Hi,

zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in 
inflate in inflate.c via a large gzip header extra field and has been assigned 
the CVE id CVE-2022-37434. 

As this only affects applications that call inflateGetHeader directly, 
applications using Qt are not directly affected by this at all. The symbol may 
still be exploited if it is used in conjunction with another vulnerability or if 
the application uses this function directly.

Solution: Apply the following patches (two from Gerrit, or a single downloadable 
patch) or update to Qt 6.4.0, Qt 6.3.2, Qt 6.2.6 or Qt 5.15.11.

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/429597 and 
https://codereview.qt-project.org/c/qt/qtbase/+/430422
Qt 6.4: https://codereview.qt-project.org/c/qt/qtbase/+/429655 and 
https://codereview.qt-project.org/c/qt/qtbase/+/430870
Qt 6.3: https://codereview.qt-project.org/c/qt/qtbase/+/429654 and 
https://codereview.qt-project.org/c/qt/qtbase/+/430919 or 
https://download.qt.io/official_releases/qt/6.3/CVE-2022-37434-qtbase-6.3.patch
Qt 6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/429679 and 
https://codereview.qt-project.org/c/qt%2Ftqtc-qtbase/+/430921 or 
https://download.qt.io/official_releases/qt/6.2/CVE-2022-37434-qtbase-6.2.patch
Qt 5.15: https://codereview.qt-project.org/c/qt%2Ftqtc-qtbase/+/429680 and 
https://codereview.qt-project.org/c/qt%2Ftqtc-qtbase/+/430922 or 
https://download.qt.io/official_releases/qt/5.15/CVE-2022-37434-qtbase-5.15.patch

Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success 
The Qt Company

_______________________________________________
Announce mailing list
annou...@qt-project.org
https://lists.qt-project.org/listinfo/announce
_______________________________________________
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development
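
A source-tree check for the condition described in the announcement, added here as an example and not part of the original message or of Qt's code: it lists direct calls to inflateGetHeader in application sources and reports any bundled zlib.h whose ZLIB_VERSION falls in the "through 1.2.12" range. The directory layout, file names and sample sources are constructed for illustration, and the helper names audit_tree and demo are hypothetical.

```python
import re
import tempfile
from pathlib import Path

AFFECTED_THROUGH = (1, 2, 12)  # from the announcement: "zlib through 1.2.12"
CALL_RE = re.compile(r"\binflateGetHeader\s*\(")
VERSION_RE = re.compile(
    r'#\s*define\s+ZLIB_VERSION\s+"((\d+)\.(\d+)(?:\.(\d+))?[^"]*)"')
SUFFIXES = {".c", ".cc", ".cpp", ".cxx", ".h", ".hpp"}

def audit_tree(root):
    """Return (call_sites, bundled) for the C/C++ source tree under root."""
    root = Path(root)
    files = [p for p in sorted(root.rglob("*"))
             if p.is_file() and p.suffix.lower() in SUFFIXES]
    zlib_dirs = {p.parent for p in files if p.name == "zlib.h"}
    call_sites, bundled = [], []
    for path in files:
        text = path.read_text(errors="replace")
        rel = path.relative_to(root).as_posix()
        if path.name == "zlib.h":
            m = VERSION_RE.search(text)
            if m:
                ver = tuple(int(g or 0) for g in m.groups()[1:])
                # A version string cannot show a backported fix: flag for review.
                bundled.append((rel, m.group(1), ver <= AFFECTED_THROUGH))
        if path.parent in zlib_dirs:
            continue  # zlib's own declaration/definition is not a caller
        for lineno, line in enumerate(text.splitlines(), 1):
            if CALL_RE.search(line.split("//", 1)[0]):  # ignore // comments
                call_sites.append((rel, lineno))
    return call_sites, bundled

def demo():
    """Audit a small constructed tree (sample files, not real project code)."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "3rdparty/zlib").mkdir(parents=True)
        (root / "app").mkdir()
        (root / "3rdparty/zlib/zlib.h").write_text(
            '#define ZLIB_VERSION "1.2.12"\n'
            "int inflateGetHeader(z_streamp strm, gz_headerp head);\n")
        (root / "app/reader.c").write_text(
            "// inflateGetHeader(&s, &h) was used here before\n"
            "int rc = inflateInit2(&s, 31);\n"
            "rc = inflateGetHeader(&s, &hdr);\n")
        (root / "app/plain.c").write_text("int rc = inflate(&s, Z_NO_FLUSH);\n")
        return audit_tree(root)
```

The scan is textual, so calls hidden behind macros or inside block comments need a manual look, and a flagged zlib.h means "check whether the patch is applied", not "confirmed vulnerable".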