[Announce] Security advisory: Qt SVG

List for announcements regarding Qt releases and development announce at qt-project.org
Mon May 15 12:03:50 CEST 2023


Hi,

A recent potential divide by zero in Qt SVG has been reported and has been assigned the CVE id CVE-2023-32573.

In QSvgFont, the m_unitsPerEm variable initialization is mishandled so if a SVG file that uses font-face without units-per-em set is passed to QSvgRenderer to render then it can trigger a division by zero.

Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1

Patches:

dev: https://codereview.qt-project.org/c/qt/qtsvg/+/474093
Qt 6.5: https://codereview.qt-project.org/c/qt/qtsvg/+/474404 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-32573-qtsvg-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-32573-qtsvg-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff

Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success 
The Qt Company


More information about the Announce mailing list