Subnavigation

Security advisory: QXmlStreamReader

July 18, 2023 by Andy Shaw | Comments

A recently reported potential buffer overflow issue in QXmlStreamReader has been assigned the CVE id CVE-2023-38197.

QXmlStreamReader can freeze or get out of memory on recursive entity expansion, with DTD tokens in XML body.

Solution: Apply the attached patch or update to Qt 5.15.15, Qt 6.2.10, or Qt 6.5.3. Note that the previous security advisory patch for QXmlStreamReader needs to be applied previously in addition before applying this one.

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/488960
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/490550 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-38197-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-38197-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-38197-qtbase-5.15.diff
Blog Topics:

Comments

Subscribe to our newsletter

Subscribe Newsletter

Try Qt 6.9 Now!

Download the latest release here: www.qt.io/download.

Qt 6.9 is now available, with new features and improvements for application developers and device creators.

We're Hiring

Check out all our open positions here and follow us on Instagram to see what it's like to be #QtPeople.

Read Next

Apr 11, 2025

Security advisory: A Heap-buffer-overflow issue in QTextMarkdownImporter impacts Qt

A Heap-buffer-overflow issue in QTextMarkdownImporter has been discovered..

Read Article

Apr 9, 2025

Qt Group Authorized as a CVE Numbering Authority (CNA) by the CVE Program

Qt Group has been authorized by the Common Vulnerabilities and Exposures..

Read Article

Apr 7, 2025

Security advisory: A Denial-of-Service type of security issue in Qt XML module impacts Qt

A Denial-of-Service type of security issue in QDom classes of Qt XML..

Read Article