Source: qtsvg-opensource-src
Version: 5.15.2-3
Severity: important
Tags: security upstream
Forwarded: https://bugreports.qt.io/browse/QTBUG-96044
X-Debbugs-Cc: car...@debian.org, Debian Security Team <t...@security.debian.org>
Control: found -1 5.11.3-2

Hi,

The following vulnerability was published for qtsvg-opensource-src.

CVE-2021-45930[0]:
| Qt SVG in Qt 5.0.0 through 5.15.2 and 6.0.0 through 6.2.1 has an
| out-of-bounds write in
| QtPrivate::QCommonArrayOps<QPainterPath::Element>::growAppend
| (called from QPainterPath::addPath and QPathClipper::intersect).

Note that for 5.12.y it was fixed with [6] in 5.12.12, but remains
unfixed in 5.15.2. The corresponding QT bug does not seem public, still
marking it as forwarded there.

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2021-45930
    https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-45930
[1] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37025
[2] https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=37306
[3] https://github.com/google/oss-fuzz-vulns/blob/main/vulns/qt/OSV-2021-1121.yaml
[4] https://github.com/qt/qtsvg/commit/36cfd9efb9b22b891adee9c48d30202289cfa620 (dev)
[5] https://github.com/qt/qtsvg/commit/79bb9f51fa374106a612d17c9d98d35d807be670 (v6.2.2)
[6] https://github.com/qt/qtsvg/commit/a3b753c2d077313fc9eb93af547051b956e383fc (v5.12.12)
[7] https://bugreports.qt.io/browse/QTBUG-96044

Regards,
Salvatore