CVE-2024-36048

NameCVE-2024-36048
DescriptionQAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1071973, 1071974

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qt6-networkauth (PTS)bookworm6.4.2-1vulnerable
sid, trixie6.7.2-2fixed
qtnetworkauth-everywhere-src (PTS)bullseye5.15.2-2vulnerable
bookworm5.15.8-2vulnerable
sid, trixie5.15.15-2fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qt6-networkauthsource(unstable)6.7.2-21071973
qtnetworkauth-everywhere-srcsource(unstable)5.15.13-31071974

Notes

[bookworm] - qtnetworkauth-everywhere-src <ignored> (Minor issue)
[bullseye] - qtnetworkauth-everywhere-src <no-dsa> (Minor issue)
[buster] - qtnetworkauth-everywhere-src <postponed> (Minor issue)
[bookworm] - qt6-networkauth <ignored> (Minor issue)
https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317 (security fix)
https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368 (followup/finetuning)
Search for package or bug name: Reporting problems