[Development] [Announce] Security advisory: Loading invalid QML image source impacts Qt

List for announcements regarding Qt releases and development via Announce announce at qt-project.org
Thu Oct 19 12:00:17 CEST 2023


Hi,

An issue when loading an invalid QML image source has been reported and has been assigned the CVE id CVE-2023-45872. 

When an invalid source is used to indicate an image to be loaded is specified then it will end up trying to load it as a SVG file which will trigger a crash in Qt SVG. This does not affect Qt 5.15.x or Qt 6.5.3

Solution: As a workaround, validate that the image source urls are valid beforehand. Or apply the following patch or update to Qt 6.2.11, Qt 6.6.1.

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/503026
6.6: https://codereview.qt-project.org/c/qt/qtbase/+/504234 or https://download.qt.io/official_releases/qt/6.6/CVE-2023-45872-qtsvg-6.6.0.diff
6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-45872-qtsvg-6.2.10.diff

Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success 
The Qt Company

_______________________________________________
Announce mailing list
Announce at qt-project.org
https://lists.qt-project.org/listinfo/announce


More information about the Development mailing list