Subnavigation

Security advisory: zlib in Qt

September 12, 2022 by Andy Shaw | Comments

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field and has been assigned the CVE id CVE-2022-37434.

As this only affects applications that call inflateGetHeader directly then applications using Qt are not directly affected by this at all. The symbol may still be exploited if used in conjunction with another vulnerability or if the application uses this function directly.

Solution: Apply the following patches (two from Gerrit, or single downloadable patch) or update to Qt 6.4.0, Qt 6.3.2, Qt 6.2.6 or Qt 5.15.11

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/429597 and https://codereview.qt-project.org/c/qt/qtbase/+/430422
Qt 6.4: https://codereview.qt-project.org/c/qt/qtbase/+/429655 and https://codereview.qt-project.org/c/qt/qtbase/+/430870
Qt 6.3: https://codereview.qt-project.org/c/qt/qtbase/+/429654 and https://codereview.qt-project.org/c/qt/qtbase/+/430919 or https://download.qt.io/official_releases/qt/6.3/CVE-2022-37434-qtbase-6.3.patch
Qt 6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/429679 and https://codereview.qt-project.org/c/qt%2Ftqtc-qtbase/+/430921 or https://download.qt.io/official_releases/qt/6.2/CVE-2022-37434-qtbase-6.2.patch
Qt 5.15: https://codereview.qt-project.org/c/qt%2Ftqtc-qtbase/+/429680 and https://codereview.qt-project.org/c/qt%2Ftqtc-qtbase/+/430922 or https://download.qt.io/official_releases/qt/5.15/CVE-2022-37434-qtbase-5.15.patch
Blog Topics:

Comments

Subscribe to our newsletter

Subscribe Newsletter

By submitting the form, you agree that Qt Group will process and store your personal information according to the Privacy Policy and may send you communications related to your request. You may unsubscribe from all communications at any time by clicking Unsubscribe or Manage Preferences in the footer of our emails.

Try Qt 6.8 Now!

Download the latest release here: www.qt.io/download.

Qt 6.8 release focuses on technology trends like spatial computing & XR, complex data visualization in 2D & 3D, and ARM-based development for desktop.

We're Hiring

Check out all our open positions here and follow us on Instagram to see what it's like to be #QtPeople.

Read Next

Mar 12, 2025

Extended Security Maintenance for Qt 5.15 begins May 2025

Standard support for Qt 5.15 will end after 26th of May 2025, as..

Read Article

Feb 5, 2025

Which is the best LLM for prompting QML code (featuring DeepSeek v3)

Claude 3.5 Sonnet is the best LLM to write QML code when prompted in..

Read Article

Jan 21, 2025

Security advisory: A read past the end of the buffer and division by zero security issue in QLowEnergyController on Linux impacts Qt

A read past the end of the buffer and division by zero security issue in..

Read Article