libqt5svg5 affected by CVE-2021-38593
Affects | Status | Importance | Assigned to | Milestone |
---|---|---|---|---|
qtbase-opensource-src (Ubuntu) | Fix Released | Undecided | Dmitry Shachnev | |
Focal | Fix Released | Undecided | Unassigned | |
Impish | Fix Released | Undecided | Unassigned | |
Bug Description
[Impact]
libqt5svg5 5.12.8-0ubuntu1 in Ubuntu 20.04 is affected by CVE-2021-38593:
https:/
Trying to open the attached svg file will block one core at 100% and occupy much memory. Depending on the configuration, it might even run out of memory and crash. This is fixed upstream by:
https:/
The original issue has been public since July 29th.
[Test Plan]
1. Install libqt5svg5-dev, qtbase5-dev and their dependencies.
2. Build the attached project with the system's version of Qt:
/usr/
3. Start the resulting binary and pass the path to the included input file as first parameter:
./test-
The binary should return immediately and without error messages. If it doesn't, you might be affected.
[Where problems could occur]
The fix tries to skip drawing dashes that would be invisible anyway. So a potential problem may be that it skips too much. In fact, this has already happened, and upstream had to adjust the fix.
[Other Info]
The patch is a combination of the following upstream commits:
- https:/
- https:/
- https:/
- https:/
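
A bounded way to run step 3 of the test plan, so that a vulnerable build cannot pin a core or exhaust memory on the test machine. This is an added example, not part of the bug report or the attached project; the function name `check_reproducer`, the 10-second limit and the 4 GiB address-space cap are assumptions, and the reproducer command is supplied by the caller.

```shell
#!/bin/sh
# Added example: run a reproducer under wall-clock and memory limits.
# Both defaults are assumptions, not values taken from the bug report.
: "${TIME_LIMIT:=10}"            # seconds before the run counts as a hang
: "${MEM_LIMIT_KB:=4194304}"     # address-space cap in KiB (4 GiB)

# check_reproducer CMD [ARGS...]
# Returns 0 if CMD exits cleanly and silently within the limits,
#         1 if CMD is still running when the time limit expires,
#         2 if CMD fails or writes to stderr (the test plan expects no messages).
check_reproducer() {
    rc=0
    # The command substitution is a subshell, so the ulimit only applies to CMD.
    err=$(
        ulimit -v "$MEM_LIMIT_KB" 2>/dev/null || true
        # Send SIGTERM at the limit, SIGKILL two seconds later if still alive.
        exec timeout -k 2 "$TIME_LIMIT" "$@" 2>&1 >/dev/null
    ) || rc=$?

    case "$rc" in
        0)
            if [ -n "$err" ]; then
                echo "REVIEW: exited 0 but wrote to stderr:"
                echo "$err"
                return 2
            fi
            echo "OK: returned within ${TIME_LIMIT}s without messages"
            return 0 ;;
        124|137)
            # 124: stopped by timeout; 137: SIGKILL was needed after the grace period.
            echo "HANG: still running after ${TIME_LIMIT}s, build may be affected"
            return 1 ;;
        *)
            echo "FAILED: exit status $rc (crash or allocation failure under the cap?)"
            [ -n "$err" ] && echo "$err"
            return 2 ;;
    esac
}

# Stand-alone use: pass the test binary and the input file as arguments.
if [ "$#" -gt 0 ]; then
    check_reproducer "$@"
fi
```

Invoke the script with the binary built in step 2 and the path to the input file as its arguments.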
CVE References
affects: | qtsvg-opensource-src (Ubuntu) → qtbase-opensource-src (Ubuntu) |
Changed in qtbase-opensource-src (Ubuntu): | |
assignee: | nobody → Dmitry Shachnev (mitya57) |
status: | Confirmed → In Progress |
description: | updated |
To test for the issue:
1. Install libqt5svg5-dev and its dependencies.
2. Build the attached project with the system's version of Qt:
/usr/bin/qmake test-2021-38593.pro && make
3. Start the resulting binary and pass the path to the included input file as first parameter:
./test-2021-38593 ./input.svg
The binary should return immediately and without error messages. If it doesn't, you might be affected.