Bug#850954: CVE-2016-10040

2017-01-11 Thread Moritz Mühlenhoff
Lisandro Damián Nicanor Pérez Meyer wrote:
> > Maybe the next QT upload should simply add a note to the
> > changelog that it's unsupported. Do we have any notable
> > users of QXmlSimpleReader in stretch? Probably not.
> 
> I'm afraid we do:
> 
> 
> 
> Granted, we need to distinguish between Qt4 and Qt5 users of it.
> 
> What's not clear to me from Thiago's mail is if this bug is still present in 
> Qt >= 5.5 or he's referring to another corner case.

No idea, but it sounds to me as if that's still in 5.5 since the
class is more or less unmaintained.

Cheers,
Moritz



Bug#850954: CVE-2016-10040

2017-01-11 Thread Lisandro Damián Nicanor Pérez Meyer
clone 850954 -1
reassign -1 qt4-x11 4:4.8.2+dfsg-11
thanks

On Wednesday, 11 January 2017 16:44:48 ART Moritz Muehlenhoff wrote:
> Source: qtbase-opensource-src
> Severity: important
> Tags: security
> 
> Hi QT maintainers,

Hi Moritz!

> there was the following report on QXmlSimpleReader:
> http://www.openwall.com/lists/oss-security/2016/12/24/2
> 
> Which upstream later on labels as deprecated:
> http://www.openwall.com/lists/oss-security/2017/01/09/1
> 
> There's probably not much we can do here, but I'd
> be interested in QT maintainers opinion.

Thanks a lot for bringing this to our attention! The first thing to note here is 
that this bug seems to be present in Qt4 too, so I'm cloning the bug. 

> Maybe the next QT upload should simply add a note to the
> changelog that it's unsupported. Do we have any notable
> users of QXmlSimpleReader in stretch? Probably not.

I'm afraid we do:



Granted, we need to distinguish between Qt4 and Qt5 users of it.

What's not clear to me from Thiago's mail is if this bug is still present in 
Qt >= 5.5 or he's referring to another corner case.

Can you clarify this?

-- 
 1: A computer is useful:
* For trying to take over the world; a well-known case of this was
  Skinet
Damian Nadales
http://mx.grulic.org.ar/lurker/message/20080307.141449.a70fb2fc.es.html

Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/




Bug#850954: CVE-2016-10040

2017-01-11 Thread Moritz Muehlenhoff
Source: qtbase-opensource-src
Severity: important
Tags: security

Hi QT maintainers,
there was the following report on QXmlSimpleReader:
http://www.openwall.com/lists/oss-security/2016/12/24/2

Which upstream later on labels as deprecated:
http://www.openwall.com/lists/oss-security/2017/01/09/1

There's probably not much we can do here, but I'd
be interested in QT maintainers opinion.

Maybe the next QT upload should simply add a note to the
changelog that it's unsupported. Do we have any notable
users of QXmlSimpleReader in stretch? Probably not.

Cheers,
Moritz