Gentoo Archives: gentoo-announce

From: Sune Kloppenborg Jeppesen <jaervosz@g.o>
To: gentoo-announce@l.g.o
Cc: bugtraq@×××××××××××××.com, full-disclosure@××××××××××××××.uk, security-alerts@×××××××××××××.com
Subject: [gentoo-announce] [ GLSA 200509-18 ] Qt: Buffer overflow in the included zlib library
Date: Mon, 26 Sep 2005 21:07:13
Message-Id: 200509262151.10249.jaervosz@gentoo.org
1 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
2 Gentoo Linux Security Advisory GLSA 200509-18
3 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
4 http://security.gentoo.org/
5 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
6
7 Severity: Normal
8 Title: Qt: Buffer overflow in the included zlib library
9 Date: September 26, 2005
10 Bugs: #100683
11 ID: 200509-18
12
13 - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - -
14
15 Synopsis
16 ========
17
18 Qt is vulnerable to a buffer overflow which could potentially lead to
19 the execution of arbitrary code.
20
21 Background
22 ==========
23
24 Qt is a cross-platform GUI toolkit used by KDE.
25
26 Affected packages
27 =================
28
29 -------------------------------------------------------------------
30 Package / Vulnerable / Unaffected
31 -------------------------------------------------------------------
32 1 x11-libs/qt < 3.3.4-r8 >= 3.3.4-r8
33
34 Description
35 ===========
36
37 Qt links to a bundled vulnerable version of zlib when emerged with the
38 zlib USE-flag disabled. This may lead to a buffer overflow.
39
40 Impact
41 ======
42
43 By creating a specially crafted compressed data stream, attackers can
44 overwrite data structures for applications that use Qt, resulting in a
45 Denial of Service or potentially arbitrary code execution.
46
47 Workaround
48 ==========
49
50 Emerge Qt with the zlib USE-flag enabled.
51
52 Resolution
53 ==========
54
55 All Qt users should upgrade to the latest version:
56
57 # emerge --sync
58 # emerge --ask --oneshot --verbose ">=x11-libs/qt-3.3.4-r8"
59
60 Availability
61 ============
62
63 This GLSA and any updates to it are available for viewing at
64 the Gentoo Security Website:
65
66 http://security.gentoo.org/glsa/glsa-200509-18.xml
67
68 Concerns?
69 =========
70
71 Security is a primary focus of Gentoo Linux and ensuring the
72 confidentiality and security of our users machines is of utmost
73 importance to us. Any security concerns should be addressed to
74 security@g.o or alternatively, you may file a bug at
75 http://bugs.gentoo.org.
76
77 License
78 =======
79
80 Copyright 2005 Gentoo Foundation, Inc; referenced text
81 belongs to its owner(s).
82
83 The contents of this document are licensed under the
84 Creative Commons - Attribution / Share Alike license.
85
86 http://creativecommons.org/licenses/by-sa/2.0