The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a vigilance database and tools to fix them.

Vulnerability of Qt: denial of service via BMP

Synthesis of the vulnerability 

An attacker can invite the user of a Qt application to use a malicious BMP image, in order to trigger a denial of service.
Vulnerable products: Fedora, openSUSE, Slackware, Ubuntu, Unix (platform) (list not comprehensive).
Severity of this weakness: 2/4.
Creation date: 24/03/2015.
References of this bulletin: CVE-2015-0295, FEDORA-2015-2886, FEDORA-2015-2895, FEDORA-2015-2897, FEDORA-2015-2901, FEDORA-2015-6925, openSUSE-SU-2015:0573-1, SSA:2015-111-13, USN-2626-1, VIGILANCE-VUL-16446.

Description of the vulnerability 

The Qt product supports images in BMP format.

However, when the BMP header carries an invalid color mask, the read_dib_body() function derives a divisor from that mask without validating it and performs a division by zero.

An attacker can therefore invite the user of a Qt application to use a malicious BMP image, in order to trigger a denial of service.
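As an added illustration (not Qt's own code and not the patch referenced in this bulletin), the C++ sketch below shows how a BMP BI_BITFIELDS colour mask is turned into a per-channel scale divisor, and the validation that keeps that divisor non-zero. The names calc_shift, channel_scale, channel_scale_unchecked and validate_bitfield_masks are invented, and the specific failure path shown (a full 32-bit mask whose (mask >> shift) + 1 wraps to zero in unsigned arithmetic) is an assumption about how an invalid mask can reach the division, not a statement of Qt's exact logic.

```cpp
// Added illustration of the "invalid color mask -> division by zero" class of
// bug in BMP BI_BITFIELDS parsing. Not Qt's code; all names are invented.
#include <cstdint>
#include <cstdio>

struct ChannelScale {
    bool ok;        // false when the mask cannot produce a valid divisor
    int shift;      // number of trailing zero bits in the mask
    uint32_t scale; // 256 / (number of representable values in the channel)
};

// Position of the lowest set bit of the mask; 0 for a zero mask.
static int calc_shift(uint32_t mask) {
    int shift = 0;
    while (mask && !(mask & 1u)) { ++shift; mask >>= 1; }
    return shift;
}

// Unchecked form: divides by (mask >> shift) + 1 straight from the file.
// Assumed failure path: with a full 32-bit mask (0xFFFFFFFF) the addition
// wraps to 0 in uint32_t arithmetic, so the division is undefined behaviour
// (a SIGFPE on x86) and the process dies: the denial of service above.
static uint32_t channel_scale_unchecked(uint32_t mask) {
    int shift = calc_shift(mask);
    return 256u / ((mask >> shift) + 1u);
}

// Checked form: validate the divisor before dividing.
static ChannelScale channel_scale(uint32_t mask) {
    ChannelScale r{false, 0, 0};
    if (mask == 0) return r;               // empty channel: nothing to scale
    r.shift = calc_shift(mask);
    uint32_t levels = (mask >> r.shift) + 1u;
    if (levels == 0) return r;             // wrapped: mask was all ones
    if (levels > 256) return r;            // our own sanity bound: >8 bits/channel
    r.scale = 256u / levels;               // divisor is now known to be non-zero
    r.ok = true;
    return r;
}

// All three channel masks must be usable before any pixel is decoded.
static bool validate_bitfield_masks(uint32_t red, uint32_t green, uint32_t blue) {
    return channel_scale(red).ok && channel_scale(green).ok && channel_scale(blue).ok;
}

int main() {
    // Constructed sample headers: a benign RGB565 layout and a hostile one.
    const uint32_t benign[3]  = {0xF800u, 0x07E0u, 0x001Fu};
    const uint32_t hostile[3] = {0xFFFFFFFFu, 0x07E0u, 0x001Fu};

    std::printf("benign masks valid:  %s\n", validate_bitfield_masks(benign[0], benign[1], benign[2]) ? "yes" : "no");
    std::printf("hostile masks valid: %s\n", validate_bitfield_masks(hostile[0], hostile[1], hostile[2]) ? "yes" : "no");
    for (uint32_t m : benign) {
        ChannelScale s = channel_scale(m);
        std::printf("mask 0x%08X -> shift %d scale %u (unchecked path: %u)\n",
                    m, s.shift, s.scale, channel_scale_unchecked(m));
    }
    // channel_scale_unchecked(0xFFFFFFFF) is deliberately never called: it is
    // the crash. The checked path rejects the header instead.
    return 0;
}
```

The defensive point is the ordering: the divisor is computed once, tested for zero (and for the wrap that produces it) and only then used, so a crafted header is rejected with an error rather than crashing the application that loads the image.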

This vulnerability announcement impacts software or systems such as Fedora, openSUSE, Slackware, Ubuntu, Unix (platform) (list not comprehensive).

Our Vigil@nce team determined that the severity of this cybersecurity bulletin is medium.

The trust level is "confirmed by the vendor", with a document as its origin.

An attacker with an expert ability can exploit this threat alert.

Solutions for this threat 

Qt: patch for BMP.
A patch is available in information sources.

Fedora 21: new mingw-qt5-qtbase packages.
New packages are available:
  Fedora 21: mingw-qt5-qtbase 5.4.1-2.fc21

Fedora: new qt3 packages.
New packages are available:
  Fedora 20: qt3 3.3.8b-62.fc20
  Fedora 21: qt3 3.3.8b-62.fc21

Fedora: new qt packages.
New packages are available:
  Fedora 20: qt 4.8.6-25.fc20
  Fedora 21: qt 4.8.6-25.fc21

openSUSE 13.1: new kde packages.
New packages are available:
  openSUSE 13.1: kde4 4.11.5-488.2

Slackware: new qt packages.
New packages are available:
  Slackware 14.1: qt 4.8.6-*-1_slack14.1

Ubuntu: new libqt packages.
New packages are available:
  Ubuntu 15.04: libqt5gui5 5.4.1+dfsg-2ubuntu4.1, libqtgui4 4:4.8.6+git64-g5dc8b2b+dfsg-3~ubuntu6.1
  Ubuntu 14.10: libqt5gui5 5.3.0+dfsg-2ubuntu9.1, libqtgui4 4:4.8.6+git49-gbc62005+dfsg-1ubuntu1.1
  Ubuntu 14.04 LTS: libqt5gui5 5.2.1+dfsg-1ubuntu14.3, libqtgui4 4:4.8.5+git192-g085f851+dfsg-2ubuntu4.1
  Ubuntu 12.04 LTS: libqtgui4 4:4.8.1-0ubuntu4.9

Computer vulnerabilities tracking service 

Vigil@nce provides a bulletin on application vulnerabilities. The Vigil@nce team tracks computer vulnerabilities impacting systems and applications.