Crash in Qt 5.12.2

Bug #1848784 reported by Dmitry Shachnev on 2019-10-18
This bug affects 1 person
Affects: qtbase-opensource-src (Ubuntu); Importance: Undecided; Assigned to: Ubuntu Security Team
Affects: Disco; Importance: Undecided; Assigned to: Ubuntu Security Team
Affects: Eoan; Importance: Undecided; Assigned to: Ubuntu Security Team

Bug Description

Originally reported by Robert Loehning in <https://lists.ubuntu.com/archives/ubuntu-devel-discuss/2019-October/018485.html>:

Every application based on Qt will crash when opening a crafted plain text file. Could you please add the patch below to your builds to fix this?

https://codereview.qt-project.org/c/qt/qtbase/+/271889

CVE References

Alex Murray (alexmurray) wrote :

This would appear to have security implications since I imagine if an email were sent to a KMail recipient which was crafted in this same way it would crash KMail? If this is likely true a CVE should be requested from MITRE via https://cveform.mitre.org/ so that other distros etc can ensure they ship this patch too.

Alex Murray (alexmurray) wrote :

MITRE has assigned CVE-2019-18281 for this issue.

Changed in qtbase-opensource-src (Ubuntu):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
information type: Public → Public Security
Dmitry Shachnev (mitya57) wrote :

Focal now has Qt 5.12.5 where this is fixed.

Changed in qtbase-opensource-src (Ubuntu Bionic):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in qtbase-opensource-src (Ubuntu Disco):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in qtbase-opensource-src (Ubuntu Eoan):
assignee: nobody → Ubuntu Security Team (ubuntu-security)
Changed in qtbase-opensource-src (Ubuntu):
status: New → Fix Released
Alex Murray (alexmurray) wrote :

Removing the bionic task since the version in bionic is not affected (it doesn't contain the original vulnerability).

no longer affects: qtbase-opensource-src (Ubuntu Bionic)
Dmitry Shachnev (mitya57) wrote :

Fixed in eoan by https://launchpad.net/ubuntu/+source/qtbase-opensource-src/5.12.4+dfsg-4ubuntu1.1.

disco has reached end of life on 2020-01-18, so this won't be fixed there.

Changed in qtbase-opensource-src (Ubuntu Eoan):
status: New → Fix Released
Changed in qtbase-opensource-src (Ubuntu Disco):
status: New → Won't Fix