Regarding recent reported security vulnerabilities from Cisco Talos

Back in October 2022, the Qt Project Security team was contacted by someone at Cisco Talos to report integer and buffer overflow issues in QML, which they considered a vulnerability in Qt 6.3. This has recently been made public by Cisco Talos here. It has also resulted in two CVEs, CVE-2022-40983 and CVE-2022-43591.

When the initial report was handled by the Qt Project Security team, it was determined that the overflow could only be triggered by QML specifically crafted for that purpose. This could occur as a result of running untrusted QML, and this is not something that QML was designed to account for. This is also indicated in the documentation - https://doc.qt.io/qt-6/qtqml-documents-networktransparency.html#implications-for-application-security.

Even though it was not considered a vulnerability by the security team for the above-mentioned reason, this was a real bug and it was decided to fix it with high priority (P1). This was communicated back to Cisco Talos at the time, along with a link to the QTBUG-107619 report and two patches that were going to be integrated to solve this problem.

The issues reported by Cisco Talos have already been fixed in Qt 6.4.1, as that was the first release after the report came through to the Qt Project Security team. Where possible, we have backported the patches to 6.2 and 5.15 in accordance with the submit policy. So although this was not handled as a security vulnerability, because it depends on untrusted QML to actually cause a problem, it was considered to be a valid bug that should be, and was, fixed with high priority.

The Qt Company and the Qt Project take security vulnerabilities very seriously and also believe in full disclosure, with complete information as to where a patch can be found to solve a problem, which versions of the affected software are vulnerable, and which are considered fixed. As a reminder, the security policy is documented as part of our QUIPs - https://quips-qt-io.herokuapp.com/quip-0015-Security-Policy.html - which includes information on how to report security issues for both open source users and commercial users.

If you suspect a security issue in the Qt framework or any of the products that we provide, please contact the Qt Project Security team at security@qt-project.org. Commercial license holders can also send a report via the Qt Account Support Center to the support team, who will handle the issue further. Please do not report the issue as a bug in our public JIRA system. The Qt Project Security team will first check the issue and then handle it accordingly.
