Your message dated Sat, 26 Sep 2020 11:36:30 +0100 with message-id <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk> and subject line Closing bugs for fixes included in 10.6 point release has caused the Debian Bug report #970311, regarding buster-pu: qt4-x11/4:4.8.7+dfsg-18 -> 4:4.8.7+dfsg-18+deb10u1 to be marked as done. This means that you claim that the problem has been dealt with. If this is not the case it is now your responsibility to reopen the Bug report if necessary, and/or fix the problem forthwith. (NB: If you are a system administrator and have no idea what this message is talking about, this may indicate a serious mail system misconfiguration somewhere. Please contact owner@bugs.debian.org immediately.) -- 970311: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=970311 Debian Bug Tracking System Contact owner@bugs.debian.org with problems
--- Begin Message ---
- To: Debian Bug Tracking System <submit@bugs.debian.org>
- Subject: buster-pu: qt4-x11/4:4.8.7+dfsg-18 -> 4:4.8.7+dfsg-18+deb10u1
- From: Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com>
- Date: Mon, 14 Sep 2020 11:25:57 -0300
- Message-id: <[🔎] CA+QPbz06ZWZYVWUijBu=G9cWpTU3h=YUPA7Xobt7dxby8Niihg@mail.gmail.com>
Package: release.debian.org Severity: normal Tags: buster User: release.debian.org@packages.debian.org Usertags: pu Dear stable release team, I'd like to update qt4-x11 in stable in order to fix Debian bug #970308 CVE-2020-17507 The security team decided not to issue a DSA but it would be good to have it fixed non the less. I'll be uploading to buster-p-u soon. Thanks for considering it, Lisandro. -- Lisandro Damián Nicanor Pérez Meyer http://perezmeyer.com.ar/ http://perezmeyer.blogspot.com/diff -Nru qt4-x11-4.8.7+dfsg/debian/changelog qt4-x11-4.8.7+dfsg/debian/changelog --- qt4-x11-4.8.7+dfsg/debian/changelog 2019-04-12 17:10:28.000000000 -0300 +++ qt4-x11-4.8.7+dfsg/debian/changelog 2020-09-14 10:56:35.000000000 -0300 @@ -1,3 +1,10 @@ +qt4-x11 (4:4.8.7+dfsg-18+deb10u1) buster; urgency=medium + + * Backport upstream patch to fix buffer overflow in XBM parser + (CVE-2020-17507, closes: #968444). + + -- Lisandro Damián Nicanor Pérez Meyer <lisandro@debian.org> Mon, 14 Sep 2020 10:56:35 -0300 + qt4-x11 (4:4.8.7+dfsg-18) unstable; urgency=medium * Team upload. diff -Nru qt4-x11-4.8.7+dfsg/debian/patches/CVE-2020-17507.patch qt4-x11-4.8.7+dfsg/debian/patches/CVE-2020-17507.patch --- qt4-x11-4.8.7+dfsg/debian/patches/CVE-2020-17507.patch 1969-12-31 21:00:00.000000000 -0300 +++ qt4-x11-4.8.7+dfsg/debian/patches/CVE-2020-17507.patch 2020-09-14 09:52:18.000000000 -0300 @@ -0,0 +1,21 @@ +Description: fix buffer overflow in XBM parser +Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=1616c71921b73b22 +Last-Update: 2020-08-18 + +--- + src/gui/image/qxbmhandler.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +--- a/src/gui/image/qxbmhandler.cpp ++++ b/src/gui/image/qxbmhandler.cpp +@@ -154,7 +154,9 @@ static bool read_xbm_body(QIODevice *dev + w = (w+7)/8; // byte width + + while (y < h) { // for all encoded bytes... +- if (p) { // p = "0x.." ++ if (p && p < (buf + readBytes - 3)) { // p = "0x.." ++ if (!isxdigit(p[2]) || !isxdigit(p[3])) ++ return false; + *b++ = hex2byte(p+2); + p += 2; + if (++x == w && ++y < h) { diff -Nru qt4-x11-4.8.7+dfsg/debian/patches/series qt4-x11-4.8.7+dfsg/debian/patches/series --- qt4-x11-4.8.7+dfsg/debian/patches/series 2019-04-12 17:10:28.000000000 -0300 +++ qt4-x11-4.8.7+dfsg/debian/patches/series 2020-09-14 10:04:34.000000000 -0300 @@ -19,6 +19,7 @@ CVE-2018-19871.patch CVE-2018-19872.patch CVE-2018-19873.patch +CVE-2020-17507.patch # qt-copy patches 0195-compositing-properties.diff
--- End Message ---
--- Begin Message ---
- To: 947464-done@bugs.debian.org, 949826-done@bugs.debian.org, 953614-done@bugs.debian.org, 961843-done@bugs.debian.org, 965334-done@bugs.debian.org, 967995-done@bugs.debian.org, 967996-done@bugs.debian.org, 968037-done@bugs.debian.org, 968296-done@bugs.debian.org, 968502-done@bugs.debian.org, 968515-done@bugs.debian.org, 968548-done@bugs.debian.org, 968723-done@bugs.debian.org, 968846-done@bugs.debian.org, 969066-done@bugs.debian.org, 969163-done@bugs.debian.org, 969172-done@bugs.debian.org, 969190-done@bugs.debian.org, 969272-done@bugs.debian.org, 969348-done@bugs.debian.org, 969349-done@bugs.debian.org, 969366-done@bugs.debian.org, 969369-done@bugs.debian.org, 969706-done@bugs.debian.org, 969912-done@bugs.debian.org, 970096-done@bugs.debian.org, 970098-done@bugs.debian.org, 970132-done@bugs.debian.org, 970239-done@bugs.debian.org, 970241-done@bugs.debian.org, 970296-done@bugs.debian.org, 970307-done@bugs.debian.org, 970311-done@bugs.debian.org, 970349-done@bugs.debian.org, 970387-done@bugs.debian.org, 970424-done@bugs.debian.org, 970427-done@bugs.debian.org, 970549-done@bugs.debian.org, 970563-done@bugs.debian.org, 970564-done@bugs.debian.org, 970569-done@bugs.debian.org, 970583-done@bugs.debian.org, 970584-done@bugs.debian.org
- Subject: Closing bugs for fixes included in 10.6 point release
- From: "Adam D. Barratt" <adam@adam-barratt.org.uk>
- Date: Sat, 26 Sep 2020 11:36:30 +0100
- Message-id: <d50ba4de424290cd2840a09ef19950156fcf51ab.camel@adam-barratt.org.uk>
Package: release.debian.org Version: 10.6 Hi, Each of these bugs relates to an update that was included in today's stable point release. Regards, Adam
--- End Message ---