FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

qt4-imageformats, qt4-gui, qt5-gui -- Multiple Vulnerabilities in Qt Image Format Handling

Affected packages
qt4-imageformats < 4.8.6_3
qt4-gui < 4.8.6_5
qt5-gui < 5.4.1_1

Details

VuXML ID 5713bfda-e27d-11e4-b2ce-5453ed2e2b49
Discovery 2015-04-12
Entry 2015-04-14

Richard J. Moore reports:

Due to two recent vulnerabilities identified in the built-in image format handling code, it was decided that this area required further testing to determine if further issues remained. Fuzzing using afl-fuzz located a number of issues in the handling of BMP, ICO and GIF files. The issues exposed included denial of service and buffer overflows leading to heap corruption. It is possible the latter could be used to perform remote code execution.

References

CVE Name CVE-2015-1858
CVE Name CVE-2015-1859
CVE Name CVE-2015-1860
Message http://lists.qt-project.org/pipermail/announce/2015-April/000067.html