CVE-2021-38593: 
NixOS vulnerability analysis and mitigation

Qt 5.x before 5.15.6 and 6.x through 6.1.2 has an out-of-bounds write vulnerability in QOutlineMapper::convertPath, which is called from QRasterPaintEngine::fill and QPaintEngineEx::stroke functions. The vulnerability was discovered in June 2021 and was assigned CVE-2021-38593 (NVD).

The vulnerability is classified as an out-of-bounds write (CWE-787) with a CVSS v3.1 base score of 7.5 (HIGH). The issue occurs in the QOutlineMapper::convertPath function when it's called from QRasterPaintEngine::fill and QPaintEngineEx::stroke. The vulnerable code was introduced in Qt 6.0 through commit 6869d2463a2e (Ubuntu).

The vulnerability could lead to a denial of service condition through an out-of-bounds write. It affects the availability of the system, with no direct impact on confidentiality or integrity (NVD).

Multiple patches have been released to address this vulnerability. The fixes are available in Qt 5.15.6 and later versions for the 5.x series, and in versions after 6.1.2 for the 6.x series. The patches were implemented through several commits including 1ca02cf2879a5e, 202143ba41f6ac5, and 6b400e3147dcfd8c (NVD).

Various Linux distributions have responded to this vulnerability by releasing security updates. Fedora released updates for versions 35 and 36, and Gentoo issued an advisory (GLSA 202402-03) recommending users to upgrade to version 5.15.9-r1 or later (Fedora, Gentoo).