CVE-2021-3481

NameCVE-2021-3481
DescriptionA flaw was found in Qt. An out-of-bounds read vulnerability was found in QRadialFetchSimd in qt/qtbase/src/gui/painting/qdrawhelper_p.h in Qt/Qtbase. While rendering and displaying a crafted Scalable Vector Graphics (SVG) file this flaw may lead to an unauthorized memory access. The highest threat from this vulnerability is to data confidentiality and the application availability.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, bugtraq, EDB, Metasploit, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, Mageia, GitHub advisories/code/issues, web search, more)
ReferencesDLA-2885-1, DLA-2895-1
Debian Bugs986798

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qt4-x11 (PTS)buster4:4.8.7+dfsg-18+deb10u1vulnerable
qtsvg-opensource-src (PTS)buster5.11.3-2vulnerable
bullseye5.15.2-3fixed
bookworm, sid5.15.6-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qt4-x11sourcestretch4:4.8.7+dfsg-11+deb9u3DLA-2895-1
qt4-x11source(unstable)(unfixed)
qtsvg-opensource-srcsourcestretch5.7.1~20161021-2.1+deb9u1DLA-2885-1
qtsvg-opensource-srcsource(unstable)5.15.2-3986798

Notes

[buster] - qtsvg-opensource-src <no-dsa> (Minor issue)
[buster] - qt4-x11 <no-dsa> (Minor issue)
https://bugzilla.redhat.com/show_bug.cgi?id=1931444
https://bugreports.qt.io/browse/QTBUG-91507
https://codereview.qt-project.org/gitweb?p=qt%2Fqtsvg.git;a=commit;h=bfd6ee0d8cf34b63d32adf10ed93daa0086b359f (qt/qtsvg/dev)
https://codereview.qt-project.org/gitweb?p=qt%2Fqtsvg.git;a=commit;h=0fa522904d65b73d48d5fadf690131e9ebb58d2a (qt/qtsvg/6.0)
https://codereview.qt-project.org/gitweb?p=qt%2Fqtsvg.git;a=commit;h=9f7ccbfc68d20d0dc2ddc1e7dee5572dcf7dcd48 (qt/qtsvg/6.1)
https://bugs.chromium.org/p/oss-fuzz/issues/detail?id=31668
https://codereview.qt-project.org/c/qt/qtsvg/+/337587

Search for package or bug name: Reporting problems