Bug#1041105: marked as done (qtbase-opensource-src: CVE-2023-38197)



Your message dated Thu, 27 Jul 2023 21:10:14 +0000
with message-id <E1qP8FS-00BLBM-Dc@fasolo.debian.org>
and subject line Bug#1041105: fixed in qtbase-opensource-src 5.15.10+dfsg-3
has caused the Debian Bug report #1041105,
regarding qtbase-opensource-src: CVE-2023-38197
to be marked as done.

This means that you claim that the problem has been dealt with.
If this is not the case it is now your responsibility to reopen the
Bug report if necessary, and/or fix the problem forthwith.

(NB: If you are a system administrator and have no idea what this
message is talking about, this may indicate a serious mail system
misconfiguration somewhere. Please contact owner@bugs.debian.org
immediately.)


-- 
1041105: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1041105
Debian Bug Tracking System
Contact owner@bugs.debian.org with problems
--- Begin Message ---
Source: qtbase-opensource-src
X-Debbugs-CC: team@security.debian.org
Severity: important
Tags: security

Hi,

The following vulnerability was published for qtbase-opensource-src.

CVE-2023-38197[0]:
| An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and
| 6.3.x through 6.5.x before 6.5.3. There are infinite loops in
| recursive entity expansion.

https://codereview.qt-project.org/c/qt/qtbase/+/488960

If you fix the vulnerability please also make sure to include the
CVE (Common Vulnerabilities & Exposures) id in your changelog entry.

For further information see:

[0] https://security-tracker.debian.org/tracker/CVE-2023-38197
    https://www.cve.org/CVERecord?id=CVE-2023-38197

Please adjust the affected versions in the BTS as needed.

--- End Message ---
--- Begin Message ---
Source: qtbase-opensource-src
Source-Version: 5.15.10+dfsg-3
Done: Dmitry Shachnev <mitya57@debian.org>

We believe that the bug you reported is fixed in the latest version of
qtbase-opensource-src, which is due to be installed in the Debian FTP archive.

A summary of the changes between this version and the previous one is
attached.

Thank you for reporting the bug, which will now be closed.  If you
have further comments please address them to 1041105@bugs.debian.org,
and the maintainer will reopen the bug report if appropriate.

Debian distribution maintenance software
pp.
Dmitry Shachnev <mitya57@debian.org> (supplier of updated qtbase-opensource-src package)

(This message was generated automatically at their request; if you
believe that there is a problem with it please contact the archive
administrators by mailing ftpmaster@ftp-master.debian.org)


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

Format: 1.8
Date: Thu, 27 Jul 2023 23:01:32 +0300
Source: qtbase-opensource-src
Architecture: source
Version: 5.15.10+dfsg-3
Distribution: unstable
Urgency: medium
Maintainer: Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org>
Changed-By: Dmitry Shachnev <mitya57@debian.org>
Closes: 1041105
Changes:
 qtbase-opensource-src (5.15.10+dfsg-3) unstable; urgency=medium
 .
   [ Pino Toscano ]
   * Drop the support for the dead GNU/kFreeBSD:
     - drop the patches gnukfreebsd.diff, and nonlinux_utime.diff, as they only
       apply changes to that OS
       - drop installed files added by them
     - drop the kfreebsd-any qualifiers from the firebird-dev, and libgbm-dev
       build dependencies
     - drop the kfreebsd-any qualifiers from binary packages
     - drop the kfreebsd-any qualifiers in install files
     - drop the kfreebsd qualifiers in symbols files
   * More changes to symbols files:
     - set a symbol as linux-any, as it is Linux-specific
     - drop mips, and powerpcspe qualifiers, as those architectures are long dead
   * Remove 2 obsolete maintscript entries in 2 files.
 .
   [ Dmitry Shachnev ]
   * Backport upstream patches to make QXmlStreamReaderPrivate::fastScanName
     indicate parsing status to callers (CVE-2023-37369).
   * Backport upstream patch to make QXmlStreamReader raise error on unexpected
     tokens (CVE-2023-38197, closes: #1041105).


--- End Message ---