Re: [Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2022-01-06 Thread Brian Murray
On Thu, Jan 06, 2022 at 05:24:57PM -, Paulo Flabiano Smorigo wrote:
> Thanks! I didn't add the LP number because it was in the previous
> changelog entry. It seems that it needs to be in the latest one in order
> to identify it correctly.

I think you could work around this by using the -v

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2022-01-06 Thread Robert Löhning
I received the update. Thank you! -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to qtbase-opensource-src in Ubuntu. https://bugs.launchpad.net/bugs/1950193 Title: libqt5svg5 affected by CVE-2021-38593 Status in

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2022-01-06 Thread Paulo Flabiano Smorigo
Thanks! I didn't add the LP number because it was in the previous changelog entry. It seems that it needs to be in the latest one in order to identify it correctly.

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2022-01-06 Thread Brian Murray
I'm manually setting the bug tasks to Fix Released as this bug wasn't referenced in the changelog entry.

** Changed in: qtbase-opensource-src (Ubuntu Focal)
   Status: Fix Committed => Fix Released

** Changed in: qtbase-opensource-src (Ubuntu Impish)
   Status: Fix Committed => Fix

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2022-01-06 Thread Paulo Flabiano Smorigo
I've just published focal and impish updates into the -security pocket.

focal: 5.12.8+dfsg-0ubuntu2.1
impish: 5.15.2+dfsg-12ubuntu1.1

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2022-01-05 Thread Dmitry Shachnev
Ok, thank you Paulo. As advised by Brian, I'm adding block-proposed tags to make sure the current packages don't get accidentally released.

** Tags added: block-proposed-focal block-proposed-impish

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2022-01-05 Thread Paulo Flabiano Smorigo
Hello, I'm doing build for the -security pocket as Marc suggested. Will be published soon.

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2022-01-04 Thread Dmitry Shachnev
Marc, can you do it please? You can take my changes but use a different version number so that it's rebuilt. Then we will ask the SRU team to remove the versions in -proposed.

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2022-01-04 Thread Marc Deslauriers
This update needs to go in the -security pocket since it is a security fix, but it likely can't just be copied, it would need to be rebuilt.

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2021-12-19 Thread Dmitry Shachnev
Tested in an Impish chroot:

root@mitya57:/test# time ./test-2021-38593 ./input.svg
Testing for CVE-2021-38593...
If the test doesn't finish immediately, you probably are affected.
Test finished.

real    0m0.033s
user    0m0.004s
sys     0m0.017s
root@mitya57:/test# echo $?
0
root@mitya57:/test#

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2021-12-17 Thread Robert Löhning
I tested this in a VM with a freshly installed Ubuntu 20.04 Desktop. Following the steps in the description with released version 5.12.8+dfsg-0ubuntu1 freezes the entire VM. After upgrading all the Qt packages to 5.12.8+dfsg-0ubuntu2 from proposed repo, the test program finishes immediately as

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2021-12-14 Thread Brian Murray
Hello Robert, or anyone else affected, Accepted qtbase-opensource-src into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qtbase-opensource-src/5.15.2+dfsg-12ubuntu1 in a few hours, and then in the -proposed repository. Please help us by

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2021-12-14 Thread Dmitry Shachnev
** Also affects: qtbase-opensource-src (Ubuntu Impish)
   Importance: Undecided
   Status: New

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2021-12-14 Thread Brian Murray
Does this also need fixing in impish? I'm not very concerned about hirsute given it will be EoL in January.

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2021-12-12 Thread Dmitry Shachnev
** Description changed:

+ [Impact]
+ libqt5svg5 5.12.8-0ubuntu1 in Ubuntu 20.04 is affected by CVE-2021-38593: https://nvd.nist.gov/vuln/detail/CVE-2021-38593 Trying to open the attached svg file will block one core at 100% and occupy much memory. Depending on the configuration, it

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2021-12-07 Thread Dmitry Shachnev
> Anything I can do now to help this arrive in 20.04?

No, I just need to find some free time again. Thanks for reminding me.

** Also affects: qtbase-opensource-src (Ubuntu Focal)
   Importance: Undecided
   Status: New

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2021-12-06 Thread Robert Löhning
Thank you for picking this up, Dmitry, and sorry for not replying earlier. Anything I can do now to help this arrive in 20.04?

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2021-11-30 Thread Launchpad Bug Tracker
This bug was fixed in the package qtbase-opensource-src - 5.15.2+dfsg-14

---
qtbase-opensource-src (5.15.2+dfsg-14) unstable; urgency=medium

  * Backport four upstream commits to fix massive memory consumption when
    rendering specially crafted SVG files (CVE-2021-38593, LP:

[Touch-packages] [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

2021-11-27 Thread Dmitry Shachnev
** Package changed: qtsvg-opensource-src (Ubuntu) => qtbase-opensource-src (Ubuntu)

** Changed in: qtbase-opensource-src (Ubuntu)
   Status: Confirmed => In Progress

** Changed in: qtbase-opensource-src (Ubuntu)
   Assignee: (unassigned) => Dmitry Shachnev (mitya57)