Control: tags -1 - fixed-upstream
Control: reassign -1 qt5-image-formats-plugins
Control: retitle -1 buffer overflow in the mng plugin for Qt (CVE-2020-23884)

The upstream fix in Nomacs was for MS Windows only: "I removed the
qmng.dll plugin from Windows version. MNG files will not work by
default in nomacs on Windows." because the MS Windows version of
Nomacs was providing this plugin. And this is not a Nomacs bug
for Debian (see below).

On 2023-06-06 22:27:01 +0930, and...@lists.savchenko.net wrote:
> I think this should be filed against
> https://tracker.debian.org/pkg/qtimageformats-opensource-src
>
> Explanation:
> https://github.com/nomacs/nomacs/issues/516#issuecomment-1578313635

If I understand correctly, the buffer overflow was in the qmng.dll
plugin for Windows (which Nomacs for MS Windows was including).
And the explanation says "the problem affects other Qt-based viewers
too" if Debian's libqmng.so is buggy too.

This plugin comes from the qt5-image-formats-plugins package, so
I'm reassigning the bug, assuming that the bug was in common Qt
code for both Windows and Linux. If the bug was in Windows-only
code, it can be closed.

BTW, I don't understand
https://github.com/nomacs/nomacs/issues/516#issuecomment-667859911
which says "Qt does not support it anymore" about mng. The given
link is
https://doc.qt.io/qt-5/qtimageformats-index.html
where I can see:

  MNG / Multiple-image Network Graphics / Read / Yes (Not bundled)

So it is claimed to be supported (for reading), as long as a
3rd party codec is provided, which is the case in Debian:

cventin:~> ldd /usr/lib/x86_64-linux-gnu/qt5/plugins/imageformats/libqmng.so
[...]
        libmng.so.1 => /lib/x86_64-linux-gnu/libmng.so.1 (0x00007fc3c3600000)
[...]

provided by the libmng1 package.

--
Vincent Lefèvre <vinc...@vinc17.net> - Web: <https://www.vinc17.net/>
100% accessible validated (X)HTML - Blog: <https://www.vinc17.net/blog/>
Work: CR INRIA - computer arithmetic / AriC project (LIP, ENS-Lyon)