[Development] WebSocket Module [CVE-2018-21035]

Mårten Nordheim marten.nordheim at qt.io
Mon Mar 9 15:34:43 CET 2020



On 09.03.2020 13:06, Sze Howe Koh wrote:
> On Mon, 9 Mar 2020 at 19:11, <enstone83 at gmail.com> wrote:
>> Hi,
>>
>> I provided a patch for CVE-2018-21035, present in Qt5 WebSocket Module.
>> However apparently since the patch adds a new API it cannot go into Qt5.
>>
>> This vulnerability makes the Qt5 WebSocket module totally unusable for
>> use in a non-trusted environment (like the Internet).
>>
>> Is there anything to do about it?
>>
>> https://nvd.nist.gov/vuln/detail/CVE-2018-21035
>> https://bugreports.qt.io/browse/QTBUG-70693
>> https://codereview.qt-project.org/c/qt/qtwebsockets/+/284735
> 
> Hi,
> 
> I suggest escalating this to the Security team for their attention
> (see https://quips-qt-io.herokuapp.com/quip-0015-Security-Policy.html
> ).
> 
> On a related note, is Kurt Pattyn still the Maintainer for Qt
> WebSockets [1]? He has been quiet on codereview.qt.io since May 2014
> [2] and on GitHub since Feb 2019 [3].
> 

Yes, Kurt still has the role.

Mårten

