Skip to main content

Security advisory: Loading invalid QML image source impacts Qt

Oct 19, 2023

by Andy Shaw
Comments

An issue when loading an invalid QML image source has been reported and has been assigned the CVE id CVE-2023-45872.

When an invalid source is used to indicate an image to be loaded is specified then it will end up trying to load it as a SVG file which will trigger a crash in Qt SVG. This does not affect Qt 5.15.x or Qt 6.5.3

Solution: As a workaround, validate that the image source urls are valid beforehand. Or apply the following patch or update to Qt 6.2.11, Qt 6.6.1.

Patches:

dev: https://codereview.qt-project.org/c/qt/qtsvg/+/510674
6.6: https://codereview.qt-project.org/c/qt/qtsvg/+/510692 or https://download.qt.io/official_releases/qt/6.6/CVE-2023-45872-qtsvg-6.6.0.diff
6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-45872-qtsvg-6.2.10.diff

Blog Topics

Comments

Subscribe to our blog

Try Qt 6.11 Now!

Download the latest release here: www.qt.io/download

Qt 6.11 is now available, with new features and improvements for application developers and device creators.

We're Hiring

Check out all our open positions here and follow us on Instagram to see what it's like to be #QtPeople.

Related Articles

What's new in QML Tooling in 6.11, part 3: context property support

What's new in QML Tooling in 6.11, part 3: context property support

The latest Qt release, Qt 6.11, is just around the corner. This short blog..

Read Article
What's new in QML tooling in Qt 6.11, part 2: new qmllint warnings

What's new in QML tooling in Qt 6.11, part 2: new qmllint warnings

The latest Qt release, Qt 6.11, is just around the corner. This short blog..

Read Article
Security advisory: Recently reported dr_wav issue impacts Qt

Security advisory: Recently reported dr_wav issue impacts Qt

A recently reported issue regarding the loading of specifically crafted..

Read Article