Hi,

A recently reported potential integer overflow issue in Qt’s HTTP2 
implementation has been assigned the CVE id CVE-2023-51714.

An issue was discovered in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 
6.5.x before 6.5.4, and 6.6.x before 6.6.2.

If the HTTP2 implementation receives more than 4GiB in total headers, or more 
than 2GiB for any given header pair, then the internal buffers may overflow.
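To illustrate the bug class behind those two thresholds, here is an added example (not Qt's code, and not taken from the patches) showing header-size accounting in an HTTP/2 decoder: a 32-bit running total that wraps silently beside a 64-bit version that checks each addition against the 4GiB and 2GiB caps. The sample header blocks are constructed, and the struct and function names are assumptions for the example.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Added example, not Qt's implementation: header-size accounting for an
// HTTP/2 (HPACK) decoder. Field lengths are held as 32-bit values, as a
// decoder might store them after decoding the length prefix.
constexpr uint64_t kMaxTotalHeaderBytes = uint64_t(4) << 30;  // 4 GiB total
constexpr uint64_t kMaxPairBytes        = uint64_t(2) << 30;  // 2 GiB per pair

struct HeaderPair { uint32_t nameLen; uint32_t valueLen; };

// Vulnerable pattern: a 32-bit running total silently wraps once more than
// 4 GiB of header data has been seen, so the decoder believes the block is
// small and may size its buffers accordingly.
uint32_t naiveTotal(const std::vector<HeaderPair>& pairs) {
    uint32_t total = 0;
    for (const auto& p : pairs)
        total += p.nameLen + p.valueLen;  // wraps modulo 2^32
    return total;
}

// Hardened pattern: 64-bit arithmetic, overflow checked by subtracting from
// the bound before each addition, plus explicit per-pair and total limits.
// Returns the total on success, or -1 if the header block must be rejected.
int64_t checkedTotal(const std::vector<HeaderPair>& pairs) {
    uint64_t total = 0;
    for (const auto& p : pairs) {
        uint64_t pairLen = uint64_t(p.nameLen) + p.valueLen;   // cannot wrap in 64 bits
        if (pairLen > kMaxPairBytes) return -1;                 // one pair over 2 GiB
        if (pairLen > kMaxTotalHeaderBytes - total) return -1;  // total would pass 4 GiB
        total += pairLen;
    }
    return int64_t(total);
}

// Constructed sample inputs (no real traffic): five pairs of 1 GiB each,
// a single pair just over 2 GiB, and an ordinary small header block.
std::vector<HeaderPair> sampleOversizedTotal() { return std::vector<HeaderPair>(5, HeaderPair{4, (1u << 30) - 4}); }
std::vector<HeaderPair> sampleOversizedPair()  { return {{4, 1u << 31}}; }
std::vector<HeaderPair> sampleNormal()         { return {{4, 100}, {10, 20}}; }

int main() {
    std::printf("naive total of a 5 GiB block: %u bytes (wrapped)\n", naiveTotal(sampleOversizedTotal()));
    std::printf("checked: oversized total %lld, oversized pair %lld, normal %lld\n",
                (long long)checkedTotal(sampleOversizedTotal()),
                (long long)checkedTotal(sampleOversizedPair()),
                (long long)checkedTotal(sampleNormal()));
    return 0;
}
```

The naive counter reports the 5 GiB block as 1 GiB, which is exactly the kind of undersized value that leads to a buffer overflow downstream; the checked version rejects both oversized inputs before any buffer is sized.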

Solution: Apply the following two patches or update to Qt 5.15.17, Qt 6.2.11, 
Qt 6.5.4 or Qt 6.6.2.

Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/524864 and
https://codereview.qt-project.org/c/qt/qtbase/+/524865/3

Qt 6.6: https://codereview.qt-project.org/c/qt/qtbase/+/525295 and
https://codereview.qt-project.org/c/qt/qtbase/+/525297/3 or
https://download.qt.io/official_releases/qt/6.6/0001-CVE-2023-51714-qtbase-6.6.diff and
https://download.qt.io/official_releases/qt/6.6/0002-CVE-2023-51714-qtbase-6.6.diff

Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525624 and
https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525625/1 or
https://download.qt.io/official_releases/qt/6.5/0001-CVE-2023-51714-qtbase-6.5.diff and
https://download.qt.io/official_releases/qt/6.5/0002-CVE-2023-51714-qtbase-6.5.diff

Qt 6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525709 and
https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525710 or
https://download.qt.io/official_releases/qt/6.2/0001-CVE-2023-51714-qtbase-6.2.diff and
https://download.qt.io/official_releases/qt/6.2/0002-CVE-2023-51714-qtbase-6.2.diff

Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525874 and
https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525875 or
https://download.qt.io/official_releases/qt/5.15/0001-CVE-2023-51714-qtbase-5.15.diff and
https://download.qt.io/official_releases/qt/5.15/0002-CVE-2023-51714-qtbase-5.15.diff


Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success 
The Qt Company

_______________________________________________
Announce mailing list
annou...@qt-project.org
https://lists.qt-project.org/listinfo/announce
-- 
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development