Hi,

QStringConverter has an invalid pointer being passed as a callback which can 
allow modification of the stack and has been assigned the CVE id CVE-2024-33861.

Qt itself is not vulnerable to remote attack however an application using 
QStringDecoder either directly or indirectly can be vulnerable. This affects Qt 
6.5.0->6.5.5, 6.6.x and 6.7.0.

This requires:

1) the attacker be able to tell the application a specific codec to use

2) the attacker be able to feed the application data in a specific way to cause 
the desired modification

3) the attacker what in the stack will get modified, which requires knowing the 
build of the application (and not all builds will be vulnerable)

4) the modification do anything in particular that is useful to the attacker, 
besides maybe crashing the application

Qt does not automatically use any of those codecs, so this needs the 
application to implement something using QStringDecoder to be vulnerable.

Solution: Apply the following patch or update to Qt 6.5.6 or Qt 6.7.1.

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/555922
6.7: https://codereview.qt-project.org/c/qt/qtbase/+/556191 or 
https://download.qt.io/official_releases/qt/6.7/CVE-2024-33861-qtbase-6.7.diff
6.6: 
https://download.qt.io/official_releases/qt/6.6/CVE-2024-33861-qtbase-6.6.diff
6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/556369 or 
https://download.qt.io/official_releases/qt/6.5/CVE-2024-33861-qtbase-6.5.diff

Kind regards,
Andy
--
Andy Shaw
Director, Technical Customer Success 
The Qt Company

_______________________________________________
Announce mailing list
annou...@qt-project.org
https://lists.qt-project.org/listinfo/announce
-- 
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development

Reply via email to