A recently reported potential buffer overflow issue in QXmlStreamReader has 
been assigned the CVE id CVE-2023-38197.

QXmlStreamReader can freeze or run out of memory on recursive entity expansion 
when DTD tokens appear in the XML body.
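One defensive pre-check an application can run on untrusted input before handing it to QXmlStreamReader, given here as an added example that is neither Qt's code nor part of the advisory: it reads only the internal DTD subset, rejects entities that reference themselves directly or through a cycle, and bounds how far the body's entity references would expand. Python is used for illustration; the sample documents and the 10,000-character limit are constructed assumptions.

```python
import re

# Constructed samples (not from the advisory): a benign document, an
# exponential ("billion laughs") expansion, and a directly recursive entity pair.
BENIGN = '<?xml version="1.0"?><!DOCTYPE r [<!ENTITY co "Example Co.">]><r>&co;</r>'
LAUGHS = ('<!DOCTYPE r [<!ENTITY lol "lol">'
          '<!ENTITY lol1 "' + '&lol;' * 10 + '">'
          '<!ENTITY lol2 "' + '&lol1;' * 10 + '">'
          '<!ENTITY lol3 "' + '&lol2;' * 10 + '">'
          '<!ENTITY lol4 "' + '&lol3;' * 10 + '">]><r>&lol4;</r>')
RECURSIVE = '<!DOCTYPE r [<!ENTITY a "x&b;"><!ENTITY b "y&a;">]><r>&a;</r>'

DOCTYPE_SUBSET = re.compile(r'<!DOCTYPE[^\[>]*\[(.*?)\]\s*>', re.S)
# General entity declarations only; parameter entities ("<!ENTITY % ...") are skipped.
ENTITY_DECL = re.compile(r'<!ENTITY\s+([^\s%][^\s>]*)\s+(?:"([^"]*)"|\'([^\']*)\')\s*>')
ENTITY_REF = re.compile(r'&([A-Za-z_:][\w.:-]*);')

def parse_entities(xml):
    """General entities declared in the internal DTD subset: name -> replacement text."""
    m = DOCTYPE_SUBSET.search(xml)
    return {n: dq or sq for n, dq, sq in ENTITY_DECL.findall(m.group(1))} if m else {}

def expanded_size(entities, name, active=frozenset(), cache=None):
    """Length of the fully expanded text of entity `name`; ValueError on a cycle."""
    if name in active:
        raise ValueError(f"recursive entity: {name}")
    cache = {} if cache is None else cache
    if name not in cache:
        value, size, last = entities.get(name, ""), 0, 0  # undefined/predefined -> empty
        for ref in ENTITY_REF.finditer(value):
            size += ref.start() - last  # literal text before this reference
            size += expanded_size(entities, ref.group(1), active | {name}, cache)
            last = ref.end()
        cache[name] = size + len(value) - last  # trailing literal text
    return cache[name]

def check_entity_expansion(xml, max_expansion=10_000):
    """Pre-parse guard returning (ok, reason): refuses documents whose internal
    entities recurse, or whose body references would expand past max_expansion."""
    entities = parse_entities(xml)
    if not entities:
        return True, "no internal entities"
    body, cache, total = DOCTYPE_SUBSET.sub("", xml, count=1), {}, 0
    try:
        for ref in ENTITY_REF.finditer(body):
            total += expanded_size(entities, ref.group(1), cache=cache)
    except ValueError as err:
        return False, str(err)
    if total > max_expansion:
        return False, f"entity expansion of {total} chars exceeds {max_expansion}"
    return True, f"entity expansion of {total} chars"
```

The expansion size is computed from the entity graph without ever materialising the expanded text, so the check itself stays cheap even for inputs built to exhaust memory.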

Solution: Apply the attached patch or update to Qt 5.15.15, Qt 6.2.10, or Qt 
6.5.3. Note that the patch from the previous QXmlStreamReader security advisory 
must be applied first, before applying this one.

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/488960
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/490550 or 
https://download.qt.io/official_releases/qt/6.5/CVE-2023-38197-qtbase-6.5.diff
Qt 6.2: 
https://download.qt.io/official_releases/qt/6.2/CVE-2023-38197-qtbase-6.2.diff
Qt 5.15: 
https://download.qt.io/official_releases/qt/5.15/CVE-2023-38197-qtbase-5.15.diff

Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success 
The Qt Company

_______________________________________________
Announce mailing list
annou...@qt-project.org
https://lists.qt-project.org/listinfo/announce