libqt5svg5 affected by CVE-2021-38593

Bug #1950193 reported by Robert Löhning
Affects                          Status        Importance  Assigned to      Milestone
qtbase-opensource-src (Ubuntu)   Fix Released  Undecided   Dmitry Shachnev
  Focal                          Fix Released  Undecided   Unassigned
  Impish                         Fix Released  Undecided   Unassigned

Bug Description

[Impact]

libqt5svg5 5.12.8-0ubuntu1 in Ubuntu 20.04 is affected by CVE-2021-38593:
https://nvd.nist.gov/vuln/detail/CVE-2021-38593

Trying to open the attached svg file will block one core at 100% and occupy much memory. Depending on the configuration, it might even run out of memory and crash. This is fixed upstream by:
https://codereview.qt-project.org/c/qt/qtbase/+/377942

The original issue has been public since July 29th.

[Test Plan]

1. Install libqt5svg5-dev, qtbase5-dev and their dependencies.
2. Build the attached project with the system's version of Qt:
   /usr/lib/qt5/bin/qmake test-2021-38593.pro && make
3. Start the resulting binary and pass the path to the included input file as first parameter:
   ./test-2021-38593 ./input.svg
   The binary should return immediately and without error messages. If it doesn't, you might be affected.

[Where problems could occur]

The fix tries to skip drawing dashes that would be invisible anyway. So a potential problem may be that it skips too much. In fact, this has already happened, and upstream had to adjust the fix.
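An added illustration (not Qt's code, not the upstream patch, and not the attached test project) of why a very fine dash pattern on a long path is so expensive, and of the trade-off described above: one guard treats dashes as solid when a whole dash-and-gap period falls below a visibility threshold, an over-eager variant that looks only at dash lengths shows how such a guard can skip too much (a dotted stroke would be flattened into a solid line), and a segment budget bounds the work regardless. DashPattern, devicePeriod, estimateSegments, dashesInvisible, anyDashTiny, planStroke and the threshold constants kMinVisiblePeriod and kMaxSegments are names and values assumed for this example; the input patterns are constructed.

```cpp
#include <cmath>
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed illustration, not Qt's QDashStroker and not the upstream patch.
// It models why a tiny dash pattern on a long path makes a naive dash
// stroker generate an enormous number of segments, and shows guards that
// draw such a stroke as a solid line instead. Threshold names and values
// (kMinVisiblePeriod, kMaxSegments) are assumptions chosen for this example.

struct DashPattern {
    // Alternating dash, gap, dash, gap, ... lengths in user units.
    std::vector<double> lengths;
};

// Length in device pixels of one full repetition of the pattern once the
// painter's scale factor has been applied.
double devicePeriod(const DashPattern &p, double scale) {
    double sum = 0.0;
    for (double l : p.lengths) sum += l;
    return sum * scale;
}

// Number of dash/gap segments a naive stroker would emit along a path of
// `pathLength` device pixels: every repetition of the pattern costs
// lengths.size() segments. Returns 0 for an empty pattern and UINT64_MAX
// when the pattern never advances (a zero-length period would loop forever).
uint64_t estimateSegments(double pathLength, const DashPattern &p, double scale) {
    if (p.lengths.empty() || pathLength <= 0.0) return 0;
    const double period = devicePeriod(p, scale);
    if (period <= 0.0) return UINT64_MAX;
    const double reps = std::ceil(pathLength / period);
    const double segments = reps * static_cast<double>(p.lengths.size());
    if (segments >= 1.8e19) return UINT64_MAX;   // beyond uint64_t range
    return static_cast<uint64_t>(segments);
}

// Guard 1 (period based): if a whole dash+gap repetition is smaller than
// kMinVisiblePeriod device pixels, individual dashes cannot be resolved, so
// the stroke is indistinguishable from a solid line and can be drawn as one.
const double kMinVisiblePeriod = 0.5;
bool dashesInvisible(const DashPattern &p, double scale) {
    return devicePeriod(p, scale) < kMinVisiblePeriod;
}

// An over-eager variant, included to show the "skips too much" risk the
// report mentions: testing only the dash lengths wrongly treats a dotted
// stroke (tiny dash, wide gap) as solid even though its dots are visible.
bool anyDashTiny(const DashPattern &p, double scale) {
    for (std::size_t i = 0; i < p.lengths.size(); i += 2)   // even indices are dashes
        if (p.lengths[i] * scale < kMinVisiblePeriod) return true;
    return false;
}

// Guard 2 (budget based): regardless of visibility, never let a single stroke
// expand into more than kMaxSegments pieces; this bounds CPU and memory even
// for patterns the visibility rule does not catch.
const uint64_t kMaxSegments = 1000000;

struct StrokePlan {
    bool solid;         // true: draw one solid line instead of dashes
    uint64_t segments;  // segments the naive stroker would have generated
};

StrokePlan planStroke(double pathLength, const DashPattern &p, double scale) {
    const uint64_t n = estimateSegments(pathLength, p, scale);
    const bool solid = p.lengths.empty() || dashesInvisible(p, scale) || n > kMaxSegments;
    return {solid, n};
}

int main() {
    // Constructed inputs: path length and scale are in device pixels.
    struct Case { const char *name; double len; DashPattern pat; double scale; };
    const Case cases[] = {
        {"normal dashes",       10000.0, {{1000.0, 1000.0}}, 1.0},
        {"dotted line",         10000.0, {{0.01, 100.0}},    1.0},
        {"sub-pixel pattern",   10000.0, {{0.5, 0.5}},       1.0 / 1024},
        {"zero-length pattern",    10.0, {{0.0, 0.0}},       1.0},
    };
    for (const Case &c : cases) {
        StrokePlan plan = planStroke(c.len, c.pat, c.scale);
        std::printf("%-20s segments=%llu solid=%d over-eager-guard=%d\n", c.name,
                    (unsigned long long)plan.segments, (int)plan.solid,
                    (int)anyDashTiny(c.pat, c.scale));
    }
    return 0;
}
```

The "sub-pixel pattern" case is the shape of the problem: a 1-unit pattern scaled by 1/1024 on a 10000-pixel path expands to over twenty million segments, none of which can be told apart on screen, so both guards agree it should be drawn solid. The "dotted line" case is why the visibility rule has to look at the whole period rather than the dash alone: the dash is tiny but the dots are 100 pixels apart and clearly visible, and the over-eager variant would wrongly erase them.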

[Other Info]

The patch is a combination of the following upstream commits:

- https://code.qt.io/cgit/qt/qtbase.git/commit/?id=7f345f2a1c8d9f60
- https://code.qt.io/cgit/qt/qtbase.git/commit/?id=9378ba2ae857df7e
- https://code.qt.io/cgit/qt/qtbase.git/commit/?id=81998f50d039a631
- https://code.qt.io/cgit/qt/qtbase.git/commit/?id=cca8ed0547405b1c



To test for the issue:

1. Install libqt5svg5-dev and its dependencies.
2. Build the attached project with the system's version of Qt:
   /usr/bin/qmake test-2021-38593.pro && make
3. Start the resulting binary and pass the path to the included input file as first parameter:
   ./test-2021-38593 ./input.svg
   The binary should return immediately and without error messages. If it doesn't, you might be affected.

Revision history for this message
Robert Löhning (rlohning) wrote :

Correction for building the test program:

1. Install libqt5svg5-dev, qtbase5-dev and their dependencies.
2. Build the attached project with the system's version of Qt:
   /usr/lib/qt5/bin/qmake test-2021-38593.pro && make
3. Start the resulting binary and pass the path to the included input file as first parameter:
   ./test-2021-38593 ./input.svg
   The binary should return immediately and without error messages. If it doesn't, you might be affected.

Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

Thanks for taking the time to report this bug and helping to make Ubuntu better. Since the package referred to in this bug is in universe or multiverse, it is community maintained. If you are able, I suggest coordinating with upstream and posting a debdiff for this issue. When a debdiff is available, members of the security team will review it and publish the package. See the following link for more information: https://wiki.ubuntu.com/SecurityTeam/UpdateProcedures

tags: added: community-security
information type: Private Security → Public Security
Changed in qtsvg-opensource-src (Ubuntu):
status: New → Confirmed
affects: qtsvg-opensource-src (Ubuntu) → qtbase-opensource-src (Ubuntu)
Changed in qtbase-opensource-src (Ubuntu):
assignee: nobody → Dmitry Shachnev (mitya57)
status: Confirmed → In Progress
Revision history for this message
Launchpad Janitor (janitor) wrote :

This bug was fixed in the package qtbase-opensource-src - 5.15.2+dfsg-14

---------------
qtbase-opensource-src (5.15.2+dfsg-14) unstable; urgency=medium

  * Backport four upstream commits to fix massive memory consumption when
    rendering specially crafted SVG files (CVE-2021-38593, LP: #1950193).
  * Update symbols files from buildds’ logs.
  * Override some source-is-missing and unpack-message-for-orig warnings.

 -- Dmitry Shachnev <email address hidden> Sun, 28 Nov 2021 17:12:50 +0300

Changed in qtbase-opensource-src (Ubuntu):
status: In Progress → Fix Released
Revision history for this message
Robert Löhning (rlohning) wrote :

Thank you for picking this up, Dmitry, and sorry for not replying earlier.

Anything I can do now to help this arrive in 20.04?

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

> Anything I can do now to help this arrive in 20.04?

No, I just need to find some free time again. Thanks for reminding me.

description: updated
Revision history for this message
Brian Murray (brian-murray) wrote :

Does this also need fixing in impish? I'm not very concerned about hirsute given it will be EoL in January.

Revision history for this message
Brian Murray (brian-murray) wrote : Please test proposed package

Hello Robert, or anyone else affected,

Accepted qtbase-opensource-src into impish-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qtbase-opensource-src/5.15.2+dfsg-12ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-impish to verification-done-impish. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-impish. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in qtbase-opensource-src (Ubuntu Impish):
status: New → Fix Committed
tags: added: verification-needed verification-needed-impish
Changed in qtbase-opensource-src (Ubuntu Focal):
status: New → Fix Committed
tags: added: verification-needed-focal
Revision history for this message
Brian Murray (brian-murray) wrote :

Hello Robert, or anyone else affected,

Accepted qtbase-opensource-src into focal-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qtbase-opensource-src/5.12.8+dfsg-0ubuntu2 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested, what testing has been performed on the package and change the tag from verification-needed-focal to verification-done-focal. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-focal. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification. Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Revision history for this message
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (qtbase-opensource-src/5.15.2+dfsg-12ubuntu1)

All autopkgtests for the newly accepted qtbase-opensource-src (5.15.2+dfsg-12ubuntu1) for impish have finished running.
The following regressions have been reported in tests triggered by the package:

kmediaplayer/5.86.0-0ubuntu1 (armhf)
octomap/1.9.5+dfsg-1 (armhf)
kwayland/4:5.86.0-0ubuntu1 (armhf)
octave/6.2.0-1 (armhf)
libqapt/3.0.5-1ubuntu1 (armhf)
libqaccessibilityclient/0.4.1-1build1 (armhf)
libreoffice/1:7.2.3-0ubuntu0.21.10.1 (armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/impish/update_excuses.html#qtbase-opensource-src

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Revision history for this message
Robert Löhning (rlohning) wrote :

I tested this in a VM with a freshly installed Ubuntu 20.04 Desktop. Following the steps in the description with released version 5.12.8+dfsg-0ubuntu1 freezes the entire VM.

After upgrading all the Qt packages to 5.12.8+dfsg-0ubuntu2 from proposed repo, the test program finishes immediately as expected. To upgrade, I used the following command line:

sudo aptitude install -V qtbase5-dev/focal-proposed libqt5concurrent5/focal-proposed libqt5core5a/focal-proposed libqt5dbus5/focal-proposed libqt5gui5/focal-proposed qt5-qmake/focal-proposed qtbase5-dev-tools/focal-proposed qt5-qmake-bin/focal-proposed libqt5network5/focal-proposed libqt5printsupport5/focal-proposed libqt5sql5/focal-proposed libqt5test5/focal-proposed libqt5widgets5/focal-proposed libqt5xml5/focal-proposed

tags: added: verification-done-focal
removed: verification-needed-focal
Revision history for this message
Dmitry Shachnev (mitya57) wrote :

Tested in an Impish chroot:

root@mitya57:/test# time ./test-2021-38593 ./input.svg
Testing for CVE-2021-38593...
If the test doesn't finish immediately, you probably are affected.
Test finished.

real 0m0.033s
user 0m0.004s
sys 0m0.017s
root@mitya57:/test# echo $?
0
root@mitya57:/test# apt policy libqt5gui5
libqt5gui5:
  Installed: 5.15.2+dfsg-12ubuntu1
  Candidate: 5.15.2+dfsg-12ubuntu1
  Version table:
 *** 5.15.2+dfsg-12ubuntu1 500
        500 http://archive.ubuntu.com/ubuntu impish-proposed/universe amd64 Packages
        100 /var/lib/dpkg/status
     5.15.2+dfsg-12 500
        500 http://archive.ubuntu.com/ubuntu impish/universe amd64 Packages

With the version from release pocket, the test program does not finish after 30 seconds.

tags: added: verification-done verification-done-impish
removed: verification-needed verification-needed-impish
Revision history for this message
Marc Deslauriers (mdeslaur) wrote :

This update needs to go in the -security pocket since it is a security fix, but it likely can't just be copied, it would need to be rebuilt.

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

Marc, can you do it please? You can take my changes but use a different version number so that it's rebuilt. Then we will ask the SRU team to remove the versions in -proposed.

Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

Hello, I'm doing build for the -security pocket as Marc suggested. Will be published soon.

Revision history for this message
Dmitry Shachnev (mitya57) wrote :

Ok, thank you Paulo.

As advised by Brian, I'm adding block-proposed tags to make sure the current packages don't get accidentally released.

tags: added: block-proposed-focal block-proposed-impish
Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

I've just published focal and impish updates into the -security pocket.

focal: 5.12.8+dfsg-0ubuntu2.1
impish: 5.15.2+dfsg-12ubuntu1.1

Revision history for this message
Brian Murray (brian-murray) wrote :

I'm manually setting the bug tasks to Fix Released as this bug wasn't referenced in the changelog entry.

Changed in qtbase-opensource-src (Ubuntu Focal):
status: Fix Committed → Fix Released
Changed in qtbase-opensource-src (Ubuntu Impish):
status: Fix Committed → Fix Released
tags: removed: block-proposed-focal block-proposed-impish
Revision history for this message
Paulo Flabiano Smorigo (pfsmorigo) wrote :

Thanks! I didn't add the LP number because it was in the previous changelog entry. It seems that it needs to be in the latest one in order to identify it correctly.

Revision history for this message
Brian Murray (brian-murray) wrote : Re: [Bug 1950193] Re: libqt5svg5 affected by CVE-2021-38593

On Thu, Jan 06, 2022 at 05:24:57PM -0000, Paulo Flabiano Smorigo wrote:
> Thanks! I didn't add the LP number because it was in the previous
> changelog entry. It seems that it needs to be in the latest one in order
> to identify it correctly.

I think you could work around this by using the -v argument to debuild
which will create a source.changes file with different contents e.g.

debuild ... -v5.15.2+dfsg-12

--
Brian Murray

Revision history for this message
Robert Löhning (rlohning) wrote :

I received the update. Thank you!
