[Announce] Security advisory: QXmlStreamReader

List for announcements regarding Qt releases and development announce at qt-project.org
Fri Jul 7 12:30:36 CEST 2023


A recently reported potential buffer overflow issue in QXmlStreamReader has been assigned the CVE id CVE-2023-37369

When given specifically crafted data then QXmlStreamReader can end up causing a buffer overflow and subsequently a crash.

Solution: Validate any XML being passed to QXmlStreamReader that is not already trusted. Alternatively apply the attached patch or update to Qt 5.15.15, Qt 6.2.10, or Qt 6.5.2

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/455027
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/488206 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-37369-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-37369-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-37369-qtbase-5.15.diff

Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success 
The Qt Company



More information about the Announce mailing list