CVE-2021-38593

Published: 12 August 2021

Qt 5.0.0 through 6.1.2 has an out-of-bounds write in QOutlineMapper::convertPath (called from QRasterPaintEngine::fill and QPaintEngineEx::stroke).

Priority

Medium

CVSS 3 base score: 7.5

Status

Package Release Status
qtbase-opensource-src
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.10 (Impish Indri) Needs triage

Ubuntu 21.04 (Hirsute Hippo) Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Needs triage

Ubuntu 18.04 LTS (Bionic Beaver)
Released (5.9.5+dfsg-0ubuntu2.6)
Ubuntu 16.04 ESM (Xenial Xerus) Not vulnerable
(code not present)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Patches:
Upstream: https://github.com/qt/qtbase/commit/1ca02cf2879a5e1511a2f2109f0925cf4c892862 (6.1)
Upstream: https://github.com/qt/qtbase/commit/202143ba41f6ac574f1858214ed8bf4a38b73ccd (6.2)
Upstream: https://github.com/qt/qtbase/commit/6b400e3147dcfd8cc3a393ace1bd118c93762e0c (dev)
qtbase-opensource-src-gles
Launchpad, Ubuntu, Debian
Upstream Needs triage

Ubuntu 21.10 (Impish Indri) Needs triage

Ubuntu 21.04 (Hirsute Hippo) Needs triage

Ubuntu 20.04 LTS (Focal Fossa) Needs triage

Ubuntu 18.04 LTS (Bionic Beaver) Does not exist

Ubuntu 16.04 ESM (Xenial Xerus) Ignored
(out of standard support)
Ubuntu 14.04 ESM (Trusty Tahr) Does not exist

Notes

AuthorNote
leosilva
xenial/esm is not affected, code affected is not present
mdeslaur
code was introduced in:
https://github.com/qt/qtbase/commit/6869d2463a2e0d71bd04dbc82f5d6ef4933dc510
While the patch fixes code that was only introduced in 6.0, the
code in 6.0 did introduce a fix that 5.0 didn't have.

References