[Development] [Announce] Qt Project Security Advisory: XML Entity Expansion Denial of Service
List for announcements regarding Qt releases and development
announce at qt-project.org
Thu Dec 5 09:51:37 CET 2013
Qt Project Security Advisory
----------------------------
Title: XML Entity Expansion Denial of Service
Risk Rating: Low
CVE: CVE-2013-4549
Platforms: All
Modules: QtBase
Versions: All versions before 5.2
Author: Richard J. Moore <rich at kde.org>
Date: 5 December 2013
Overview
--------
QXmlSimpleReader in Qt versions prior to 5.2 supports expansion of internal
entities in XML documents without placing restrictions to ensure the document
does not cause excessive memory usage. If an application using this API
processes untrusted data then the application may use unexpected amounts of
memory if a malicious document is processed.
Details
-------
It is possible to construct XML documents using internal entities that consume
large amounts of memory and other resources to process, this is known as the
'Billion Laughs' attack. Qt versions prior to 5.2 did not offer protection
against this issue.
Impact
------
An application loading untrusted XML data may consume arbitrary amounts of
memory and CPU when attempting to parse a maliciously constructed document.
Workaround
----------
None
Solution
--------
Upgrade to Qt 5.2 or apply the patches below:
For Qt 5.1:
https://codereview.qt-project.org/#change,71368
For Qt 4.8:
https://codereview.qt-project.org/#change,71010
Credits
=======
The Qt security team would like to thank Florian Weimer of the RedHat security
team for reporting this issue and providing test cases.
_______________________________________________
Announce mailing list
Announce at qt-project.org
http://lists.qt-project.org/mailman/listinfo/announce
More information about the Development
mailing list