libqt5svg5 affected by CVE-2021-38593

Bug #1950193 reported by Robert Löhning
260
This bug affects 1 person
Affects Status Importance Assigned to Milestone
qtbase-opensource-src (Ubuntu)
Fix Released
Undecided
Dmitry Shachnev
Focal
Fix Released
Undecided
Unassigned
Impish
Fix Released
Undecided
Unassigned

Bug Description

[Impact]

libqt5svg5 5.12.8-0ubuntu1 in Ubuntu 20.04 is affected by CVE-2021-38593:
https://nvd.nist.gov/vuln/detail/CVE-2021-38593

Trying to open the attached svg file will block one core at 100% and occupy much memory. Depending on the configuration, it might even run out of memory and crash. This is fixed upstream by:
https://codereview.qt-project.org/c/qt/qtbase/+/377942

The original issue is public since July 29th.

[Test Plan]

1. Install libqt5svg5-dev, qtbase5-dev and their dependencies.
2. Build the attached project with the system's version of Qt:
   /usr/lib/qt5/bin/qmake test-2021-38593.pro && make
3. Start the resulting binary and pass the path to the included input file as first parameter:
   ./test-2021-38593 ./input.svg
   The binary should return immediately and without error messages. If it doesn't, you might be affected.

[Where problems could occur]

The fix tries to skip drawing dashes that would be invisible anyway. So a potential problem may that it skips too much. In fact, this has already happened, and upstream had to adjust the fix.

[Other Info]

The patch is a combination of the following upstream commits:

- https://code.qt.io/cgit/qt/qtbase.git/commit/?id=7f345f2a1c8d9f60
- https://code.qt.io/cgit/qt/qtbase.git/commit/?id=9378ba2ae857df7e
- https://code.qt.io/cgit/qt/qtbase.git/commit/?id=81998f50d039a631
- https://code.qt.io/cgit/qt/qtbase.git/commit/?id=cca8ed0547405b1c

CVE References

Revision history for this message
Robert Löhning (rlohning) wrote :
Revision history for this message
Robert Löhning (rlohning) wrote :
Revision history for this message
Robert Löhning (rlohning) wrote :

To test for the issue:

1. Install libqt5svg5-dev and its dependencies.
2. Build the attached project with the system's version of Qt:
   /usr/bin/qmake test-2021-38593.pro && make
3. Start the resulting binary and pass the path to the included input file as first parameter:
   ./test-2021-38593 ./input.svg
   The binary should return immediately and without error messages. If it doesn't, you might be affected.

Revision history for this message
Robert Löhning (rlohning) wrote :

Correction for building the test program:

1. Install libqt5svg5-dev, qtbase5-dev and their dependencies.
2. Build the attached project with the system's version of Qt:
   /usr/lib/qt5/bin/qmake test-2021-38593.pro && make
3. Start the resulting binary and pass the path to the included input file as first parameter:
   ./test-2021-38593 ./input.svg
   The binary should return immediately and without error messages. If it doesn't, you might be affected.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
information type: Private Security → Public Security
Changed in qtsvg-opensource-src (Ubuntu):
status: New → Confirmed
affects: qtsvg-opensource-src (Ubuntu) → qtbase-opensource-src (Ubuntu)
Changed in qtbase-opensource-src (Ubuntu):
assignee: nobody → Dmitry Shachnev (mitya57)
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qtbase-opensource-src - 5.15.2+dfsg-14

---------------
qtbase-opensource-src (5.15.2+dfsg-14) unstable; urgency=medium

  * Backport four upstream commits to fix massive memory consumption when
    rendering specially crafted SVG files (CVE-2021-38593, LP: #1950193).
  * Update symbols files from buildds’ logs.
  * Override some source-is-missing and unpack-message-for-orig warnings.

 -- Dmitry Shachnev <email address hidden> Sun, 28 Nov 2021 17:12:50 +0300

Changed in qtbase-opensource-src (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Robert Löhning (rlohning) wrote :

Thank you picking this up Dmitry and sorry for not replying earlier.

Anything I can do now to help this arrive in 20.04?

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

> Anything I can do now to help this arrive in 20.04?

No, I just need to find some free time again. Thanks for reminding me.

description: updated
Revision history for this message
Brian Murray (brian-murray) wrote :

Does this also need fixing in impish? I'm not very concerned about hirsute given it will be EoL in January.

Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Robert, or anyone else affected,

Accepted qtbase-opensource-src into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qtbase-opensource-src/5.15.2+dfsg-12ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in qtbase-opensource-src (Ubuntu Impish):
status: New → Fix Committed
tags: added: verification-needed verification-needed-impish
Changed in qtbase-opensource-src (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Robert, or anyone else affected,

Accepted qtbase-opensource-src into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qtbase-opensource-src/5.12.8+dfsg-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (qtbase-opensource-src/5.15.2+dfsg-12ubuntu1)

All autopkgtests for the newly accepted qtbase-opensource-src (5.15.2+dfsg-12ubuntu1) for impish have finished running.
The following regressions have been reported in tests triggered by the package:

kmediaplayer/5.86.0-0ubuntu1 (armhf)
octomap/1.9.5+dfsg-1 (armhf)
kwayland/4:5.86.0-0ubuntu1 (armhf)
octave/6.2.0-1 (armhf)
libqapt/3.0.5-1ubuntu1 (armhf)
libqaccessibilityclient/0.4.1-1build1 (armhf)
libreoffice/1:7.2.3-0ubuntu0.21.10.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/impish/update_excuses.html#qtbase-opensource-src

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Robert Löhning (rlohning) wrote :

I tested this in a VM with a freshly installed Ubuntu 20.04 Desktop. Following the steps in the description with released version 5.12.8+dfsg-0ubuntu1 freezes the entire VM.

After upgrading all the Qt packages to 5.12.8+dfsg-0ubuntu2 from proposed repo, the test program finishes immediately as expected. To upgrade, I used the following command line:

sudo aptitude install -V qtbase5-dev/focal-proposed libqt5concurrent5/focal-proposed libqt5core5a/focal-proposed libqt5dbus5/focal-proposed libqt5gui5/focal-proposed qt5-qmake/focal-proposed qtbase5-dev-tools/focal-proposed qt5-qmake-bin/focal-proposed libqt5network5/focal-proposed libqt5printsupport5/focal-proposed libqt5sql5/focal-proposed libqt5test5/focal-proposed libqt5widgets5/focal-proposed libqt5xml5/focal-proposed

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Dmitry Shachnev (mitya57) wrote :

Tested in an Impish chroot:

root@mitya57:/test# time ./test-2021-38593 ./input.svg
Testing for CVE-2021-38593...
If the test doesn't finish immediately, you probably are affected.
Test finished.

real 0m0.033s
user 0m0.004s
sys 0m0.017s
root@mitya57:/test# echo $?
0
root@mitya57:/test# apt policy libqt5gui5
libqt5gui5:
  Installed: 5.15.2+dfsg-12ubuntu1
  Candidate: 5.15.2+dfsg-12ubuntu1
  Version table:
 *** 5.15.2+dfsg-12ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu impish-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     5.15.2+dfsg-12 500
        500 http://archive.ubuntu.com/ubuntu impish/universe amd64 Packages

With the version from release pocket, the test program does not finish after 30 seconds.

tags: added: verification-done verification-done-impish
removed: verification-needed verification-needed-impish
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This update needs to go in the -security pocket since it is a security fix, but it likely can't just be copied, it would need to be rebuilt.

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

Marc, can you do it please? You can take my changes but use a different version number so that it's rebuilt. Then we will ask the SRU team to remove the versions in -proposed.

Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

Hello, I'm doing build for the -security pocket as Marc suggested. Will be published soon.

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

Ok, thank you Paulo.

As advised by Brian, I'm adding block-proposed tags to make sure the current packages don't get accidentally released.

tags: added: block-proposed-focal block-proposed-impish
Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

I've just published focal and impish updates into the -security pocket.

focal: 5.12.8+dfsg-0ubuntu2.1
impish: 5.15.2+dfsg-12ubuntu1.1

Revision history for this message
Brian Murray (brian-murray) wrote :

I'm manually setting the bug tasks to Fix Released as this bug wasn't referenced in the changelog entry.

Changed in qtbase-opensource-src (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in qtbase-opensource-src (Ubuntu Impish):
status: Fix Committed → Fix Released
tags: removed: block-proposed-focal block-proposed-impish
Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

Thanks! I didn't add the LP number because it was in the previous changelog entry. It seems that it needs to be in the latest one in order to identify it correctly.

Revision history for this message
Brian Murray (brian-murray) wrote : Re: [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

On Thu, Jan 06, 2022 at 05:24:57PM -0000, Paulo Flabiano Smorigo wrote:
> Thanks! I didn't add the LP number because it was in the previous
> changelog entry. It seems that it needs to be in the latest one in order
> to identify it correctly.

I think you could work around this by using the -v argument to debuild
which will create a source.changes file with different contents e.g.

debuild ... -v5.15.2+dfsg-12

--
Brian Murray

Revision history for this message
Robert Löhning (rlohning) wrote :

I received the update. Thank you!

To post a comment you must log in.
This report contains Public Security information  
Everyone can see this security related information.

Other bug subscribers