SUSE-SU-2015:1359-1: moderate: Security update for libqt4

sle-security-updates at lists.suse.com
Fri Aug 7 03:10:40 MDT 2015


   SUSE Security Update: Security update for libqt4
______________________________________________________________________________

Announcement ID:    SUSE-SU-2015:1359-1
Rating:             moderate
References:         #847880 #921999 #927806 #927807 #927808 #929688 
                    
Cross-References:   CVE-2015-0295 CVE-2015-1858 CVE-2015-1859
                    CVE-2015-1860
Affected Products:
                    SUSE Linux Enterprise Workstation Extension 12
                    SUSE Linux Enterprise Software Development Kit 12
                    SUSE Linux Enterprise Server 12
                    SUSE Linux Enterprise Desktop 12
______________________________________________________________________________

   An update that solves four vulnerabilities and has two
   fixes is now available.

Description:

   The libqt4 library was updated to fix several security and non-security
   issues.

   The following vulnerabilities were fixed:
   - bsc#921999: CVE-2015-0295: division by zero when processing malformed
     BMP files
   - bsc#927806: CVE-2015-1858: segmentation fault in BMP Qt Image Format
     Handling
   - bsc#927807: CVE-2015-1859: segmentation fault in ICO Qt Image Format
     Handling
   - bsc#927808: CVE-2015-1860: segmentation fault in GIF Qt Image Format
     Handling

   The following non-security issues were fixed:
   - bsc#929688: Critical Problem in Qt Network Stack
   - bsc#847880: kde/qt rendering error in qemu cirrus i586
   - Update use-freetype-default.diff to use same method as with
     libqt5-qtbase package: Qt itself already does runtime check whether
     subpixel rendering is available, but only when
     FT_CONFIG_OPTION_SUBPIXEL_RENDERING is defined. Thus it is enough to
     only remove that condition
   - The -devel subpackage requires Mesa-devel, not only at build time
   - Fixed compilation on SLE_11_SP3 by making it build against Mesa-devel on
     that system
   - Replace patch l-qclipboard_fix_recursive.patch with
     qtcore-4.8.5-qeventdispatcher-recursive.patch. The latter one seems to
     work better and really resolves the issue in LibreOffice
   - Added kde4_qt_plugin_path.patch, so kde4 plugins are magically
     found/known outside kde4 environment/session
   - Added _constraints. Building took up to 7GB of disk space on s390x, and
     more than 6GB on x86_64
   - Add 3 patches for Qt bugs to make LibreOffice KDE4 file picker work
     properly again:
     * Add glib-honor-ExcludeSocketNotifiers-flag.diff (QTBUG-37380)
     * Add l-qclipboard_fix_recursive.patch (QTBUG-34614)
     * Add l-qclipboard_delay.patch (QTBUG-38585)


Patch Instructions:

   To install this SUSE Security Update use YaST online_update.
   Alternatively you can run the command listed for your product:

   - SUSE Linux Enterprise Workstation Extension 12:

      zypper in -t patch SUSE-SLE-WE-12-2015-380=1

   - SUSE Linux Enterprise Software Development Kit 12:

      zypper in -t patch SUSE-SLE-SDK-12-2015-380=1

   - SUSE Linux Enterprise Server 12:

      zypper in -t patch SUSE-SLE-SERVER-12-2015-380=1

   - SUSE Linux Enterprise Desktop 12:

      zypper in -t patch SUSE-SLE-DESKTOP-12-2015-380=1

   To bring your system up-to-date, use "zypper patch".
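
   After patching, the installed builds can be compared with the Package List
   below. The following is an added example, not part of the SUSE advisory: the
   function names and the sample inventory are constructed for illustration, and
   GNU sort -V is assumed as a stand-in for rpm's own version comparison.

```bash
#!/usr/bin/env bash
# Added example (not part of the SUSE advisory): flag packages older than the
# builds listed in SUSE-SU-2015:1359-1. Reads "name version-release" lines, e.g.
#   rpm -qa --qf '%{NAME} %{VERSION}-%{RELEASE}\n' 'libqt4*' 'qt4-x11-tools*'

# Fixed version-release per package name, from the advisory's Package List.
fixed_build() {
  case "$1" in
    libqt4-sql-mysql*|libqt4-sql-postgresql*|libqt4-sql-unixODBC*) echo "4.8.6-4.1" ;;
    libqt4-devel-doc*|qt4-x11-tools*) echo "4.8.6-4.6" ;;
    libqt4|libqt4-*) echo "4.8.6-4.2" ;;
    *) return 1 ;;   # not a package covered by this advisory
  esac
}

# Succeeds when version-release $1 sorts strictly before $2.
# Assumption: GNU sort -V stands in for rpm's own comparison, which is adequate
# for the purely numeric version-release strings used here.
older_than() {
  [ "$1" != "$2" ] &&
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# Prints one line per outdated package; returns 1 if any were found.
check_libqt4() {
  local name ver fixed rc=0
  while read -r name ver; do
    fixed=$(fixed_build "$name") || continue
    if older_than "$ver" "$fixed"; then
      echo "$name $ver < $fixed"
      rc=1
    fi
  done
  return "$rc"
}

# Constructed inventory for demonstration (not taken from a real host).
sample_inventory() {
  cat <<'EOF'
libqt4 4.8.6-2.1
libqt4-x11 4.8.6-4.2
libqt4-sql-mysql 4.8.6-4.1
qt4-x11-tools 4.8.6-4.2
bash 4.2-75.2
EOF
}

sample_inventory | check_libqt4 || true
```

   On a real host, pipe the rpm query shown in the header comment into
   check_libqt4; a non-zero exit status means at least one package is still
   below the build shipped with this update.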


Package List:

   - SUSE Linux Enterprise Workstation Extension 12 (x86_64):

      libqt4-debuginfo-32bit-4.8.6-4.2
      libqt4-sql-mysql-32bit-4.8.6-4.1
      libqt4-sql-postgresql-32bit-4.8.6-4.1
      libqt4-sql-postgresql-4.8.6-4.1
      libqt4-sql-sqlite-32bit-4.8.6-4.2
      libqt4-sql-sqlite-debuginfo-32bit-4.8.6-4.2
      libqt4-sql-unixODBC-32bit-4.8.6-4.1
      libqt4-sql-unixODBC-4.8.6-4.1

   - SUSE Linux Enterprise Software Development Kit 12 (ppc64le s390x x86_64):

      libqt4-debuginfo-4.8.6-4.2
      libqt4-debugsource-4.8.6-4.2
      libqt4-devel-4.8.6-4.2
      libqt4-devel-debuginfo-4.8.6-4.2
      libqt4-devel-doc-4.8.6-4.6
      libqt4-devel-doc-debuginfo-4.8.6-4.6
      libqt4-devel-doc-debugsource-4.8.6-4.6
      libqt4-linguist-4.8.6-4.2
      libqt4-linguist-debuginfo-4.8.6-4.2
      libqt4-private-headers-devel-4.8.6-4.2
      libqt4-sql-postgresql-4.8.6-4.1
      libqt4-sql-unixODBC-4.8.6-4.1

   - SUSE Linux Enterprise Software Development Kit 12 (s390x x86_64):

      libqt4-sql-postgresql-32bit-4.8.6-4.1
      libqt4-sql-unixODBC-32bit-4.8.6-4.1

   - SUSE Linux Enterprise Software Development Kit 12 (noarch):

      libqt4-devel-doc-data-4.8.6-4.6

   - SUSE Linux Enterprise Server 12 (ppc64le s390x x86_64):

      libqt4-4.8.6-4.2
      libqt4-debuginfo-4.8.6-4.2
      libqt4-debugsource-4.8.6-4.2
      libqt4-devel-doc-debuginfo-4.8.6-4.6
      libqt4-devel-doc-debugsource-4.8.6-4.6
      libqt4-qt3support-4.8.6-4.2
      libqt4-qt3support-debuginfo-4.8.6-4.2
      libqt4-sql-4.8.6-4.2
      libqt4-sql-debuginfo-4.8.6-4.2
      libqt4-sql-mysql-4.8.6-4.1
      libqt4-sql-sqlite-4.8.6-4.2
      libqt4-sql-sqlite-debuginfo-4.8.6-4.2
      libqt4-x11-4.8.6-4.2
      libqt4-x11-debuginfo-4.8.6-4.2
      qt4-x11-tools-4.8.6-4.6
      qt4-x11-tools-debuginfo-4.8.6-4.6

   - SUSE Linux Enterprise Server 12 (s390x x86_64):

      libqt4-32bit-4.8.6-4.2
      libqt4-debuginfo-32bit-4.8.6-4.2
      libqt4-qt3support-32bit-4.8.6-4.2
      libqt4-qt3support-debuginfo-32bit-4.8.6-4.2
      libqt4-sql-32bit-4.8.6-4.2
      libqt4-sql-debuginfo-32bit-4.8.6-4.2
      libqt4-x11-32bit-4.8.6-4.2
      libqt4-x11-debuginfo-32bit-4.8.6-4.2

   - SUSE Linux Enterprise Desktop 12 (x86_64):

      libqt4-32bit-4.8.6-4.2
      libqt4-4.8.6-4.2
      libqt4-debuginfo-32bit-4.8.6-4.2
      libqt4-debuginfo-4.8.6-4.2
      libqt4-debugsource-4.8.6-4.2
      libqt4-qt3support-32bit-4.8.6-4.2
      libqt4-qt3support-4.8.6-4.2
      libqt4-qt3support-debuginfo-32bit-4.8.6-4.2
      libqt4-qt3support-debuginfo-4.8.6-4.2
      libqt4-sql-32bit-4.8.6-4.2
      libqt4-sql-4.8.6-4.2
      libqt4-sql-debuginfo-32bit-4.8.6-4.2
      libqt4-sql-debuginfo-4.8.6-4.2
      libqt4-sql-mysql-32bit-4.8.6-4.1
      libqt4-sql-mysql-4.8.6-4.1
      libqt4-sql-postgresql-32bit-4.8.6-4.1
      libqt4-sql-postgresql-4.8.6-4.1
      libqt4-sql-sqlite-32bit-4.8.6-4.2
      libqt4-sql-sqlite-4.8.6-4.2
      libqt4-sql-sqlite-debuginfo-32bit-4.8.6-4.2
      libqt4-sql-sqlite-debuginfo-4.8.6-4.2
      libqt4-sql-unixODBC-32bit-4.8.6-4.1
      libqt4-sql-unixODBC-4.8.6-4.1
      libqt4-x11-32bit-4.8.6-4.2
      libqt4-x11-4.8.6-4.2
      libqt4-x11-debuginfo-32bit-4.8.6-4.2
      libqt4-x11-debuginfo-4.8.6-4.2


References:

   https://www.suse.com/security/cve/CVE-2015-0295.html
   https://www.suse.com/security/cve/CVE-2015-1858.html
   https://www.suse.com/security/cve/CVE-2015-1859.html
   https://www.suse.com/security/cve/CVE-2015-1860.html
   https://bugzilla.suse.com/847880
   https://bugzilla.suse.com/921999
   https://bugzilla.suse.com/927806
   https://bugzilla.suse.com/927807
   https://bugzilla.suse.com/927808
   https://bugzilla.suse.com/929688


