*** This bug is a security vulnerability ***

Public security bug reported:

[Vulnerability Information]

CVE-2025-3512

There is a Heap-based Buffer Overflow vulnerability in QTextMarkdownImporter. This requires an incorrectly formatted markdown file to be passed to QTextMarkdownImporter to trigger the overflow.

This issue affects Qt from 6.8.0 to 6.8.4. Versions up to 6.6.0 are known to be unaffected, and the fix is in 6.8.4 and later. Plucky will ship with 6.8.3, and Oracular has 6.6.2. Our current main focus is to get this in prior to the release of Plucky.

[Exploit Impact]

This impacts any program using QTextMarkdownImporter. While nothing in the archive besides Qt itself seems to use QTextMarkdownImporter, QTextDocumentWriter *does* have usage in the archive, according to codesearch.debian.org.

Reference: https://sources.debian.org/src/qt6-base/6.8.2+dfsg-5/src/gui/text/qtextdocumentwriter.cpp/?hl=234#L234

Rough, potential list of impacted packages (this also includes Qt 5, so the list should be pruned, but this should at least give you a rough idea):

python-anyqt
openorienteering-mapper
skrooge
qtmultimedia-opensource-src
pyqt6
qtwebengine-opensource-src
qgis
grantlee5
parley
kreport
klayout
qtquickcontrols2-opensource-src
iwyu
qtbase-opensource-src
libqtpas
picard
qt6-webengine
qtbase-opensource-src-gles
calligra
lazarus
plume-creator
okular
algobox
retext
pyside2
pyside6
chessx
qtx11extras-opensource-src
pyqt5
deepin-log-viewer
qt6-svg
qtdeclarative-opensource-src-gles
qtsvg-opensource-src
libmlocale
qtdeclarative-opensource-src
kdevelop-python
klatexformula
feathernotes
calibre
qttools-opensource-src
qt6-tools
geshi
eric
marknote
qt6-base
qt6-declarative
kstars
featherpad
kmail
qtrvsim

[Commit Message]

From eced22d7250fc7ba4dbafa1694bf149c2259d9ea Mon Sep 17 00:00:00 2001
From: Shawn Rutledge <shawn.rutle...@qt.io>
Date: Thu, 27 Mar 2025 15:17:21 +0100
Subject: [PATCH] QTextMarkdownImporter: Fix heap-buffer-overflow

After finding the end marker `---`, the code expected more characters beyond: typically at least a trailing newline. But QStringView::sliced() crashes if asked for a substring that starts at or beyond the end.

Now it's restructured into a separate splitFrontMatter() function, and we're stricter, tolerating only `---\n` or `---\r\n` as marker lines. So the code is easier to prove correct, and we don't need to check characters between the end of the marker and the end of the line (to allow inadvertent whitespace, for example). If the markers are not valid, the Markdown parser will see them as thematic breaks, as it would have done if we were not extracting the Front Matter beforehand.

Amends e10c9b5c0f8f194a79ce12dcf9b6b5cb19976942 and bffddc6a993c4b6b64922e8d327bdf32e0d4975a

Credit to OSS-Fuzz which found this as issue 42533775.

[ChangeLog][QtGui][Text] Fixed a heap buffer overflow in QTextMarkdownImporter. The first marker for Front Matter must begin at the first character of a Markdown document, and both markers must be exactly ---\n or ---\r\n.

Done-with: Marc Mutz <marc.m...@qt.io>
Fixes: QTBUG-135284
Pick-to: 6.9 6.8
Change-Id: I66412d21ecc0c4eabde443d70865ed2abad86d89
Reviewed-by: Marc Mutz <marc.m...@qt.io>
(cherry picked from commit 25986746947798e1a22d0830d3bcb11a55fcd3ae)
Reviewed-by: Qt Cherry-pick Bot <cherrypick_...@qt-project.org>
---
 src/gui/text/qtextmarkdownimporter.cpp        | 63 ++++++++++++++-----
 .../data/front-marker-malformed1.md           |  3 +
 .../data/front-marker-malformed2.md           |  5 ++
 .../data/front-marker-malformed3.md           |  4 ++
 .../data/oss-fuzz-42533775.md                 |  1 +
 .../qtextmarkdownimporter/data/yaml-crlf.md   | 10 +++
 .../tst_qtextmarkdownimporter.cpp             | 15 ++++-
 7 files changed, 84 insertions(+), 17 deletions(-)
 create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed1.md
 create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed2.md
 create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/front-marker-malformed3.md
 create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/oss-fuzz-42533775.md
 create mode 100644 tests/auto/gui/text/qtextmarkdownimporter/data/yaml-crlf.md

[Proof of Concept, Testing Plan, and Regression Potential]

Aaron Rainbolt (~arraybolt3) prepared a Proof of Concept to test this. I have attached both the screenshots and the proof of concept tarball. This is a small, standard CMake-based Qt 6 application. It needs to be run on a system with a GUI. You are encouraged to read the Proof of Concept before running it.

This is also the basic testing plan, besides generally ensuring Qt-based Markdown functionality works as intended. We will be thoroughly testing this as part of the Plucky release candidate testing this upcoming week, and other distributions with Qt 6.8 have also been adopting this patch. Tests have also been added as a part of this patch, to ensure functionality does not regress.

Lastly, two Ubuntu Developers, Simon Quigley and Aaron Rainbolt, have tested the Proof of Concept, and can verify basic functionality works. A review from the Ubuntu Security Team, both on the fix itself and the documentation provided here, would be excellent.

[Additional Information]

Upstream code review: https://codereview.qt-project.org/c/qt/qtbase/+/635546
Upstream commit: https://codereview.qt-project.org/gitweb?p=qt/qtbase.git;a=patch;h=eced22d7250fc7ba4dbafa1694bf149c2259d9ea
Debian bug: https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1103022
Debian security tracker: https://security-tracker.debian.org/tracker/CVE-2025-3512
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-3512

** Affects: qt6-base (Ubuntu)
     Importance: Critical
     Assignee: Simon Quigley (tsimonq2)
         Status: In Progress

** Attachment added: "Proof of Concept, authored by Aaron Rainbolt (BSD0-licensed)"
   https://bugs.launchpad.net/bugs/2107302/+attachment/5871609/+files/mdpoc.tar.gz
https://bugs.launchpad.net/bugs/2107302

Title:
  CVE-2025-3512: Heap-based Buffer Overflow vulnerability in QTextMarkdownImporter
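The commit message above states the hardened rule: the start marker must begin at the first character of the document, both marker lines must be exactly `---\n` or `---\r\n`, and no substring may be taken starting at or beyond the end of the input. What follows is an added example written for this page, not Qt's splitFrontMatter() and not code from the patch: a stand-alone C++17 re-implementation of that rule over std::string_view, where every substr() call is shown to be in range before it is made. The names FrontMatterSplit, markerLengthAt and splitFrontMatter are assumptions chosen here, and the sample documents are constructed for illustration (they are not the OSS-Fuzz reproducer).

```cpp
#include <cstddef>
#include <iostream>
#include <optional>
#include <string>
#include <string_view>

// Result of splitting a Markdown document into its YAML Front Matter and body.
// (Hypothetical type for this example; not a Qt type.)
struct FrontMatterSplit {
    std::string_view frontMatter; // text between the two marker lines (may be empty)
    std::string_view body;        // everything after the end marker line (may be empty)
};

// A marker line is accepted only as exactly "---\n" or "---\r\n".
// Returns the marker length (4 or 5) if one starts at `pos`, otherwise 0.
// std::string_view::substr throws std::out_of_range for pos > size(), which is
// the same class of mistake as slicing past the end; the guard keeps pos <= size().
static std::size_t markerLengthAt(std::string_view doc, std::size_t pos) {
    if (pos > doc.size())
        return 0;
    std::string_view rest = doc.substr(pos); // pos <= size(): never throws
    if (rest.substr(0, 4) == std::string_view("---\n"))
        return 4;
    if (rest.substr(0, 5) == std::string_view("---\r\n"))
        return 5;
    return 0;
}

// Splits off Front Matter, or returns nullopt when the document has none under
// the strict rules (start marker at the very first character, end marker an
// exact marker line). In the nullopt case a Markdown parser would treat any
// bare "---" as a thematic break instead, as the commit message describes.
std::optional<FrontMatterSplit> splitFrontMatter(std::string_view doc) {
    const std::size_t startLen = markerLengthAt(doc, 0);
    if (startLen == 0)
        return std::nullopt; // no start marker at the first character

    std::size_t lineStart = startLen; // first line of the YAML block
    while (lineStart <= doc.size()) {
        const std::size_t endLen = markerLengthAt(doc, lineStart);
        if (endLen != 0) {
            // Both slices are in range: lineStart <= size(), and because the
            // marker matched in full, lineStart + endLen <= size(). A document
            // that ends right after "---\n" therefore yields an empty body
            // instead of an out-of-bounds slice.
            return FrontMatterSplit{doc.substr(startLen, lineStart - startLen),
                                    doc.substr(lineStart + endLen)};
        }
        const std::size_t nl = doc.find('\n', lineStart);
        if (nl == std::string_view::npos)
            return std::nullopt; // input ended before a valid end marker
        lineStart = nl + 1;      // nl < size(), so lineStart <= size()
    }
    return std::nullopt;
}

int main() {
    // Constructed sample documents for illustration (not the OSS-Fuzz input).
    const char *samples[] = {
        "---\ntitle: x\n---\nbody\n",   // well-formed, LF
        "---\r\ntitle: x\r\n---\r\n",   // well-formed, CRLF, nothing after the end marker
        "---\ntitle: x\n---",           // bare "---" at end of input: not a marker line
        "--- \ntitle: x\n---\n",        // trailing space on the start marker: rejected
        "\n---\ntitle: x\n---\n",       // start marker not at the first character: rejected
    };
    for (std::string_view s : samples) {
        if (auto r = splitFrontMatter(s))
            std::cout << "front matter: [" << r->frontMatter << "] body: [" << r->body << "]\n";
        else
            std::cout << "no front matter (markers left for the Markdown parser)\n";
    }
    return 0;
}
```

The invariant worth keeping when reading the real patch is the one noted at the return: an end marker is only recognised when its full newline-terminated form fits inside the input, so the slice that follows it can never start past the end. A `---` with nothing after it, which is the shape the original code mishandled, simply fails to match and is handed back to the Markdown parser as ordinary content.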