Bug 1118599 (CVE-2018-19869) - VUL-1: CVE-2018-19869: libqt5-qtsvg: Fix crash when parsing malformed url reference
Summary: VUL-1: CVE-2018-19869: libqt5-qtsvg: Fix crash when parsing malformed url ref...
Status: RESOLVED FIXED
Alias: CVE-2018-19869
Product: SUSE Security Incidents
Classification: Novell Products
Component: Incidents (show other bugs)
Version: unspecified
Hardware: Other Other
: P4 - Low : Normal
Target Milestone: ---
Assignee: Security Team bot
QA Contact: Security Team bot
URL: https://smash.suse.de/issue/220284/
Whiteboard: CVSSv3:SUSE:CVE-2018-19869:4.0:(AV:L/...
Keywords:
Depends on:
Blocks:
 
Reported: 2018-12-06 08:38 UTC by Alexander Bergmann
Modified: 2024-05-07 09:28 UTC (History)
1 user (show)

See Also:
Found By: ---
Services Priority:
Business Priority:
Blocker: ---
Marketing QA Status: ---
IT Deployment: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Alexander Bergmann 2018-12-06 08:38:25 UTC 
CVE-2018-19869, Qt Svg: Fix crash when parsing malformed url reference

Fix crash when parsing malformed url reference

The parsing did not check for end of input.

Change-Id: I56a478877d242146395977b767511425d2b8ced1
Reviewed-by: Lars Knoll <lars.knoll@qt.io>

Upstream fix:
https://codereview.qt-project.org/#/c/234142/
Comment 2 Max Lin 2018-12-17 09:23:22 UTC 
MRs has been accepted, back to security team.
Comment 3 Swamp Workflow Management 2019-04-02 16:22:00 UTC 
openSUSE-SU-2019:1116-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1118599
CVE References: CVE-2018-19869
Sources used:
openSUSE Leap 15.0 (src):    libqt5-qtsvg-5.9.4-lp150.2.3.2

*** NOTE: This information is not intended to be used for external
    communication, because this may only be a partial fix.
    If you have questions please reach out to maintenance coordination.
Comment 7 Swamp Workflow Management 2020-04-17 13:24:56 UTC 
SUSE-SU-2020:1021-1: An update that solves three vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1118595,1118596,1118599,1121214
CVE References: CVE-2018-15518,CVE-2018-19869,CVE-2018-19873
Sources used:
SUSE Linux Enterprise Workstation Extension 12-SP5 (src):    libqt4-4.8.7-8.13.1, libqt4-sql-plugins-4.8.7-8.13.1
SUSE Linux Enterprise Workstation Extension 12-SP4 (src):    libqt4-4.8.7-8.13.1, libqt4-sql-plugins-4.8.7-8.13.1
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libqt4-4.8.7-8.13.1, libqt4-devel-doc-4.8.7-8.13.1, libqt4-sql-plugins-4.8.7-8.13.1
SUSE Linux Enterprise Software Development Kit 12-SP4 (src):    libqt4-4.8.7-8.13.1, libqt4-devel-doc-4.8.7-8.13.1, libqt4-sql-plugins-4.8.7-8.13.1
SUSE Linux Enterprise Server 12-SP5 (src):    libqt4-4.8.7-8.13.1, libqt4-devel-doc-4.8.7-8.13.1, libqt4-sql-plugins-4.8.7-8.13.1
SUSE Linux Enterprise Server 12-SP4 (src):    libqt4-4.8.7-8.13.1, libqt4-devel-doc-4.8.7-8.13.1, libqt4-sql-plugins-4.8.7-8.13.1

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 8 OBSbugzilla Bot 2020-09-14 17:10:17 UTC 
This is an autogenerated message for OBS integration:
This bug (1118599) was mentioned in
https://build.opensuse.org/request/show/834336 15.1 / libqt4
Comment 9 Swamp Workflow Management 2020-09-18 22:16:38 UTC 
openSUSE-SU-2020:1452-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1118595,1118596,1118599,1121214,1176315
CVE References: CVE-2018-15518,CVE-2018-19869,CVE-2018-19873,CVE-2020-17507
JIRA References: 
Sources used:
openSUSE Leap 15.1 (src):    libqt4-4.8.7-lp151.9.3.1, libqt4-devel-doc-4.8.7-lp151.9.3.1, libqt4-sql-plugins-4.8.7-lp151.9.3.1
Comment 10 Swamp Workflow Management 2020-09-22 13:14:43 UTC 
openSUSE-SU-2020:1500-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1118595,1118596,1118599,1121214,1176315
CVE References: CVE-2018-15518,CVE-2018-19869,CVE-2018-19873,CVE-2020-17507
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP1 (src):    libqt4-4.8.7-bp151.4.3.1, libqt4-devel-doc-4.8.7-bp151.4.3.1, libqt4-sql-plugins-4.8.7-bp151.4.3.1
Comment 11 Swamp Workflow Management 2020-09-22 16:22:05 UTC 
openSUSE-SU-2020:1501-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1118595,1118596,1118599,1121214,1176315
CVE References: CVE-2018-15518,CVE-2018-19869,CVE-2018-19873,CVE-2020-17507
JIRA References: 
Sources used:
openSUSE Leap 15.2 (src):    libqt4-4.8.7-lp152.10.3.1, libqt4-devel-doc-4.8.7-lp152.10.3.1, libqt4-sql-plugins-4.8.7-lp152.10.3.1
Comment 12 Swamp Workflow Management 2020-09-25 22:19:51 UTC 
openSUSE-SU-2020:1530-1: An update that solves four vulnerabilities and has one errata is now available.

Category: security (moderate)
Bug References: 1118595,1118596,1118599,1121214,1176315
CVE References: CVE-2018-15518,CVE-2018-19869,CVE-2018-19873,CVE-2020-17507
JIRA References: 
Sources used:
openSUSE Backports SLE-15-SP2 (src):    libqt4-4.8.7-bp152.4.3.1, libqt4-devel-doc-4.8.7-bp152.4.3.1, libqt4-sql-plugins-4.8.7-bp152.4.3.1
Comment 13 Swamp Workflow Management 2020-10-14 16:19:42 UTC 
SUSE-SU-2020:2924-1: An update that fixes one vulnerability is now available.

Category: security (moderate)
Bug References: 1118599
CVE References: CVE-2018-19869
JIRA References: 
Sources used:
SUSE Linux Enterprise Software Development Kit 12-SP5 (src):    libqt5-qtsvg-5.6.2-3.3.110
SUSE Linux Enterprise Server 12-SP5 (src):    libqt5-qtsvg-5.6.2-3.3.110

NOTE: This line indicates an update has been released for the listed product(s). At times this might be only a partial fix. If you have questions please reach out to maintenance coordination.
Comment 17 Thomas Leroy 2024-05-07 09:28:29 UTC 
All done, closing.