Skip to main content

Security advisory: Loading invalid QML image source impacts Qt

Oct 19, 2023

by Andy Shaw
Comments

An issue when loading an invalid QML image source has been reported and has been assigned the CVE id CVE-2023-45872.

When an invalid source is used to indicate an image to be loaded is specified then it will end up trying to load it as a SVG file which will trigger a crash in Qt SVG. This does not affect Qt 5.15.x or Qt 6.5.3

Solution: As a workaround, validate that the image source urls are valid beforehand. Or apply the following patch or update to Qt 6.2.11, Qt 6.6.1.

Patches:

dev: https://codereview.qt-project.org/c/qt/qtsvg/+/510674
6.6: https://codereview.qt-project.org/c/qt/qtsvg/+/510692 or https://download.qt.io/official_releases/qt/6.6/CVE-2023-45872-qtsvg-6.6.0.diff
6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-45872-qtsvg-6.2.10.diff

Blog Topics

Comments

Subscribe to our blog

Try Qt 6.11 Now!

Download the latest release here: www.qt.io/download

Qt 6.11 is now available, with new features and improvements for application developers and device creators.

We're Hiring

Check out all our open positions here and follow us on Instagram to see what it's like to be #QtPeople.

Related Articles

A Cross-Platform C# UI Framework via Qt’s Bridging Technology

A Cross-Platform C# UI Framework via Qt’s Bridging Technology

Every C# UI framework comes with a familiar pattern: Windows-first, Linux..

Read Article
Security advisory: Untrusted Search Path vulnerability in OpenSSL backend certificate loading mechanism of Qt

Security advisory: Untrusted Search Path vulnerability in OpenSSL backend certificate loading mechanism of Qt

Untrusted Search Path vulnerability in the OpenSSL backend certificate..

Read Article
AI Assisted Design in Qt Design Studio: AI Assistant Just Got Smarter

AI Assisted Design in Qt Design Studio: AI Assistant Just Got Smarter

Qt Design Studio 4.8.2 ships a major upgrade to the AI assistant,..

Read Article