On Wed, 2019-10-23 at 21:51:27 +1030, Robert Loehning wrote:

> On 23.10.19 at 09:29, Alex Murray wrote:
>> 
>> On Wed, 2019-10-23 at 17:32:58 +1030, Robert Loehning wrote:
>> 
>>> On 22.10.19 at 18:41, Dmitry Shachnev wrote:
>>>> Hi again Robert,
>>>>
>>>> On Fri, Oct 18, 2019 at 02:14:01PM +0000, Robert Loehning wrote:
>>>>> Hi,
>>>>>
>>>>> every application based on Qt will crash when opening a crafted plain
>>>>> text file. Could you please add the patch below to your builds to fix 
>>>>> this?
>>>>>
>>>>> Thank you and have a nice weekend.
>>>>
>>>> Let me forward you a question I got on the bug:
>>>>
>>>> https://bugs.launchpad.net/ubuntu/+source/qtbase-opensource-src/+bug/1848784/comments/1
>>>>
>>>>   This would appear to have security implications since I imagine if an
>>>>   email were sent to a KMail recipient which was crafted in this same way
>>>>   it would crash KMail? If this is likely true a CVE should be requested
>>>>   from MITRE via https://cveform.mitre.org/ so that other distros etc can
>>>>   ensure they ship this patch too.
>>>>
>>>> What do you think about this?
>>>>
>>>> --
>>>> Dmitry Shachnev
>>>>
>>>
>>> Hi Dmitry,
>>>
>>> this is most probably right. I expect that it's possible to crash KMail
>>> in that way. With Quassel, it was already used ITW.
>>>
>>> I don't think I'm authorized to send you such a crafted file, but if you
>>> look closely at the test for the attached fix, you can probably figure
>>> it out yourself.
>>>
>>> I'm not aware of an existing CVE for this issue, though.
>> 
>> FYI - I have just submitted a CVE application for this to MITRE so that
>> all distros can be notified of, and backport the fix as appropriate.
>
> Wonderful! Thank you so much!

MITRE have assigned CVE-2019-18281 for this issue.

>
> Cheers,
> Robert


-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: 
https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
