[Development] WebSocket Module [CVE-2018-21035]

Sze Howe Koh szehowe.koh at gmail.com
Mon Mar 9 13:06:54 CET 2020

On Mon, 9 Mar 2020 at 19:11, <enstone83 at gmail.com> wrote:
> Hi,
> I provided a patch for CVE-2018-21035, present in Qt5 WebSocket Module.
> However apparently since the patch adds a new API it cannot go into Qt5.
> This vulnerability makes the Qt5 WebSocket module totally unusable for
> use in a non-trusted environment (like the Internet).
> Is there anything to do about it?
> https://nvd.nist.gov/vuln/detail/CVE-2018-21035
> https://bugreports.qt.io/browse/QTBUG-70693
> https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735


I suggest escalating this to the Security team for their attention
(see https://quips-qt-io.herokuapp.com/quip-0015-Security-Policy.html).

On a related note, is Kurt Pattyn still the Maintainer for Qt
WebSockets [1]? He has been quiet on codereview.qt.io since May 2014
[2] and on GitHub since Feb 2019 [3].


[1] https://wiki.qt.io/Maintainers
[2] https://codereview.qt-project.org/q/owner:pattyn.kurt%2540gmail.com
[3] https://github.com/KurtPattyn?tab=overview&from=2019-12-01&to=2019-12-31
