SB2025070146 - Gentoo update for Qt

Description

This security bulletin contains information about 4 secuirty vulnerabilities.

1) Buffer overflow (CVE-ID: CVE-2024-25580)

The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.

The vulnerability exists due to a boundary error when reading KTX images. A remote attacker can pass a specially crafted image to the application, trigger memory corruption and perform a denial of service (DoS) attack.

2) Input validation error (CVE-ID: CVE-2024-33861)

The vulnerability allows a local user to bypass implemented security restrictions.

The vulnerability exists due to an unspecified error. A local user can bypass implemented security restrictions.

3) Time-of-check Time-of-use (TOCTOU) Race Condition (CVE-ID: CVE-2024-39936)

The vulnerability allows a remote attacker to bypass implemented security restrictions.

The vulnerability exists due to a race condition in HTTP2 support when establishing an encrypted connection. A remote attacker can potentially force the application to send data before the encrypted() signal, leading to potential information disclosure.

4) Heap-based buffer overflow (CVE-ID: CVE-2025-3512)

The vulnerability allows a remote attacker to execute arbitrary code on the target system.

The vulnerability exists due to a boundary error in QTextMarkdownImporter when processing an incorrectly formatted markdown file. A remote attacker can pass specially crafted data to the application, trigger a heap-based buffer overflow and execute arbitrary code on the target system.

Successful exploitation of this vulnerability may result in complete compromise of vulnerable system.

Remediation

Install update from vendor's website.

References

• https://security.gentoo.org/glsa/202506-06