Message-ID: <20250424183209.GA22610@openwall.com>
Date: Thu, 24 Apr 2025 20:32:09 +0200
From: Solar Designer <solar@...nwall.com>
To: 田世林 <tianshilin@...pin.org>
Cc: oss-security <oss-security@...ts.openwall.com>
Subject: Re: CVE-2025-3512: Qt Base QTextMarkdownImporter Front Matter Buffer Overflow

Hi,

Thank you for bringing this to oss-security!

As I also communicated privately, as a moderator I had to repair this message's content prior to approving it because the text/plain section was garbled to the point of being unreadable. This is why the delay (message received April 22, approved April 24). However, I did not edit any of the content beyond making it look right in text/plain, so I post this follow-up instead:

On Tue, Apr 22, 2025 at 11:36:46AM +0000, 田世林 wrote:
> A heap buffer overflow vulnerability exists in `QTextMarkdownImporter`.
> When parsing the front matter of a Markdown file, the code assumes that
> more characters (e.g., a newline) will be present in the input after
> finding the closing marker `---`. However, if the input stream ends with
> the `----` delimiter and lacks a trailing newline, calling
> `QStringView::sliced()` will attempt to access characters beyond the end
> of the string, causing the program to crash.

This reads like it's an out-of-bounds read, _not_ a buffer overflow - or if it somehow _is_ a buffer overflow, then the description is lacking.

Can we please try and label vulnerabilities correctly? There appears to be a growing trend towards calling OOB reads "buffer overflows". Just this month on oss-security, we saw this for a giflib bug and then for two libxml2 bugs, and now QTextMarkdownImporter is like the fourth with this same kind of mis-labeling in here this month.

Thanks, and sorry for maybe sounding negative - I don't mean to be.

Alexander
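The edge case the quoted report describes (input that ends right after the closing `---`, with no trailing newline), as an added example that is not Qt's code: a hypothetical front-matter splitter in plain C++ using `std::string_view` in place of `QStringView`, where every slice is preceded by a length check so the "skip the newline after the closing marker" step cannot read past the end of the input.

```cpp
#include <cstddef>
#include <iostream>
#include <string_view>

// Result of splitting a Markdown document into front matter and body.
struct FrontMatterSplit {
    bool found = false;           // true when a well-formed front matter block was seen
    std::string_view frontMatter; // lines between the opening and closing "---"
    std::string_view body;        // everything after the closing delimiter line
};

// Hypothetical splitter (constructed for this example, not QTextMarkdownImporter).
// The opening delimiter is "---\n" at offset 0; the closing delimiter is a line
// consisting of exactly "---". Unlike the flawed logic described in the report,
// the position after the closing marker is only advanced past a newline if one
// is actually present, so a document ending in "---" yields an empty body.
FrontMatterSplit splitFrontMatter(std::string_view doc) {
    FrontMatterSplit out;
    constexpr std::string_view delim = "---";
    if (doc.size() < delim.size() + 1 || doc.substr(0, delim.size()) != delim ||
        doc[delim.size()] != '\n')
        return out;                                   // no front matter at all
    const std::size_t contentStart = delim.size() + 1;
    std::size_t lineStart = contentStart;
    while (lineStart <= doc.size()) {
        std::size_t lineEnd = doc.find('\n', lineStart);
        if (lineEnd == std::string_view::npos) lineEnd = doc.size();
        if (doc.substr(lineStart, lineEnd - lineStart) == delim) {
            out.found = true;
            out.frontMatter = doc.substr(contentStart, lineStart - contentStart);
            // The missing bounds check: is there really a newline (or anything) left?
            const std::size_t bodyStart = lineEnd < doc.size() ? lineEnd + 1 : doc.size();
            out.body = doc.substr(bodyStart);         // bodyStart <= size() is guaranteed
            return out;
        }
        if (lineEnd == doc.size()) break;             // unterminated front matter
        lineStart = lineEnd + 1;
    }
    return out;
}

int main() {
    // Constructed inputs: the report's edge case, and a normal document.
    for (std::string_view doc : {std::string_view("---\ntitle: x\n---"),
                                 std::string_view("---\ntitle: x\n---\nhello")}) {
        FrontMatterSplit s = splitFrontMatter(doc);
        std::cout << "found=" << s.found << " body=\"" << s.body << "\"\n";
    }
    return 0;
}
```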