Qt: Buffer Overflow — GLSA 202501-08

A vulnerability has been discovered in Qt, where a buffer overflow can lead to denial of service.

Affected packages

dev-qt/qtbase on all architectures
Affected versions < 6.5.2
Unaffected versions >= 6.5.2
dev-qt/qtcore on all architectures
Affected versions < 5.15.10-r1
Unaffected versions >= 5.15.10-r1

Background

Qt is a cross-platform application development framework.

Description

When given specifically crafted data then QXmlStreamReader can end up causing a buffer overflow and subsequently a crash or freeze or get out of memory on recursive entity expansion, with DTD tokens in XML body.

Impact

Please review the referenced CVE identifiers for details.

Workaround

There is no known workaround at this time.

Resolution

All Qt users should upgrade to the latest version:

 # emerge --sync
 # emerge --ask --oneshot --verbose ">=dev-qt/qtcore-5.15.10-r1"
 # emerge --ask --oneshot --verbose ">=dev-qt/qtbase-6.5.2"
 

References

Release date
January 23, 2025

Latest revision
January 23, 2025: 1

Severity
normal

Exploitable
local

Bugzilla entries