Security advisory: QXmlStreamReader

July 07, 2023 by Andy Shaw | Comments

A recently reported potential buffer overflow issue in QXmlStreamReader has been assigned the CVE id CVE-2023-37369

When given specifically crafted data then QXmlStreamReader can end up causing a buffer overflow and subsequently a crash.

Solution: Validate any XML being passed to QXmlStreamReader that is not already trusted. Alternatively apply the attached patch or update to Qt 5.15.15, Qt 6.2.10, or Qt 6.5.2

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/455027
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/488206 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-37369-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-37369-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-37369-qtbase-5.15.diff

Blog Topics:

Comments

M ↓ Markdown

Z.H.Comstock

0 points

21 months ago

You do understand that every single patch you released for 5.15 branch is broken, do you?

Maurice Kalinowski

0 points

21 months ago

How so?

Andy Shaw

0 points

21 months ago

I double-checked this one and it does not apply on top of Qt 5.15.10 which is correct because that does not have an issue, however, to make sure the patch applies for safety's sake. I have updated the patch so it now applies cleanly against Qt 5.15.10.

Commento

Security advisory: QXmlStreamReader

Blog Topics:

Comments

Subscribe to our newsletter

Subscribe Newsletter

Try Qt 6.9 Now!

We're Hiring

Read Next

Security advisory: A Heap-buffer-overflow issue in QTextMarkdownImporter impacts Qt

Qt Group Authorized as a CVE Numbering Authority (CNA) by the CVE Program

Security advisory: A Denial-of-Service type of security issue in Qt XML module impacts Qt