
Security advisory: Loading invalid QML image source impacts Qt


An issue when loading an invalid QML image source has been reported and has been assigned the CVE id CVE-2023-45872.

When an invalid source is specified for an image to be loaded, Qt ends up trying to load it as an SVG file, which triggers a crash in Qt SVG. This does not affect Qt 5.15.x or Qt 6.5.3.

Solution: As a workaround, validate that the image source URLs are valid beforehand. Alternatively, apply the following patch or update to Qt 6.2.11 or Qt 6.6.1.
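One way to apply the workaround in application code, as an added example that is not part of the advisory or of Qt itself: a JavaScript check that only lets an image source through when it is an absolute URL with an allowed scheme and a recognised image extension, so a malformed value never reaches the image loader. The function names and the allowlists are assumptions for this example; the check uses regular expressions only, so it can also run inside a QML JavaScript engine that lacks the WHATWG URL class.

```javascript
// Added example (not from the Qt advisory): pre-validate a QML Image source
// before assigning it, so malformed or unexpected URLs never reach the loader.
// Names and allowlists below are assumptions for this example, not Qt API.

// Schemes the application normally loads images from; adjust per application.
const ALLOWED_SCHEMES = ["qrc", "file", "http", "https"];

// Image formats the application expects. Anything else is rejected instead of
// being left for the loader to guess a format from.
const ALLOWED_EXTENSIONS = ["png", "jpg", "jpeg", "gif", "bmp", "webp", "svg"];

// Minimal absolute-URL pattern: scheme ":" followed by a non-empty remainder.
const URL_RE = /^([a-z][a-z0-9+.-]*):(.+)$/i;

// Returns the reason a source is rejected, or null when it is acceptable.
function rejectImageSource(src) {
  if (typeof src !== "string" || src.length === 0) return "empty source";
  if (/[\u0000-\u001f\s]/.test(src)) return "control or whitespace character";
  const m = URL_RE.exec(src);
  if (!m) return "not an absolute URL";
  const scheme = m[1].toLowerCase();
  if (!ALLOWED_SCHEMES.includes(scheme)) return "scheme not allowed: " + scheme;
  // Drop query string and fragment, then look at the last path segment only.
  const path = m[2].split(/[?#]/)[0];
  const last = path.split("/").pop();
  const dot = last.lastIndexOf(".");
  if (dot <= 0 || dot === last.length - 1) return "no file extension";
  const ext = last.slice(dot + 1).toLowerCase();
  if (!ALLOWED_EXTENSIONS.includes(ext)) return "extension not allowed: " + ext;
  return null;
}

// Intended for a QML binding such as:  source: safeImageSource(candidateUrl)
// Returns the original string when it passes validation, otherwise "" so the
// Image element shows nothing instead of handing an invalid value to a loader.
function safeImageSource(src) {
  return rejectImageSource(src) === null ? src : "";
}
```

Log the rejection reason where the binding is evaluated so that unexpected sources surface in diagnostics rather than silently disappearing.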

Patches:

dev: https://codereview.qt-project.org/c/qt/qtsvg/+/510674
6.6: https://codereview.qt-project.org/c/qt/qtsvg/+/510692 or https://download.qt.io/official_releases/qt/6.6/CVE-2023-45872-qtsvg-6.6.0.diff
6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-45872-qtsvg-6.2.10.diff
