Hello Robert, or anyone else affected, Accepted qtbase-opensource-src into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qtbase-opensource- src/5.15.2+dfsg-12ubuntu1 in a few hours, and then in the -proposed repository.
Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users. If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed- impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification- failed-impish. In either case, without details of your testing we will not be able to proceed. Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping! N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days. ** Changed in: qtbase-opensource-src (Ubuntu Impish) Status: New => Fix Committed ** Tags added: verification-needed verification-needed-impish ** Changed in: qtbase-opensource-src (Ubuntu Focal) Status: New => Fix Committed ** Tags added: verification-needed-focal -- You received this bug notification because you are a member of Ubuntu Touch seeded packages, which is subscribed to qtbase-opensource-src in Ubuntu. https://bugs.launchpad.net/bugs/1950193 Title: libqt5svg5 affected by CVE-2021-38593 Status in qtbase-opensource-src package in Ubuntu: Fix Released Status in qtbase-opensource-src source package in Focal: Fix Committed Status in qtbase-opensource-src source package in Impish: Fix Committed Bug description: [Impact] libqt5svg5 5.12.8-0ubuntu1 in Ubuntu 20.04 is affected by CVE-2021-38593: https://nvd.nist.gov/vuln/detail/CVE-2021-38593 Trying to open the attached svg file will block one core at 100% and occupy much memory. Depending on the configuration, it might even run out of memory and crash. This is fixed upstream by: https://codereview.qt-project.org/c/qt/qtbase/+/377942 The original issue is public since July 29th. [Test Plan] 1. Install libqt5svg5-dev, qtbase5-dev and their dependencies. 2. Build the attached project with the system's version of Qt: /usr/lib/qt5/bin/qmake test-2021-38593.pro && make 3. Start the resulting binary and pass the path to the included input file as first parameter: ./test-2021-38593 ./input.svg The binary should return immediately and without error messages. If it doesn't, you might be affected. [Where problems could occur] The fix tries to skip drawing dashes that would be invisible anyway. So a potential problem may that it skips too much. In fact, this has already happened, and upstream had to adjust the fix. [Other Info] The patch is a combination of the following upstream commits: - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=7f345f2a1c8d9f60 - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=9378ba2ae857df7e - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=81998f50d039a631 - https://code.qt.io/cgit/qt/qtbase.git/commit/?id=cca8ed0547405b1c To manage notifications about this bug go to: https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1950193/+subscriptions -- Mailing list: https://launchpad.net/~touch-packages Post to : touch-packages@lists.launchpad.net Unsubscribe : https://launchpad.net/~touch-packages More help : https://help.launchpad.net/ListHelp