summaryrefslogtreecommitdiff
path: root/metadata/glsa/glsa-201603-10.xml
blob: 25d2e3672b6eadc95a2838ac474634ec84820519 (plain)
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
<?xml version="1.0" encoding="UTF-8"?>
<!DOCTYPE glsa SYSTEM "http://www.gentoo.org/dtd/glsa.dtd">
<glsa id="201603-10">
  <title>QtGui: Multiple vulnerabilities </title>
  <synopsis>Multiple vulnerabilities have been found in QtGui allowing remote
    attackers to execute arbitrary code or cause Denial of Service.
  </synopsis>
  <product type="ebuild"/>
  <announced>2016-03-12</announced>
  <revised count="2">2016-03-12</revised>
  <bug>546174</bug>
  <access>remote</access>
  <affected>
    <package name="dev-qt/qtgui" auto="yes" arch="*">
      <unaffected range="ge">5.4.1-r1</unaffected>
      <unaffected range="rge">4.8.6-r4</unaffected>
      <unaffected range="rge">4.8.7</unaffected>
      <vulnerable range="lt">5.4.1-r1</vulnerable>
    </package>
  </affected>
  <background>
    <p>QtGui is the GUI module and platform plugins for the Qt framework</p>
  </background>
  <description>
    <p>Multiple buffer overflow vulnerabilities have been discovered in QtGui. 
      It is possible for remote attackers to construct specially crafted BMP,
      ICO, or GIF images that lead to buffer overflows. After successfully
      overflowing the buffer the remote attacker can then cause a Denial of
      Service or execute arbitrary code.
    </p>
  </description>
  <impact type="normal">
    <p>A remote attacker could possibly execute arbitrary code or cause Denial
      of Service.
    </p>
  </impact>
  <workaround>
    <p>There is no known work around at this time.</p>
  </workaround>
  <resolution>
    <p>All QtGui 4.8 users should upgrade to the latest version:</p>
    
    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose "&gt;=dev-qt/qtgui-4.8.6-r4"
    </code>
    
    <p>All QtGui 5.4 users should upgrade to the latest version:</p>
    
    <code>
      # emerge --sync
      # emerge --ask --oneshot --verbose "&gt;=dev-qt/qtgui-5.4.1-r1"
    </code>
  </resolution>
  <references>
    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1858">CVE-2015-1858</uri>
    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1859">CVE-2015-1859</uri>
    <uri link="https://nvd.nist.gov/nvd.cfm?cvename=CVE-2015-1860">CVE-2015-1860</uri>
  </references>
  <metadata tag="requester" timestamp="2015-12-31T05:00:23Z">
    BlueKnight
  </metadata>
  <metadata tag="submitter" timestamp="2016-03-12T12:25:16Z">b-man</metadata>
</glsa>