Your message dated Sat, 09 May 2026 21:41:29 +0000
with message-id <[email protected]>
and subject line Bug#1136089: fixed in qt6-svg 6.10.2-6
has caused the Debian Bug report #1136089,
regarding qt6-svg: CVE-2026-6210
to be marked as done.
This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.
(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact [email protected]
immediately.)
--
1136089: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1136089
Debian Bug Tracking System
Contact [email protected] with problems
--- Begin Message ---
Source: qt6-svg
Version: 6.10.2-5
Severity: important
Tags: security upstream
Forwarded: https://codereview.qt-project.org/c/qt/qtsvg/+/724887
X-Debbugs-Cc: [email protected], Debian Security Team <[email protected]>

Hi,

The following vulnerability was published for qt6-svg.

CVE-2026-6210[0]:
| A type confusion vulnerability in Qt SVG allows an attacker to cause
| an application crash via a crafted SVG image. When processing SVG
| marker references, the renderer retrieves a node by its id attribute
| and casts it to QSvgMarker* without verifying the node type. A non-
| marker element (such as a <line> element) that references itself as
| a marker triggers an out-of-bounds heap read due to the object size
| difference between QSvgLine and QSvgMarker, followed by an endless
| recursion that bypasses the marker recursion guard through
| incorrect virtual dispatch. The result is an application crash
| (denial of service). This issue affects Qt SVG: from 6.7.0
| before 6.8.8, from 6.9.0 before 6.11.1.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2026-6210
    https://www.cve.org/CVERecord?id=CVE-2026-6210
[1] https://codereview.qt-project.org/c/qt/qtsvg/+/724887

Please adjust the affected versions in the BTS as needed.

Regards,
Salvatore
--- End Message ---
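
The unchecked cast described in the CVE text above, modelled next to a type-checked lookup. This is an added example, not Qt SVG code and not part of the original messages; `Node`, `Line`, `Marker`, `Document` and both resolver functions are hypothetical names, and the sample document is constructed.

```cpp
// Hypothetical model of the bug class described in the CVE text; not Qt SVG source.
#include <map>
#include <memory>
#include <string>
#include <utility>

struct Node {
    enum class Type { Line, Marker };
    virtual ~Node() = default;
    virtual Type type() const = 0;
    std::string markerRef;  // id named by this node's marker reference (may be empty)
};
struct Line : Node { Type type() const override { return Type::Line; } };
struct Marker : Node {
    Type type() const override { return Type::Marker; }
    double markerWidth = 3.0, markerHeight = 3.0;  // members a Line does not have
};
using Document = std::map<std::string, std::unique_ptr<Node>>;

// "Before" pattern: cast whatever the id lookup returns. If the id names a
// Line, any later access to Marker members reads past the smaller object.
Marker *resolveMarkerUnchecked(const Document &doc, const std::string &id) {
    auto it = doc.find(id);
    return it == doc.end() ? nullptr : static_cast<Marker *>(it->second.get());
}

// Hardened pattern: verify the node type before the downcast.
Marker *resolveMarker(const Document &doc, const std::string &id) {
    auto it = doc.find(id);
    if (it == doc.end() || it->second->type() != Node::Type::Marker)
        return nullptr;  // unknown id or non-marker node: nothing to render
    return static_cast<Marker *>(it->second.get());
}

// Constructed sample: a line whose marker reference is its own id, plus a real marker.
Document sampleDocument() {
    Document doc;
    auto line = std::make_unique<Line>();
    line->markerRef = "self";
    doc["self"] = std::move(line);
    doc["arrow"] = std::make_unique<Marker>();
    return doc;
}

int main() {
    Document doc = sampleDocument();
    // Self-referencing line resolves to no marker; the real marker resolves.
    return (!resolveMarker(doc, "self") && resolveMarker(doc, "arrow")) ? 0 : 1;
}
```

Because the checked resolver returns null for the self-referencing line, a renderer built on it never re-enters marker rendering with a non-marker object.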
--- Begin Message ---
Source: qt6-svg
Source-Version: 6.10.2-6
Done: Patrick Franz <[email protected]>

We believe that the bug you reported is fixed in the latest version of
qt6-svg, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed. If you
have further comments please address them to [email protected],
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Patrick Franz <[email protected]> (supplier of updated qt6-svg package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing [email protected])

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512
Format: 1.8
Date: Sat, 09 May 2026 22:59:35 +0200
Source: qt6-svg
Architecture: source
Version: 6.10.2-6
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <[email protected]>
Changed-By: Patrick Franz <[email protected]>
Closes: 1136089
Changes:
qt6-svg (6.10.2-6) unstable; urgency=medium
.
[ Patrick Franz ]
* Backport patch to fix CVE-2026-6210 (Closes: #1136089).
* Bump Standards-Version to 4.7.4 (no changes needed).
-----BEGIN PGP SIGNATURE-----
-----END PGP SIGNATURE-----
--- End Message ---