<?xml version="1.0" encoding="utf-8"?>
<glsa id="200708-16">
<title>Qt: Multiple format string vulnerabilities</title>
Format string vulnerabilities in Qt 3 may lead to the remote execution of
arbitrary code in some Qt applications.
<product type="ebuild">qt</product>
<announced>August 22, 2007</announced>
<revised>August 22, 2007: 01</revised>
<access>remote, local</access>
<package name="x11-libs/qt" auto="yes" arch="*">
<unaffected range="ge">3.3.8-r3</unaffected>
<vulnerable range="lt">3.3.8-r3</vulnerable>
</package>
Qt is a cross-platform GUI framework, which is used e.g. by KDE.
Tim Brown of Portcullis Computer Security Ltd and Dirk Mueller of KDE
reported multiple format string errors in qWarning() calls in files
qtextedit.cpp, qdatatable.cpp, qsqldatabase.cpp, qsqlindex.cpp,
qsqlrecord.cpp, qglobal.cpp, and qsvgdevice.cpp.
<impact type="normal">
An attacker could trigger one of the vulnerabilities by causing a Qt
application to parse specially crafted text, which may lead to the
execution of arbitrary code.
</impact>
There is no known workaround at this time.
All Qt 3 users should upgrade to the latest version:
<code>
# emerge --sync
# emerge --ask --oneshot --verbose &quot;=x11-libs/qt-3*&quot;</code>
<uri link="">CVE-2007-3388</uri>
<metadata tag="requester" timestamp="Wed, 15 Aug 2007 17:25:28 +0000">
<metadata tag="bugReady" timestamp="Wed, 15 Aug 2007 17:25:45 +0000">
<metadata tag="submitter" timestamp="Sun, 19 Aug 2007 22:38:33 +0000">