Blog

Security advisory: Loading invalid QML image source impacts Qt

Oct 19, 2023

Comments

An issue when loading an invalid QML image source has been reported and has been assigned the CVE id CVE-2023-45872.

When an invalid source is used to indicate an image to be loaded is specified then it will end up trying to load it as a SVG file which will trigger a crash in Qt SVG. This does not affect Qt 5.15.x or Qt 6.5.3

Solution: As a workaround, validate that the image source urls are valid beforehand. Or apply the following patch or update to Qt 6.2.11, Qt 6.6.1.

Patches:

dev: https://codereview.qt-project.org/c/qt/qtsvg/+/510674
6.6: https://codereview.qt-project.org/c/qt/qtsvg/+/510692 or https://download.qt.io/official_releases/qt/6.6/CVE-2023-45872-qtsvg-6.6.0.diff
6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-45872-qtsvg-6.2.10.diff

Share with your friends

Blog Topics

Comments

Security advisory: Type confusion and heap-buffer-overflow vulnerability in Qt SVG marker handling impacts Qt

Type Confusion and Heap-based Buffer Overflow vulnerability in the SVG..

Read Article

Security advisory: QML Code Injection in VectorImage Component in Qt declarative module impacts Qt

Improper Control of Generation of Code ('Code Injection') vulnerability in..

Read Article

What's new in QML Tooling in 6.11, part 3: context property support

The latest Qt release, Qt 6.11, is just around the corner. This short blog..

Read Article

Security advisory: Loading invalid QML image source impacts Qt

Share with your friends

Blog Topics

Comments

Subscribe to our blog

Try Qt 6.11 Now!

We're Hiring

Related Articles

Security advisory: Type confusion and heap-buffer-overflow vulnerability in Qt SVG marker handling impacts Qt

Security advisory: QML Code Injection in VectorImage Component in Qt declarative module impacts Qt

What's new in QML Tooling in 6.11, part 3: context property support