CVE-2024-36048

NameCVE-2024-36048
DescriptionQAbstractOAuth in Qt Network Authorization in Qt before 5.15.17, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.6, and 6.6.x through 6.7.x before 6.7.1 uses only the time to seed the PRNG, which may result in guessable values.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
Debian Bugs1071973, 1071974

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qt6-networkauth (PTS)bookworm6.4.2-1vulnerable
sid, trixie6.6.2-2vulnerable
qtnetworkauth-everywhere-src (PTS)buster5.11.3-2vulnerable
bullseye5.15.2-2vulnerable
bookworm5.15.8-2vulnerable
sid, trixie5.15.13-3fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qt6-networkauthsource(unstable)(unfixed)1071973
qtnetworkauth-everywhere-srcsource(unstable)5.15.13-31071974

Notes

[bookworm] - qtnetworkauth-everywhere-src <no-dsa> (Minor issue)
[bullseye] - qtnetworkauth-everywhere-src <no-dsa> (Minor issue)
[buster] - qtnetworkauth-everywhere-src <postponed> (Minor issue)
[bookworm] - qt6-networkauth <no-dsa> (Minor issue)
https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317
https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560368
Search for package or bug name: Reporting problems