[Announce] Qt Security Advisory: DoS vulnerability in the BMP image handler
List for announcements regarding Qt releases and development
announce at qt-project.org
Fri Feb 27 15:14:20 CET 2015
Qt Project Security Advisory
----------------------------
Title: DoS vulnerability in the BMP image handler
Risk Rating: Low
CVE: CVE-2015-0295
Platforms: All
Modules: QtBase
Versions: All versions before 5.5
Author: Richard J. Moore <rich at kde.org>
Date: 22 February 2015
Overview
--------
The builtin BMP decoder in QtGui prior to Qt 5.5 contained a bug that would
lead to a divsion by zero when loading certain corrupt BMP files. This in
turn
would cause the application loading these hand crafted BMPs to crash.
Details
-------
It is possible to construct BMP files such that when calculating the masks
required to extract the colour components a division by zero occurred.
Impact
------
An application loading the malicious BMP file will crash.
Workaround
----------
None
Solution
--------
Upgrade to Qt 5.5 once released or apply the patches below:
For Qt 5.0 to 5.4:
https://codereview.qt-project.org/106929
For Qt 4.8:
https://codereview.qt-project.org/107108
Credits
=======
The Qt security team would like to thank Fabian Vogt for reporting the
issue.
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.qt-project.org/pipermail/announce/attachments/20150227/b128888d/attachment.html>
More information about the Announce
mailing list