June 01, 2023 by Andy Shaw | Comments
A recent buffer overflow issue in Qt Network has been reported and has been assigned the CVE id CVE-2023-33285.
QDnsLookup may read outside the bounds of the buffer it allocated to receive the DNS reply with certain, specially crafted replies that violate the DNS protocol.
QDnsLookup only parses DNS replies as a result of a DNS query initiated by the user application, explicitly with this class. This class is usually used by applications that specifically need support for DNS records, such as obtaining an MX for email delivery, and is not used in normal domain name resolution. It is currently not used by any other class in Qt.
To exploit this, the attacker must obtain a valid DNS query and must reply from the correct IP address of the server queried (usually, by controlling the DNS server used by the victim system, such as in a public WiFi scenario).
Attacks from further remote locations may be possible, but intermediary DNS servers may reject this malformed answer and not propagate it.
This only affects Unix based platforms, Windows is not affected at all.
Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1
Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/477644
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/477704 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-33285-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-33285-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-33285-qtbase-5.15.diff
Download the latest release here: www.qt.io/download.
Qt 6.5 is the latest Long-Term-Support release with all you need for C++ cross-platform app development.
Check out all our open positions here and follow us on Instagram to see what it's like to be #QtPeople.
Sep 22, 2023
An issue on Windows with the GDI font engine has been reported and has..
Sep 5, 2023
We are happy to announce the release of the Qt Visual Studio Tools version..
Jul 18, 2023
A recently reported potential buffer overflow issue in QXmlStreamReader..
Qt Group includes The Qt Company Oy and its global subsidiaries and affiliates.