[Announce] Security Advisory: QXmlStreamReader
List for announcements regarding Qt releases and development
announce at qt-project.org
Tue Jul 18 15:00:16 CEST 2023
A recently reported potential buffer overflow issue in QXmlStreamReader has been assigned the CVE id CVE-2023-38197.
QXmlStreamReader can freeze or run out of memory on recursive entity expansion when DTD tokens appear in the XML body.
Solution: Apply the attached patch or update to Qt 5.15.15, Qt 6.2.10, or Qt 6.5.3. Note that the patch from the previous security advisory for QXmlStreamReader must be applied first, before applying this one.
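The failure mode described above, as an added illustration that is not part of the advisory or of Qt's own code: a Python pre-check that measures how far a document's internal DTD entities would expand and rejects self-referencing ones, so untrusted input can be refused before it is handed to QXmlStreamReader. The regular expressions, the size limits and the sample documents are assumptions of this example.

```python
import re

# Added example, not Qt code: a fail-closed pre-check for untrusted XML before it
# reaches QXmlStreamReader. Regexes, limits and samples are this author's assumptions.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([A-Za-z_][\w.\-]*)\s+"([^"]*)"\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_][\w.\-]*);')
PREDEFINED = {"lt", "gt", "amp", "apos", "quot"}  # each expands to 1 char

def expanded_length(text, entities, in_progress=frozenset(), memo=None):
    """Length of `text` after substituting every internal entity reference.
    Raises ValueError on a reference cycle (recursive entity expansion)."""
    memo = {} if memo is None else memo
    total, last = 0, 0
    for m in ENTITY_REF.finditer(text):
        total += m.start() - last
        last = m.end()
        name = m.group(1)
        if name in PREDEFINED:
            total += 1
        elif name not in entities:
            total += m.end() - m.start()       # unknown reference stays as-is
        elif name in in_progress:
            raise ValueError(f"recursive entity &{name};")
        else:
            if name not in memo:               # memoise fully expanded sizes
                memo[name] = expanded_length(entities[name], entities,
                                             in_progress | {name}, memo)
            total += memo[name]
    return total + len(text) - last

def check_document(xml, max_expansion=1_000_000, max_ratio=50):
    """Return None if the document may be parsed, else the reason to reject it.
    Declarations are collected wherever they appear (prolog or body)."""
    decls = ENTITY_DECL.findall(xml)
    if xml.count("<!ENTITY") != len(decls):   # external, parameter or quoted
        return "unsupported entity declaration"
    entities, memo = dict(decls), {}
    try:
        for name in entities:                   # validate every declaration
            expanded_length(f"&{name};", entities, memo=memo)
        size = expanded_length(ENTITY_DECL.sub("", xml), entities, memo=memo)
    except ValueError as err:
        return str(err)
    if size > max_expansion or size > max_ratio * len(xml):
        return f"entity expansion too large: {size} chars from {len(xml)} input"
    return None

BENIGN = '<!DOCTYPE d [<!ENTITY co "The Qt Company">]><d>&co; &amp; &co;</d>'  # constructed samples
DOUBLING = '<!DOCTYPE d [<!ENTITY a "lol"><!ENTITY b "&a;&a;"><!ENTITY c "&b;&b;">]><d>&c;</d>'
RECURSIVE = '<!DOCTYPE d [<!ENTITY loop "x&loop;">]><d>&loop;</d>'
```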
Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/488960
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/490550 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-38197-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-38197-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-38197-qtbase-5.15.diff
Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success
The Qt Company