[Announce] Security advisory: Potential Integer Overflow in Qt's HTTP2 implementation

List for announcements regarding Qt releases and development (announce at qt-project.org)
Tue Jan 2 12:00:00 CET 2024


Hi,

A recently reported potential integer overflow issue in Qt’s HTTP2 implementation has been assigned the CVE id CVE-2023-51714.

An issue was discovered in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2.

If the HTTP2 implementation receives more than 4 GiB of headers in total, or more than 2 GiB for any single header name/value pair, the internal buffers may overflow.
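The two limits in the advisory, 4 GiB across all headers and 2 GiB for one pair, are exactly where a 32-bit unsigned and a 32-bit signed counter wrap, so the snippet below models that bug class: a size accumulator that wraps silently beside one that widens to 64 bits and rejects before the limit. This is an added illustration, not Qt's code and not taken from the linked patches; the struct names, the counter widths and the assumption that Qt's counters are 32-bit are mine, and the real fix should be read from the changes listed in this advisory. Only sizes are counted, so no gigabytes of header data are allocated.

```cpp
#include <cstdint>
#include <cstdio>

// Added example: a model of the bug class, not Qt's code. Sizes are counted,
// no header bytes are allocated, so the 4 GiB scenario runs instantly.
//
// Assumptions (mine, not from the advisory): the per-connection total is
// tracked in a 32-bit unsigned counter and a single pair's size in a
// 32-bit signed counter. Those widths wrap at exactly the 4 GiB and 2 GiB
// limits the advisory names.

constexpr uint64_t kMaxTotalBytes = (uint64_t(1) << 32) - 1;  // largest uint32_t
constexpr uint64_t kMaxPairBytes  = (uint64_t(1) << 31) - 1;  // largest int32_t

// Vulnerable model: modular arithmetic, never reports failure.
struct UncheckedHeaderAccumulator {
    uint32_t total = 0;

    // Size of one name/value pair as a naive 32-bit implementation sees it.
    // Wraps past 4 GiB; the cast to int32_t turns >= 2 GiB into a negative
    // value (implementation-defined before C++20, two's complement in practice).
    int32_t pairSize(uint32_t nameLen, uint32_t valueLen) const {
        return static_cast<int32_t>(nameLen + valueLen);
    }

    bool add(uint32_t nameLen, uint32_t valueLen) {
        total += nameLen + valueLen;  // silently wraps modulo 2^32
        return true;
    }
};

// Hardened model: widen to 64 bits and check both limits before accepting.
struct CheckedHeaderAccumulator {
    uint64_t total = 0;

    bool add(uint32_t nameLen, uint32_t valueLen) {
        // Both operands are < 2^32, so the 64-bit sum cannot overflow.
        const uint64_t pair = uint64_t(nameLen) + uint64_t(valueLen);
        if (pair > kMaxPairBytes)            // single pair would not fit in int32_t
            return false;
        if (pair > kMaxTotalBytes - total)   // running total would not fit in uint32_t
            return false;
        total += pair;
        return true;
    }
};

// Feed `count` pairs of `valueLen` bytes each (empty names) and return how
// many were accepted. The unchecked model "accepts" every pair.
template <typename Acc>
int feedPairs(Acc& acc, int count, uint32_t valueLen) {
    int accepted = 0;
    for (int i = 0; i < count; ++i)
        if (acc.add(0, valueLen)) ++accepted;
    return accepted;
}

int main() {
    const uint32_t oneGiB = uint32_t(1) << 30;

    UncheckedHeaderAccumulator unchecked;
    feedPairs(unchecked, 4, oneGiB);  // 4 GiB of headers in total
    std::printf("unchecked total after 4 GiB: %u (wrapped to zero)\n", unchecked.total);
    std::printf("unchecked 2 GiB pair size: %d (negative)\n",
                unchecked.pairSize(1, 0x7fffffffu));

    CheckedHeaderAccumulator checked;
    int ok = feedPairs(checked, 4, oneGiB);
    std::printf("checked accepted %d of 4 pairs, total %llu bytes\n",
                ok, static_cast<unsigned long long>(checked.total));
    return 0;
}
```

The point of the hardened variant is that the comparison is done against the limit before the addition, in a type wide enough that the comparison itself cannot overflow; a check written as `total + pair > limit` in the 32-bit type would wrap first and pass.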

Solution: apply the two patches for your branch listed below, or update to Qt 5.15.17, 6.2.11, 6.5.4 or 6.6.2.

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/524864 and https://codereview.qt-project.org/c/qt/qtbase/+/524865/3
Qt 6.6: https://codereview.qt-project.org/c/qt/qtbase/+/525295 and https://codereview.qt-project.org/c/qt/qtbase/+/525297/3 or https://download.qt.io/official_releases/qt/6.6/0001-CVE-2023-51714-qtbase-6.6.diff and https://download.qt.io/official_releases/qt/6.6/0002-CVE-2023-51714-qtbase-6.6.diff 
Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525624 and https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525625/1 or https://download.qt.io/official_releases/qt/6.5/0001-CVE-2023-51714-qtbase-6.5.diff and https://download.qt.io/official_releases/qt/6.5/0002-CVE-2023-51714-qtbase-6.5.diff 
Qt 6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525709 and https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525710 or https://download.qt.io/official_releases/qt/6.2/0001-CVE-2023-51714-qtbase-6.2.diff and https://download.qt.io/official_releases/qt/6.2/0002-CVE-2023-51714-qtbase-6.2.diff 
Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525874 and https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525875 or https://download.qt.io/official_releases/qt/5.15/0001-CVE-2023-51714-qtbase-5.15.diff and https://download.qt.io/official_releases/qt/5.15/0002-CVE-2023-51714-qtbase-5.15.diff 


Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success 
The Qt Company


