Security Bulletin
This security bulletin contains information about 3 vulnerabilities.
EUVDB-ID: #VU27496
Risk: Medium
CVSSv3.1: 6.5 [CVSS:3.1/AV:N/AC:H/PR:N/UI:R/S:U/C:H/I:H/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-19869
CWE-ID:
CWE-119 - Memory corruption
Exploit availability: No
Description
The vulnerability allows a remote attacker to execute arbitrary code on the target system.
The vulnerability exists due to a boundary error when processing SVG images within the qsvghandler.cpp file in Qt. A remote attacker can create a specially crafted image, pass it to the application that uses the Qt library for SVG processing, trigger memory corruption and execute arbitrary code on the target system.
Successful exploitation of this vulnerability may result in complete compromise of the vulnerable system.
Mitigation
Install updates from the vendor's website.
qt5-qttools (Red Hat package): 5.11.1-9.el8
qt5-qtbase (Red Hat package): 5.11.1-7.el8
Red Hat Enterprise Linux for x86_64: 8.0
sip (Red Hat package): before 4.19.19-1.el8
qt5-qtxmlpatterns (Red Hat package): before 5.12.5-1.el8
qt5-qtx11extras (Red Hat package): before 5.12.5-1.el8
qt5-qtwebsockets (Red Hat package): before 5.12.5-1.el8
qt5-qtwebchannel (Red Hat package): before 5.12.5-1.el8
qt5-qtwayland (Red Hat package): before 5.12.5-1.el8
qt5-qttranslations (Red Hat package): before 5.12.5-1.el8
qt5-qtsvg (Red Hat package): before 5.12.5-1.el8
qt5-qtserialport (Red Hat package): before 5.12.5-1.el8
qt5-qtserialbus (Red Hat package): before 5.12.5-1.el8
qt5-qtsensors (Red Hat package): before 5.12.5-1.el8
qt5-qtscript (Red Hat package): before 5.12.5-1.el8
qt5-qtquickcontrols2 (Red Hat package): before 5.12.5-1.el8
qt5-qtquickcontrols (Red Hat package): before 5.12.5-1.el8
qt5-qtmultimedia (Red Hat package): before 5.12.5-1.el8
qt5-qtlocation (Red Hat package): before 5.12.5-1.el8
qt5-qtimageformats (Red Hat package): before 5.12.5-1.el8
qt5-qtgraphicaleffects (Red Hat package): before 5.12.5-1.el8
qt5-qtdoc (Red Hat package): before 5.12.5-1.el8
qt5-qtdeclarative (Red Hat package): before 5.12.5-1.el8
qt5-qtconnectivity (Red Hat package): before 5.12.5-1.el8
qt5-qtcanvas3d (Red Hat package): before 5.12.5-1.el8
qt5-qt3d (Red Hat package): before 5.12.5-2.el8
qt5 (Red Hat package): before 5.12.5-3.el8
qgnomeplatform (Red Hat package): before 0.4-3.el8
python-qt5 (Red Hat package): before 5.13.1-1.el8
External links
http://access.redhat.com/errata/RHSA-2020:1665
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU27497
Risk: Medium
CVSSv3.1: 5.9 [CVSS:3.1/AV:N/AC:H/PR:N/UI:N/S:C/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-19871
CWE-ID:
CWE-400 - Resource exhaustion
Exploit availability: No
Description
The vulnerability allows a remote attacker to perform a denial of service (DoS) attack.
The vulnerability exists because the application does not properly control consumption of internal resources within QTgaFile in Qt. A remote attacker can trigger resource exhaustion and perform a denial of service (DoS) attack.
Mitigation
Install updates from the vendor's website.
qt5-qttools (Red Hat package): 5.11.1-9.el8
qt5-qtbase (Red Hat package): 5.11.1-7.el8
Red Hat Enterprise Linux for x86_64: 8.0
sip (Red Hat package): before 4.19.19-1.el8
qt5-qtxmlpatterns (Red Hat package): before 5.12.5-1.el8
qt5-qtx11extras (Red Hat package): before 5.12.5-1.el8
qt5-qtwebsockets (Red Hat package): before 5.12.5-1.el8
qt5-qtwebchannel (Red Hat package): before 5.12.5-1.el8
qt5-qtwayland (Red Hat package): before 5.12.5-1.el8
qt5-qttranslations (Red Hat package): before 5.12.5-1.el8
qt5-qtsvg (Red Hat package): before 5.12.5-1.el8
qt5-qtserialport (Red Hat package): before 5.12.5-1.el8
qt5-qtserialbus (Red Hat package): before 5.12.5-1.el8
qt5-qtsensors (Red Hat package): before 5.12.5-1.el8
qt5-qtscript (Red Hat package): before 5.12.5-1.el8
qt5-qtquickcontrols2 (Red Hat package): before 5.12.5-1.el8
qt5-qtquickcontrols (Red Hat package): before 5.12.5-1.el8
qt5-qtmultimedia (Red Hat package): before 5.12.5-1.el8
qt5-qtlocation (Red Hat package): before 5.12.5-1.el8
qt5-qtimageformats (Red Hat package): before 5.12.5-1.el8
qt5-qtgraphicaleffects (Red Hat package): before 5.12.5-1.el8
qt5-qtdoc (Red Hat package): before 5.12.5-1.el8
qt5-qtdeclarative (Red Hat package): before 5.12.5-1.el8
qt5-qtconnectivity (Red Hat package): before 5.12.5-1.el8
qt5-qtcanvas3d (Red Hat package): before 5.12.5-1.el8
qt5-qt3d (Red Hat package): before 5.12.5-2.el8
qt5 (Red Hat package): before 5.12.5-3.el8
qgnomeplatform (Red Hat package): before 0.4-3.el8
python-qt5 (Red Hat package): before 5.13.1-1.el8
External links
http://access.redhat.com/errata/RHSA-2020:1665
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.
EUVDB-ID: #VU18316
Risk: Medium
CVSSv3.1: 5.7 [CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H/E:U/RL:O/RC:C]
CVE-ID: CVE-2018-19872
CWE-ID:
CWE-369 - Divide By Zero
Exploit availability: No
Description
Mitigation
Install updates from the vendor's website.
qt5-qttools (Red Hat package): 5.11.1-9.el8
qt5-qtbase (Red Hat package): 5.11.1-7.el8
Red Hat Enterprise Linux for x86_64: 8.0
sip (Red Hat package): before 4.19.19-1.el8
qt5-qtxmlpatterns (Red Hat package): before 5.12.5-1.el8
qt5-qtx11extras (Red Hat package): before 5.12.5-1.el8
qt5-qtwebsockets (Red Hat package): before 5.12.5-1.el8
qt5-qtwebchannel (Red Hat package): before 5.12.5-1.el8
qt5-qtwayland (Red Hat package): before 5.12.5-1.el8
qt5-qttranslations (Red Hat package): before 5.12.5-1.el8
qt5-qtsvg (Red Hat package): before 5.12.5-1.el8
qt5-qtserialport (Red Hat package): before 5.12.5-1.el8
qt5-qtserialbus (Red Hat package): before 5.12.5-1.el8
qt5-qtsensors (Red Hat package): before 5.12.5-1.el8
qt5-qtscript (Red Hat package): before 5.12.5-1.el8
qt5-qtquickcontrols2 (Red Hat package): before 5.12.5-1.el8
qt5-qtquickcontrols (Red Hat package): before 5.12.5-1.el8
qt5-qtmultimedia (Red Hat package): before 5.12.5-1.el8
qt5-qtlocation (Red Hat package): before 5.12.5-1.el8
qt5-qtimageformats (Red Hat package): before 5.12.5-1.el8
qt5-qtgraphicaleffects (Red Hat package): before 5.12.5-1.el8
qt5-qtdoc (Red Hat package): before 5.12.5-1.el8
qt5-qtdeclarative (Red Hat package): before 5.12.5-1.el8
qt5-qtconnectivity (Red Hat package): before 5.12.5-1.el8
qt5-qtcanvas3d (Red Hat package): before 5.12.5-1.el8
qt5-qt3d (Red Hat package): before 5.12.5-2.el8
qt5 (Red Hat package): before 5.12.5-3.el8
qgnomeplatform (Red Hat package): before 0.4-3.el8
python-qt5 (Red Hat package): before 5.13.1-1.el8
External links
http://access.redhat.com/errata/RHSA-2020:1665
Q & A
Can this vulnerability be exploited remotely?
Yes. This vulnerability can be exploited by a remote non-authenticated attacker via the Internet.
Is there known malware which exploits this vulnerability?
No. We are not aware of malware exploiting this vulnerability.