[Announce] [Development] Two Qt security advisorys: GDI Font Engine & WebP image format

[List for announcements regarding Qt releases and development]

It seems that the links were incorrect in my previous email so here is the whole thing again with the correct links. Apologies for any inconvenience caused!


An issue on Windows with the GDI font engine has been reported and has been assigned the CVE id CVE-2023-43114.

When corrupt font data is passed to the GDI font engine via QFontDatabase::addApplicationFont[FromData] then it can trigger a crash in the application.

Solution: As a workaround, validate that the font is safe to use beforehand. Or apply the following patch or update to Qt 5.15.16, Qt 6.2.10, Qt 6.5.3, Qt 6.6.0

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/503026
6.5: https://download.qt.io/official_releases/qt/6.5/CVE-2023-43114-6.5.patch
6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-43114-6.2.patch
5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-43114-5.15.patch

An issue in the libwebp library has been recently reported and assigned the CVE id CVE-2023-4863.

When a malicious WebP image is passed to the library then it can cause a buffer overflow.

Solution: As a workaround, update the WebP library manually to 1.3.2 and rebuild the imageformat plugin. Alternatively, apply the corresponding patch or update to Qt 5.15.16, Qt 6.2.10, Qt 6.5.3, Qt 6.6.0

Patches:

dev: https://codereview.qt-project.org/c/qt/qtimageformats/+/504175
6.5: https://download.qt.io/official_releases/qt/6.5/CVE-2023-4863-6.5.patch
6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-4863-6.2.patch
5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-4863-5.15.patch