qtbase-opensource-src-gles - Debian Package Tracker

general

source: qtbase-opensource-src-gles (main)
version: 5.15.15+dfsg-2
maintainer: Debian Qt/KDE Maintainers (archive) (DMD)
uploaders: Simon Quigley [DMD] – Dmitry Shachnev [DMD] – Sune Vuorela [DMD] – Pino Toscano [DMD] – Timo Jyrinki [DMD]
arch: any
std-ver: 4.7.0
VCS: Git (Browse, QA)

versions [more versions can be listed by madison] [old versions available from snapshot.debian.org]

[pool directory]

oldstable: 5.15.2+dfsg-4
stable: 5.15.8+dfsg-3
testing: 5.15.15+dfsg-2
unstable: 5.15.15+dfsg-2

versioned links

5.15.2+dfsg-4: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.15.8+dfsg-3: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]
5.15.15+dfsg-2: [.dsc, use dget on this link to retrieve source package] [changelog] [copyright] [rules] [control]

binaries

libqt5gui5-gles
qtbase5-gles-dev (1 bugs: 0, 1, 0, 0)
qtbase5-private-gles-dev

action needed

A new upstream version is available: 5.15.17 high

A new upstream version 5.15.17 is available, you should consider packaging it.

Created: 2024-11-18 Last update: 2025-06-03 21:33

1 security issue in trixie high

There is 1 open security issue in trixie.

1 important issue:

CVE-2025-5455: An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

Created: 2025-06-02 Last update: 2025-06-03 06:32

1 security issue in sid high

There is 1 open security issue in sid.

1 important issue:

CVE-2025-5455: An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

Created: 2025-06-02 Last update: 2025-06-03 06:32

9 security issues in bullseye high

There are 9 open security issues in bullseye.

1 important issue:

CVE-2025-5455: An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

8 issues postponed or untriaged:

CVE-2022-25255: (needs triaging) In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
CVE-2023-32763: (needs triaging) An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. When a SVG file with an image inside it is rendered, a QTextLayout buffer overflow can be triggered.
CVE-2023-33285: (needs triaging) An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVE-2023-34410: (needs triaging) An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVE-2023-37369: (needs triaging) In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVE-2023-38197: (needs triaging) An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVE-2023-51714: (needs triaging) An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVE-2024-25580: (needs triaging) An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file.

Created: 2025-06-02 Last update: 2025-06-03 06:32

7 security issues in bookworm high

There are 7 open security issues in bookworm.

1 important issue:

CVE-2025-5455: An issue was found in the private API function qDecodeDataUrl() in QtCore, which is used in QTextDocument and QNetworkReply, and, potentially, in user code. If the function was called with malformed data, for example, an URL that contained a "charset" parameter that lacked a value (such as "data:charset,"), and Qt was built with assertions enabled, then it would hit an assertion, resulting in a denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.

6 issues left for the package maintainer to handle:

CVE-2023-33285: (needs triaging) An issue was discovered in Qt 5.x before 5.15.14, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.1. QDnsLookup has a buffer over-read via a crafted reply from a DNS server.
CVE-2023-34410: (needs triaging) An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate.
CVE-2023-37369: (needs triaging) In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.
CVE-2023-38197: (needs triaging) An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
CVE-2023-51714: (needs triaging) An issue was discovered in the HTTP2 implementation in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2. network/access/http2/hpacktable.cpp has an incorrect HPack integer overflow check.
CVE-2024-25580: (needs triaging) An issue was discovered in gui/util/qktxhandler.cpp in Qt before 5.15.17, 6.x before 6.2.12, 6.3.x through 6.5.x before 6.5.5, and 6.6.x before 6.6.2. A buffer overflow and application crash can occur via a crafted KTX image file.

You can find information about how to handle these issues in the security team's documentation.

Created: 2023-05-18 Last update: 2025-06-03 06:32

lintian reports 5 warnings high

Lintian reports 5 warnings about this package. You should make the package lintian clean getting rid of them.

Created: 2023-05-25 Last update: 2025-04-10 23:01

debian/patches: 1 patch with invalid metadata, 23 patches to forward upstream high

Among the 29 debian patches available in version 5.15.15+dfsg-2 of the package, we noticed the following issues:

1 patch with invalid metadata that ought to be fixed.
23 patches where the metadata indicates that the patch has not yet been forwarded upstream. You should either forward the patch upstream or update the metadata to document its real status.

Created: 2023-02-26 Last update: 2024-10-25 23:04

Does not build reproducibly during testing normal

A package building reproducibly enables third parties to verify that the source matches the distributed binaries. It has been identified that this source package produced different results, failed to build or had other issues in a test environment. Please read about how to improve the situation!

Created: 2024-11-09 Last update: 2025-06-03 21:33

Build log checks report 2 warnings low

Build log checks report 2 warnings

Created: 2024-03-23 Last update: 2024-03-23 13:33

Standards version of the package is outdated. wishlist

The package should be updated to follow the last version of Debian Policy (Standards-Version 4.7.2 instead of 4.7.0).

Created: 2025-02-21 Last update: 2025-02-27 13:25

news

[rss feed]

[2024-11-06] qtbase-opensource-src-gles 5.15.15+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-10-25] Accepted qtbase-opensource-src-gles 5.15.15+dfsg-2 (source) into unstable (Dmitry Shachnev)
[2024-09-10] Accepted qtbase-opensource-src-gles 5.15.15+dfsg-1 (source) into experimental (Dmitry Shachnev)
[2024-05-31] qtbase-opensource-src-gles 5.15.13+dfsg-2 MIGRATED to testing (Debian testing watch)
[2024-05-21] Accepted qtbase-opensource-src-gles 5.15.13+dfsg-2 (source) into unstable (Dmitry Shachnev)
[2024-05-03] qtbase-opensource-src-gles 5.15.10+dfsg-6 MIGRATED to testing (Debian testing watch)
[2024-03-28] Accepted qtbase-opensource-src-gles 5.15.13+dfsg-1 (source) into experimental (Dmitry Shachnev)
[2024-03-23] Accepted qtbase-opensource-src-gles 5.15.10+dfsg-6 (source) into unstable (Dmitry Shachnev)
[2024-03-02] qtbase-opensource-src-gles 5.15.10+dfsg-5 MIGRATED to testing (Debian testing watch)
[2024-02-26] Accepted qtbase-opensource-src-gles 5.15.10+dfsg-5 (source) into unstable (Dmitry Shachnev)
[2024-02-17] qtbase-opensource-src-gles 5.15.10+dfsg-4 MIGRATED to testing (Debian testing watch)
[2024-02-17] qtbase-opensource-src-gles 5.15.10+dfsg-4 MIGRATED to testing (Debian testing watch)
[2024-02-11] Accepted qtbase-opensource-src-gles 5.15.10+dfsg-4 (source) into unstable (Dmitry Shachnev)
[2023-12-25] Accepted qtbase-opensource-src-gles 5.15.12+dfsg-1 (source) into experimental (Dmitry Shachnev)
[2023-11-24] qtbase-opensource-src-gles 5.15.10+dfsg-3 MIGRATED to testing (Debian testing watch)
[2023-11-14] Accepted qtbase-opensource-src-gles 5.15.10+dfsg-3 (source) into unstable (Dmitry Shachnev)
[2023-07-27] qtbase-opensource-src-gles 5.15.10+dfsg-2 MIGRATED to testing (Debian testing watch)
[2023-07-08] Accepted qtbase-opensource-src-gles 5.15.10+dfsg-2 (source) into unstable (Dmitry Shachnev)
[2023-06-12] Accepted qtbase-opensource-src-gles 5.15.10+dfsg-1 (source) into experimental (Dmitry Shachnev)
[2023-05-29] qtbase-opensource-src-gles 5.15.8+dfsg-3 MIGRATED to testing (Debian testing watch)
[2023-05-24] Accepted qtbase-opensource-src-gles 5.15.8+dfsg-3 (source) into unstable (Dmitry Shachnev)
[2023-05-14] Accepted qtbase-opensource-src-gles 5.15.9+dfsg-1 (source) into experimental (Dmitry Shachnev)
[2023-03-04] Accepted qtbase-opensource-src-gles 5.15.8+dfsg-2 (source) into unstable (Dmitry Shachnev)
[2023-01-22] qtbase-opensource-src-gles 5.15.8+dfsg-1 MIGRATED to testing (Debian testing watch)
[2023-01-13] Accepted qtbase-opensource-src-gles 5.15.8+dfsg-1 (source) into unstable (Dmitry Shachnev)
[2022-12-30] qtbase-opensource-src-gles 5.15.7+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-12-19] Accepted qtbase-opensource-src-gles 5.15.7+dfsg-2 (source) into unstable (Dmitry Shachnev)
[2022-12-06] Accepted qtbase-opensource-src-gles 5.15.7+dfsg-1 (source) into experimental (Dmitry Shachnev)
[2022-10-28] qtbase-opensource-src-gles 5.15.6+dfsg-2 MIGRATED to testing (Debian testing watch)
[2022-09-29] Accepted qtbase-opensource-src-gles 5.15.6+dfsg-2 (source) into unstable (Dmitry Shachnev)

bugs [bug history graph]

all: 4
RC: 0
I&N: 3
M&W: 1
F&P: 0
patch: 0

links

homepage
lintian (0, 5)
buildd: logs, checks, reproducibility, cross
popcon
browse source code
edit tags
other distros
security tracker
debian patches

ubuntu

[Information about Ubuntu for Debian Developers]

version: 5.15.15+dfsg-2
3 bugs