)

-- 
1055280: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1055280
Debian Bug Tracking System
Contact ow...@bugs.debian.org with problems
--- Begin Message ---
Package: libqt5sql5-odbc
Version: 5.15.8+dfsg-11
Severity: important
X-Debbugs-Cc: viktor.my...@insta.fi

Dear Maintainer,

Changes introduced in patch CVE-2023-24607.diff break Unicode handling.
I have tested this with the Microsoft ODBC Driver for SQL Server 17 and 18,
using a database from the Docker image 'mcr.microsoft.com/mssql/server:2019-latest'.

The easiest way to reproduce the issue is by calling QSqlDatabase::tables(),
which returns an empty list. Some other database actions work, but the ODBC
log is filled with HY009 (Invalid use of null pointer) error messages.

The same issue was also present in the package libqt6sql6-odbc
(version 6.4.2+dfsg-10), which includes the same patch.
Version 5.15.2+dfsg-9 on Bullseye works fine.

The Qt GitHub repository 'qtbase' seems to include multiple Unicode-related
commits that seem to address this issue. I suggest including such fixes as
additional patches in the package.

Additionally, it seems that the same CVE vulnerability is still present in
Buster and Bullseye packages.

Testing was done using Docker images debian:bullseye-slim and debian:bookworm-slim.

-- System Information:
Debian Release: 12.2
  APT prefers stable-updates
  APT policy: (500, 'stable-updates'), (500, 'stable-security'), (500, 'stable')
Architecture: amd64 (x86_64)

Kernel: Linux 5.15.90.1-microsoft-standard-WSL2 (SMP w/20 CPU threads)
Locale: LANG=C, LC_CTYPE=C.UTF-8 (charmap=UTF-8), LANGUAGE not set
Shell: /bin/sh linked to /usr/bin/dash
Init: unable to detect

Versions of packages libqt5sql5-odbc depends on:
ii  libc6                              2.36-9+deb12u3
ii  libodbc2                           2.3.11-2+deb12u1
ii  libqt5core5a [qtbase-abi-5-15-8]   5.15.8+dfsg-11
ii  libqt5sql5                         5.15.8+dfsg-11
ii  libstdc++6                         12.2.0-14

libqt5sql5-odbc recommends no packages.

libqt5sql5-odbc suggests no packages.

-- no debconf information
--- End Message ---
--- Begin Message ---
Source: qtbase-opensource-src
Source-Version: 5.15.8+dfsg-11+deb12u1
Done: Dmitry Shachnev <mity...@debian.org>

We believe that the bug you reported is fixed in the latest version of
qtbase-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to 1055...@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev <mity...@debian.org> (supplier of updated qtbase-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmas...@ftp-master.debian.org)

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Sun, 07 Apr 2024 12:45:51 +0300
Source: qtbase-opensource-src
Architecture: source
Version: 5.15.8+dfsg-11+deb12u1
Distribution: bookworm
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Dmitry Shachnev <mity...@debian.org>
Closes: 1037210 1041105 1055280
Changes:
 qtbase-opensource-src (5.15.8+dfsg-11+deb12u1) bookworm; urgency=medium
 .
   [ Alexander Volkov ]
   * Backport upstream patches to fix regression caused by CVE-2023-24607.diff
     (closes: #1055280).
 .
   [ Dmitry Shachnev ]
   * Backport fixes for three CVEs from Debian unstable:
     - CVE-2023-34410: use of system CA certificates when not wanted
       (closes: #1037210).
     - CVE-2023-37369: potential buffer overflow in QXmlStreamReader.
     - CVE-2023-38197: infinite loop in XML recursive entity expansion
       (closes: #1041105).
--- End Message ---