Crash in Qt 5.12.2

Bug #1848784 reported by Dmitry Shachnev
This bug affects 1 person

| Affects | Status | Importance | Assigned to | Milestone |
|---|---|---|---|---|
| qtbase-opensource-src (Ubuntu) | Fix Released | Undecided | Ubuntu Security Team | |
| Disco | Won't Fix | Undecided | Ubuntu Security Team | |
| Eoan | Fix Released | Undecided | Ubuntu Security Team | |

Bug Description

Originally reported by Robert Loehning in <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2019-October/018485.html>:

Every application based on Qt will crash when opening a crafted plain text file. Could you please add the patch below to your builds to fix this?

https://codereview.qt-project.org/c/qt/qtbase/+/271889

CVE References

Alex Murray (alexmurray) wrote :

This would appear to have security implications since I imagine if an email were sent to a KMail recipient which was crafted in this same way it would crash KMail? If this is likely true a CVE should be requested from MITRE via https://cveform.mitre.org/ so that other distros etc can ensure they ship this patch too.

Alex Murray (alexmurray) wrote :

MITRE has assigned CVE-2019-18281 for this issue.

Changed in qtbase-opensource-src (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
information type: Public → Public Security

Dmitry Shachnev (mitya57) wrote :

Focal now has Qt 5.12.5 where this is fixed.

Changed in qtbase-opensource-src (Ubuntu Bionic):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in qtbase-opensource-src (Ubuntu Disco):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in qtbase-opensource-src (Ubuntu Eoan):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in qtbase-opensource-src (Ubuntu):
status: New → Fix Released

Alex Murray (alexmurray) wrote :

Removing the bionic task since the version in bionic is not affected (it doesn't contain the original vulnerability).

no longer affects: qtbase-opensource-src (Ubuntu Bionic)

Dmitry Shachnev (mitya57) wrote :

Fixed in eoan by https://launchpad.net/ubuntu/+source/qtbase-opensource-src/5.12.4+dfsg-4ubuntu1.1.

disco has reached end of life on 2020-01-18, so this won't be fixed there.

Changed in qtbase-opensource-src (Ubuntu Eoan):
status: New → Fix Released
Changed in qtbase-opensource-src (Ubuntu Disco):
status: New → Won't Fix