svn commit: r383985 - head/security/vuxml

Raphael Kubo da Costa rakuco at FreeBSD.org
Tue Apr 14 08:33:05 UTC 2015 

Author: rakuco
Date: Tue Apr 14 08:33:04 2015
New Revision: 383985
URL: https://svnweb.freebsd.org/changeset/ports/383985

Log:
  Add entry for CVE-2015-1858, CVE-2015-1859 and CVE-2015-1860.
  
  Multiple vulnerabilities in Qt image format handling (the 3 CVEs are part of
  the same security advisory).

Modified:
  head/security/vuxml/vuln.xml

Modified: head/security/vuxml/vuln.xml
==============================================================================
--- head/security/vuxml/vuln.xml	Tue Apr 14 08:24:06 2015	(r383984)
+++ head/security/vuxml/vuln.xml	Tue Apr 14 08:33:04 2015	(r383985)
@@ -57,6 +57,48 @@ Notes:
 
 -->
 <vuxml xmlns="http://www.vuxml.org/apps/vuxml-1">
+  <vuln vid="5713bfda-e27d-11e4-b2ce-5453ed2e2b49">
+    <topic>qt4-imageformats, qt4-gui, qt5-gui -- Multiple Vulnerabilities in Qt Image Format Handling</topic>
+    <affects>
+      <package>
+	<name>qt4-imageformats</name>
+	<range><lt>4.8.6_3</lt></range>
+      </package>
+      <package>
+	<name>qt4-gui</name>
+	<range><lt>4.8.6_5</lt></range>
+      </package>
+      <package>
+	<name>qt5-gui</name>
+	<range><lt>5.4.1_1</lt></range>
+      </package>
+    </affects>
+    <description>
+      <body xmlns="http://www.w3.org/1999/xhtml">
+	<p>Richard J. Moore reports:</p>
+	<blockquote cite="http://lists.qt-project.org/pipermail/announce/2015-April/000067.html">
+	  <p>Due to two recent vulnerabilities identified in the built-in image
+	  format handling code, it was decided that this area required further
+	  testing to determine if further issues remained. Fuzzing using
+	  afl-fuzz located a number of issues in the handling of BMP, ICO and
+	  GIF files. The issues exposed included denial of service and buffer
+	  overflows leading to heap corruption. It is possible the latter could
+	  be used to perform remote code execution.</p>
+	</blockquote>
+      </body>
+    </description>
+    <references>
+      <mlist>http://lists.qt-project.org/pipermail/announce/2015-April/000067.html</mlist>
+      <cvename>CVE-2015-1858</cvename>
+      <cvename>CVE-2015-1859</cvename>
+      <cvename>CVE-2015-1860</cvename>
+    </references>
+    <dates>
+      <discovery>2015-04-12</discovery>
+      <entry>2015-04-14</entry>
+    </dates>
+  </vuln>
+
   <vuln vid="d4379f59-3e9b-49eb-933b-61de4d0b0fdb">
     <topic>Ruby -- OpenSSL Hostname Verification Vulnerability</topic>
     <affects>

More information about the svn-ports-head mailing list