Debian DLA-2895-1:qt4-x11 - LTS 安全性更新

high Nessus Plugin ID 157047

概要

遠端 Debian 主機上缺少一個或多個安全性更新。

說明

遠端 Debian 9 主機上安裝的多個套件受到 dla-2895 公告中提及的多個弱點影響。

- Qt 5.0.0 版到 5.15.2 版和 6.0.0 版到 6.2.1 版的 Qt SVG 的 QtPrivate: : QCommonArrayOps<QPainterPath: : Element>: : growAppend (從 QPainterPath: : addPath 和 QPathClipper: : intersect 呼叫) 中存在一個超出邊界寫入問題。(CVE-2021-45930)

- 在 Qt 中發現一個瑕疵。在 Qt/Qtbase 中 qt/qtbase/gui/painting/qdrawhelper_p.h 的 QRadialFetchSimd 中發現超出邊界讀取弱點。轉譯和顯示特製的可縮放向量圖形 (SVG) 檔案時,此瑕疵可能會導致未經授權的記憶體存取。此弱點對於資料機密性與應用程式可用性威脅最大。(CVE-2021-3481)

請注意,Nessus 並未測試此問題,而是僅依據應用程式自我報告的版本號碼作出判斷。

解決方案

升級 qt4-x11 套件。

針對 Debian 9「Stretch」,已在版本 4 中修正這些問題

另請參閱

https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=986798

https://security-tracker.debian.org/tracker/source-package/qt4-x11

https://www.debian.org/lts/security/2022/dla-2895

https://security-tracker.debian.org/tracker/CVE-2021-3481

https://security-tracker.debian.org/tracker/CVE-2021-45930

https://packages.debian.org/source/stretch/qt4-x11

Plugin 詳細資訊

嚴重性: High

ID: 157047

檔案名稱: debian_DLA-2895.nasl

版本: 1.6

類型: local

代理程式: unix

已發布: 2022/1/24

已更新: 2023/11/20

支援的感應器: Agentless Assessment, Frictionless Assessment Agent, Nessus Agent, Nessus

風險資訊

VPR

風險因素: Medium

分數: 6.0

CVSS v2

風險因素: Medium

基本分數: 4.3

時間分數: 3.4

媒介: CVSS2#AV:N/AC:M/Au:N/C:N/I:N/A:P

CVSS 評分資料來源: CVE-2021-45930

CVSS v3

風險因素: High

基本分數: 7.1

時間分數: 6.4

媒介: CVSS:3.0/AV:L/AC:L/PR:N/UI:R/S:U/C:H/I:N/A:H

時間媒介: CVSS:3.0/E:P/RL:O/RC:C

CVSS 評分資料來源: CVE-2021-3481

弱點資訊

CPE: p-cpe:/a:debian:debian_linux:libqtdbus4, p-cpe:/a:debian:debian_linux:libqtgui4, p-cpe:/a:debian:debian_linux:qdbus, p-cpe:/a:debian:debian_linux:qt4-bin-dbg, p-cpe:/a:debian:debian_linux:qt4-default, p-cpe:/a:debian:debian_linux:qt4-demos, p-cpe:/a:debian:debian_linux:qt4-demos-dbg, p-cpe:/a:debian:debian_linux:qt4-designer, p-cpe:/a:debian:debian_linux:qt4-dev-tools, p-cpe:/a:debian:debian_linux:qt4-doc, p-cpe:/a:debian:debian_linux:qt4-doc-html, p-cpe:/a:debian:debian_linux:qt4-linguist-tools, p-cpe:/a:debian:debian_linux:qt4-qmake, p-cpe:/a:debian:debian_linux:qt4-qmlviewer, p-cpe:/a:debian:debian_linux:qt4-qtconfig, p-cpe:/a:debian:debian_linux:qtcore4-l10n, cpe:/o:debian:debian_linux:9.0, p-cpe:/a:debian:debian_linux:libqt4-dbg, p-cpe:/a:debian:debian_linux:libqt4-dbus, p-cpe:/a:debian:debian_linux:libqt4-declarative, p-cpe:/a:debian:debian_linux:libqt4-declarative-folderlistmodel, p-cpe:/a:debian:debian_linux:libqt4-declarative-gestures, p-cpe:/a:debian:debian_linux:libqt4-declarative-particles, p-cpe:/a:debian:debian_linux:libqt4-declarative-shaders, p-cpe:/a:debian:debian_linux:libqt4-designer, p-cpe:/a:debian:debian_linux:libqt4-designer-dbg, p-cpe:/a:debian:debian_linux:libqt4-dev, p-cpe:/a:debian:debian_linux:libqt4-dev-bin, p-cpe:/a:debian:debian_linux:libqt4-help, p-cpe:/a:debian:debian_linux:libqt4-network, p-cpe:/a:debian:debian_linux:libqt4-opengl, p-cpe:/a:debian:debian_linux:libqt4-opengl-dev, p-cpe:/a:debian:debian_linux:libqt4-phonon, p-cpe:/a:debian:debian_linux:libqt4-qt3support, p-cpe:/a:debian:debian_linux:libqt4-qt3support-dbg, p-cpe:/a:debian:debian_linux:libqt4-script, p-cpe:/a:debian:debian_linux:libqt4-script-dbg, p-cpe:/a:debian:debian_linux:libqt4-scripttools, p-cpe:/a:debian:debian_linux:libqt4-sql, p-cpe:/a:debian:debian_linux:libqt4-sql-ibase, p-cpe:/a:debian:debian_linux:libqt4-sql-mysql, p-cpe:/a:debian:debian_linux:libqt4-sql-odbc, p-cpe:/a:debian:debian_linux:libqt4-sql-psql, p-cpe:/a:debian:debian_linux:libqt4-sql-sqlite, p-cpe:/a:debian:debian_linux:libqt4-sql-sqlite2, p-cpe:/a:debian:debian_linux:libqt4-sql-tds, p-cpe:/a:debian:debian_linux:libqt4-svg, p-cpe:/a:debian:debian_linux:libqt4-test, p-cpe:/a:debian:debian_linux:libqt4-xml, p-cpe:/a:debian:debian_linux:libqt4-xmlpatterns, p-cpe:/a:debian:debian_linux:libqt4-xmlpatterns-dbg, p-cpe:/a:debian:debian_linux:libqtcore4

必要的 KB 項目: Host/local_checks_enabled, Host/Debian/release, Host/Debian/dpkg-l

可被惡意程式利用: true

可輕鬆利用: Exploits are available

修補程式發佈日期: 2022/1/24

弱點發布日期: 2021/11/9

參考資訊

CVE: CVE-2021-3481, CVE-2021-45930