Alerts This Week
Warning Icon 1 1,111
Alerts This Week
Warning Icon 1 1,111

Gentoo: GLSA-202501-08 Moderate: Qt Buffer Overflow Denial of Service

gentoo
Calendar Grey January 23, 2025
Dist Gentoo Esm H88
Delve into Gentoo's GLSA 202501-08: Tackling a medium severity buffer overflow within the Qt framework, which affects the reliability of services.
A vulnerability has been discovered in Qt, where a buffer overflow can lead to denial of service.

Summary

When given specifically crafted data then QXmlStreamReader can end up causing a buffer overflow and subsequently a crash or freeze or get out of memory on recursive entity expansion, with DTD tokens in XML body.

Resolution

All Qt users should upgrade to the latest version:
# emerge --sync # emerge --ask --oneshot --verbose ">=dev-qt/qtcore-5.15.10-r1" # emerge --ask --oneshot --verbose ">=dev-qt/qtbase-6.5.2"

References

[ 1 ] CVE-2023-37369 https://nvd.nist.gov/vuln/detail/CVE-2023-37369 [ 2 ] CVE-2023-38197 https://nvd.nist.gov/vuln/detail/CVE-2023-38197

Availability

This GLSA and any updates to it are available for viewing at the Gentoo Security Website:
https://security.gentoo.org/glsa/202501-08
style>.gentoo_availability{display:block;}

Concerns

Security is a primary focus of Gentoo Linux and ensuring the confidentiality and security of our users' machines is of utmost importance to us. Any security concerns should be addressed to security@gentoo.org or alternatively, you may file a bug at https://bugs.gentoo.org.

Severity: Normal
Title: Qt: Buffer Overflow
Date: January 23, 2025
Bugs: #911790
ID: 202501-08

Synopsis

A vulnerability has been discovered in Qt, where a buffer overflow can lead to denial of service.

Background

Qt is a cross-platform application development framework.

Get the latest News and Insights

Get the latest Linux and open source security news straight to your inbox.

Affected Packages

Package Vulnerable Unaffected ------------- ------------ ------------- dev-qt/qtbase < 6.5.2 >= 6.5.2 dev-qt/qtcore < 5.15.10-r1 >= 5.15.10-r1

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Your message here