
CVE-2021-38593

Published: 12 August 2021

Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).

Priority

Medium

CVSS 3 base score: 7.5

Status

Package: qtbase-opensource-src (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Released (5.9.5+dfsg-0ubuntu2.6)
focal      Needs triage
hirsute    Ignored (reached end-of-life)
impish     Needs triage
jammy      Needs triage
trusty     Does not exist
upstream   Needs triage
xenial     Not vulnerable (code not present)

Package: qtbase-opensource-src-gles (Launchpad, Ubuntu, Debian)

Release    Status
bionic     Does not exist
focal      Needs triage
hirsute    Ignored (reached end-of-life)
impish     Needs triage
jammy      Needs triage
trusty     Does not exist
upstream   Needs triage
xenial     Ignored (out of standard support)

Notes

Author: leosilva
Note: xenial/esm is not affected, code affected is not present

Author: mdeslaur
Note: code was introduced in:
https://github.com/qt/qtbase/commit/6869d2463a2e0d71bd04dbc82f5d6ef4933dc510
While the patch fixes code that was only introduced in 6.0, the
code in 6.0 did introduce a fix that 5.0 didn't have.

References

Bugs