Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.

The remote Oracle Linux 5 host has packages installed that are affected by multiple vulnerabilities as referenced in the ELSA-2007-0883 advisory.

    [3.3.6-23]
     - Resolves: #277011, Qt UTF8 improper character expansion, CVE-2007-0242
     - Resolves: #269141, Qt off by one buffer overflow, CVE-2007-413

Tenable has extracted the preceding description block directly from the Oracle Linux security advisory.

Note that Nessus has not tested for these issues but has instead relied only on the application's self-reported version number.

A flaw was found in the way Qt expanded certain UTF8 characters. It was possible to prevent a Qt-based application from properly sanitizing user supplied input. This could, for example, result in a cross-site scripting attack against the Konqueror web browser.
(CVE-2007-0242)

A buffer overflow flaw was found in the way Qt expanded malformed Unicode strings. If an application linked against Qt parsed a malicious Unicode string, it could lead to a denial of service or possibly allow the execution of arbitrary code. (CVE-2007-4137)

An off-by-one error in the QUtf8Decoder::toUnicode() method has been found which may allow a denial of service attack with specially crafted UTF-8 character sequences that trigger a buffer overflow.
(CVE-2007-4137)

This update fixes a buffer overflow in qt3 while handling UTF8 characters. (CVE-2007-4137)

Several local/remote vulnerabilities have been discovered in the Qt GUI library. The Common Vulnerabilities and Exposures project identifies the following problems :

  - CVE-2007-3388     Tim Brown and Dirk Muller discovered several format     string vulnerabilities in the handling of error     messages, which might lead to the execution of arbitrary     code.

  - CVE-2007-4137     Dirk Muller discovered an off-by-one buffer overflow in     the Unicode handling, which might lead to the execution     of arbitrary code.

Dirk Mueller discovered that UTF8 strings could be made to cause a small buffer overflow. A remote attacker could exploit this by sending specially crafted strings to applications that use the Qt3 library for UTF8 processing, potentially leading to arbitrary code execution with user privileges, or a denial of service.

Note that Tenable Network Security has extracted the preceding description block directly from the Ubuntu security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

- Mon Sep 17 2007 Than Ngo <than at redhat.com> -     1:3.3.8-7

    - bz292941, CVE-2007-4137

    - Wed Aug 29 2007 Than Ngo <than at redhat.com> -       1:3.3.8-6.fc7.1

    - cleanup security patch

    - Tue Aug 28 2007 Than Ngo <than at redhat.com> -       1:3.3.8-6.fc7

    - CVE-2007-3388 qt3 format string flaw

    - Thu Jun 14 2007 Than Ngo <than at redhat.com> -       1:3.3.8-5.fc7.1

    - backport to fix #bz243722, bz#244148, Applications       using qt-mysql crash if database is removed before       QApplication is destroyed

  - Mon Apr 23 2007 Than Ngo <than at redhat.com> -     1:3.3.8-5.fc7

    - apply patch to fix fontrendering problem in gu_IN       #228451,#228452

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

The remote host is affected by the vulnerability described in GLSA-200710-28 (Qt: Buffer overflow)

    Dirk Mueller from the KDE development team discovered a boundary error     in file qutfcodec.cpp when processing Unicode strings.
  Impact :

    A remote attacker could send a specially crafted Unicode string to a     vulnerable Qt application, possibly resulting in the remote execution     of arbitrary code with the privileges of the user running the     application. Note that the boundary error is present but reported to be     not exploitable in 4.x series.
  Workaround :

    There is no known workaround at this time.

- Mon Sep 17 2007 Than Ngo <than at redhat.com> -     1:3.3.8-2.fc6

    - bz292951, CVE-2007-4137

    - Wed Aug 29 2007 Than Ngo <than at redhat.com> -       1:3.3.8-1.fc6.1

    - CVE-2007-3388 qt format string flaw

    - bz#234635, CVE-2007-0242 qt UTF8 improper character       expansion

Note that Tenable Network Security has extracted the preceding description block directly from the Fedora security advisory. Tenable has attempted to automatically clean and format it as much as possible without introducing additional issues.

Updated qt packages that correct two security flaws are now available.

This update has been rated as having important security impact by the Red Hat Security Response Team.

Qt is a software toolkit that simplifies the task of writing and maintaining GUI (Graphical User Interface) applications for the X Window System.

A flaw was found in the way Qt expanded certain UTF8 characters. It was possible to prevent a Qt-based application from properly sanitizing user-supplied input. This could, for example, result in a cross-site scripting attack against the Konqueror web browser.
(CVE-2007-0242)

A buffer overflow flaw was found in the way Qt expanded malformed Unicode strings. If an application linked against Qt parsed a malicious Unicode string, it could lead to a denial of service or possibly allow the execution of arbitrary code. (CVE-2007-4137)

Users of Qt should upgrade to these updated packages, which contain a backported patch to correct these issues.

A buffer overflow was found in how Qt expanded malformed Unicode strings. If an application linked against Qt parsed a malicious Unicode string, it could lead to a denial of service or potentially allow for the execution of arbitrary code.

Updated packages have been patched to prevent this issue. Although the problem is not exploitable in Qt4, patched packages have been issued regardless.

ID	Name	Product	Family	Severity
67568	Oracle Linux 5 : Important: / qt (ELSA-2007-0883)	Nessus	Oracle Linux Local Security Checks	medium
60250	Scientific Linux Security Update : qt on SL5.x, SL4.x, SL3.x i386/x86_64	Nessus	Scientific Linux Local Security Checks	high
41152	SuSE9 Security Update : qt3 (YOU Patch Number 11795)	Nessus	SuSE Local Security Checks	high
29566	SuSE 10 Security Update : qt3 (ZYPP Patch Number 4420)	Nessus	SuSE Local Security Checks	high
29261	Debian DSA-1426-1 : qt-x11-free - several vulnerabilities	Nessus	Debian Local Security Checks	high
28118	Ubuntu 6.06 LTS / 6.10 / 7.04 : qt-x11-free vulnerability (USN-513-1)	Nessus	Ubuntu Local Security Checks	high
27760	Fedora 7 : qt-3.3.8-7.fc7 (2007-2216)	Nessus	Fedora Local Security Checks	high
27579	GLSA-200710-28 : Qt: Buffer overflow	Nessus	Gentoo Local Security Checks	high
27415	openSUSE 10 Security Update : qt3 (qt3-4421)	Nessus	SuSE Local Security Checks	high
26083	Fedora Core 6 : qt-3.3.8-2.fc6 (2007-703)	Nessus	Fedora Local Security Checks	high
26051	RHEL 2.1 / 3 / 4 / 5 : qt (RHSA-2007:0883)	Nessus	Red Hat Local Security Checks	high
26049	Mandrake Linux Security Advisory : qt (MDKSA-2007:183)	Nessus	Mandriva Local Security Checks	high
26028	CentOS 3 / 4 / 5 : qt (CESA-2007:0883)	Nessus	CentOS Local Security Checks	high

Detections

Analytics

CVE-2007-4137

high

Tenable Plugins

medium

high

high

high

high

high

high

high

high

high

high

high

high