RedHat: RHSA-2021-2328:01 Important: qt5-qtimageformats security up...
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA256

=====================================================================
                   Red Hat Security Advisory

Synopsis:          Important: qt5-qtimageformats security update
Advisory ID:       RHSA-2021:2328-01
Product:           Red Hat Enterprise Linux
Advisory URL:      https://access.redhat.com/errata/RHSA-2021:2328
Issue date:        2021-06-08
Cross references:  1961742 1961743 1961744 1961745
CVE Names:         CVE-2018-25011 CVE-2018-25014 CVE-2020-36328 
                   CVE-2020-36329 
=====================================================================

1. Summary:

An update for qt5-qtimageformats is now available for Red Hat Enterprise
Linux 7.

Red Hat Product Security has rated this update as having a security impact
of Important. A Common Vulnerability Scoring System (CVSS) base score,
which gives a detailed severity rating, is available for each vulnerability
from the CVE link(s) in the References section.

2. Relevant releases/architectures:

Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64
Red Hat Enterprise Linux Server Optional (v. 7) - noarch
Red Hat Enterprise Linux Workstation (v. 7) - x86_64
Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

3. Description:

The Qt Image Formats in an add-on module for the core Qt Gui library that
provides support for additional image formats including MNG, TGA, TIFF,
WBMP, and WebP.

Security Fix(es):

* libwebp: heap-based buffer overflow in PutLE16() (CVE-2018-25011)

* libwebp: use of uninitialized value in ReadSymbol() (CVE-2018-25014)

* libwebp: heap-based buffer overflow in WebPDecode*Into functions
(CVE-2020-36328)

* libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c
(CVE-2020-36329)

For more details about the security issue(s), including the impact, a CVSS
score, acknowledgments, and other related information, refer to the CVE
page(s) listed in the References section.

4. Solution:

For details on how to apply this update, which includes the changes
described in this advisory, refer to:

https://access.redhat.com/articles/11258

5. Bugs fixed (https://bugzilla.redhat.com/):

1956829 - CVE-2020-36328 libwebp: heap-based buffer overflow in WebPDecode*Into functions
1956843 - CVE-2020-36329 libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c
1956919 - CVE-2018-25011 libwebp: heap-based buffer overflow in PutLE16()
1956927 - CVE-2018-25014 libwebp: use of uninitialized value in ReadSymbol()

6. Package List:

Red Hat Enterprise Linux Server (v. 7):

Source:
qt5-qtimageformats-5.9.7-2.el7_9.src.rpm

ppc64:
qt5-qtimageformats-5.9.7-2.el7_9.ppc.rpm
qt5-qtimageformats-5.9.7-2.el7_9.ppc64.rpm
qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.ppc.rpm
qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.ppc64.rpm

ppc64le:
qt5-qtimageformats-5.9.7-2.el7_9.ppc64le.rpm
qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.ppc64le.rpm

s390x:
qt5-qtimageformats-5.9.7-2.el7_9.s390.rpm
qt5-qtimageformats-5.9.7-2.el7_9.s390x.rpm
qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.s390.rpm
qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.s390x.rpm

x86_64:
qt5-qtimageformats-5.9.7-2.el7_9.i686.rpm
qt5-qtimageformats-5.9.7-2.el7_9.x86_64.rpm
qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.i686.rpm
qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Server Optional (v. 7):

noarch:
qt5-qtimageformats-doc-5.9.7-2.el7_9.noarch.rpm

Red Hat Enterprise Linux Workstation (v. 7):

Source:
qt5-qtimageformats-5.9.7-2.el7_9.src.rpm

x86_64:
qt5-qtimageformats-5.9.7-2.el7_9.i686.rpm
qt5-qtimageformats-5.9.7-2.el7_9.x86_64.rpm
qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.i686.rpm
qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.x86_64.rpm

Red Hat Enterprise Linux Workstation Optional (v. 7):

noarch:
qt5-qtimageformats-doc-5.9.7-2.el7_9.noarch.rpm

These packages are GPG signed by Red Hat for security.  Our key and
details on how to verify the signature are available from
https://access.redhat.com/security/team/key/

7. References:

https://access.redhat.com/security/cve/CVE-2018-25011
https://access.redhat.com/security/cve/CVE-2018-25014
https://access.redhat.com/security/cve/CVE-2020-36328
https://access.redhat.com/security/cve/CVE-2020-36329
https://access.redhat.com/security/updates/classification/#important

8. Contact:

The Red Hat security contact is . More contact
details at https://access.redhat.com/security/team/contact/

Copyright 2021 Red Hat, Inc.
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1

iQIVAwUBYL/yfNzjgjWX9erEAQiqXw/9HBTADT69X6MtPfJT3nEMponvcebRj7DY
6BpTyvPkqDlW/3t/cW3IZ4zw7CXxvpcUTX0KGc5cRSuGcyFr6gWModlpMhhLQsyH
SLqyoR7wNr8pAFWNx4qQWSQbUtAQBiiSv2+4qlge/Sgg/JepzGF8458RcoVuWvRm
8lbwSwIgkck+0+6DW9zzRygkrTJSZXClZQevBRpdfyxMXFDpflfHTSoK/0HzcP+H
gEPsnKwPmdRssROQUczbyjr3WwTQivMTrlh6ippGjbDwrg/dJ1z3LfgD/i+3/pM2
1t3B97bIqLoXkPqBEoxZ6Lenw+re9LffsnGcwF1xfn0NjuxS/lT8MXHQAvLt8/lh
cBfCSgfwtv08hWK7Xme4kU/fG0e30ae+VqnI8cjAH1/yA4gNj2ZrVn8O/T9XKewJ
NWSP97Yk9TdApHrWLbzcyXzXfx+KH473fbVvCXogSYKEu5yoMLK8yfNieU8Dc0qZ
l0oVEiC9Z0BJI+xTGfEb1EfBiBmxqGUyk6Na3VaiOkhoJoI1MTcux5YYHA4GBmzl
9m6cqpNeZ+didTUNiXOgVo9ksAhpQk22AbZswNYVxy9pCiaRXt2Ah4I5OXijYiLu
zkqrEU1ZwLr8EbBSRzFU2UBp+Wf/Vbp8t3pltYPJqc3vAFgvI2dA2luS0f+jIi4V
xUr9Mv4P1kM=
=o8wl
-----END PGP SIGNATURE-----

--
RHSA-announce mailing list
[email protected]
https://listman.redhat.com/mailman/listinfo/rhsa-announce

RedHat: RHSA-2021-2328:01 Important: qt5-qtimageformats security update

An update for qt5-qtimageformats is now available for Red Hat Enterprise Linux 7

Summary

The Qt Image Formats in an add-on module for the core Qt Gui library that provides support for additional image formats including MNG, TGA, TIFF, WBMP, and WebP.
Security Fix(es):
* libwebp: heap-based buffer overflow in PutLE16() (CVE-2018-25011)
* libwebp: use of uninitialized value in ReadSymbol() (CVE-2018-25014)
* libwebp: heap-based buffer overflow in WebPDecode*Into functions (CVE-2020-36328)
* libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c (CVE-2020-36329)
For more details about the security issue(s), including the impact, a CVSS score, acknowledgments, and other related information, refer to the CVE page(s) listed in the References section.

Solution

For details on how to apply this update, which includes the changesdescribed in this advisory, refer to:https://access.redhat.com/articles/11258

References

https://access.redhat.com/security/cve/CVE-2018-25011 https://access.redhat.com/security/cve/CVE-2018-25014 https://access.redhat.com/security/cve/CVE-2020-36328 https://access.redhat.com/security/cve/CVE-2020-36329 https://access.redhat.com/security/updates/classification/#important

Package List

Red Hat Enterprise Linux Server (v. 7):
Source: qt5-qtimageformats-5.9.7-2.el7_9.src.rpm
ppc64: qt5-qtimageformats-5.9.7-2.el7_9.ppc.rpm qt5-qtimageformats-5.9.7-2.el7_9.ppc64.rpm qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.ppc.rpm qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.ppc64.rpm
ppc64le: qt5-qtimageformats-5.9.7-2.el7_9.ppc64le.rpm qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.ppc64le.rpm
s390x: qt5-qtimageformats-5.9.7-2.el7_9.s390.rpm qt5-qtimageformats-5.9.7-2.el7_9.s390x.rpm qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.s390.rpm qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.s390x.rpm
x86_64: qt5-qtimageformats-5.9.7-2.el7_9.i686.rpm qt5-qtimageformats-5.9.7-2.el7_9.x86_64.rpm qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.i686.rpm qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.x86_64.rpm
Red Hat Enterprise Linux Server Optional (v. 7):
noarch: qt5-qtimageformats-doc-5.9.7-2.el7_9.noarch.rpm
Red Hat Enterprise Linux Workstation (v. 7):
Source: qt5-qtimageformats-5.9.7-2.el7_9.src.rpm
x86_64: qt5-qtimageformats-5.9.7-2.el7_9.i686.rpm qt5-qtimageformats-5.9.7-2.el7_9.x86_64.rpm qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.i686.rpm qt5-qtimageformats-debuginfo-5.9.7-2.el7_9.x86_64.rpm
Red Hat Enterprise Linux Workstation Optional (v. 7):
noarch: qt5-qtimageformats-doc-5.9.7-2.el7_9.noarch.rpm
These packages are GPG signed by Red Hat for security. Our key and details on how to verify the signature are available from https://access.redhat.com/security/team/key/

Severity
Advisory ID: RHSA-2021:2328-01
Product: Red Hat Enterprise Linux
Advisory URL: https://access.redhat.com/errata/RHSA-2021:2328
Issued Date: : 2021-06-08
Cross references: 1961742 1961743 1961744 1961745
CVE Names: CVE-2018-25011 CVE-2018-25014 CVE-2020-36328 CVE-2020-36329

Topic

An update for qt5-qtimageformats is now available for Red Hat EnterpriseLinux 7.Red Hat Product Security has rated this update as having a security impactof Important. A Common Vulnerability Scoring System (CVSS) base score,which gives a detailed severity rating, is available for each vulnerabilityfrom the CVE link(s) in the References section.

Relevant Releases Architectures

Red Hat Enterprise Linux Server (v. 7) - ppc64, ppc64le, s390x, x86_64

Red Hat Enterprise Linux Server Optional (v. 7) - noarch

Red Hat Enterprise Linux Workstation (v. 7) - x86_64

Red Hat Enterprise Linux Workstation Optional (v. 7) - noarch

Bugs Fixed

1956829 - CVE-2020-36328 libwebp: heap-based buffer overflow in WebPDecode*Into functions

1956843 - CVE-2020-36329 libwebp: use-after-free in EmitFancyRGB() in dec/io_dec.c

1956919 - CVE-2018-25011 libwebp: heap-based buffer overflow in PutLE16()

1956927 - CVE-2018-25014 libwebp: use of uninitialized value in ReadSymbol()

We use cookies to provide and improve our services. By using our site, you consent to our Cookie Policy.