Qt Group Oyj

01/01/2024 | Press release | Distributed by Public on 01/02/2024 03:23

Security advisory: Potential Integer Overflow in Qt's HTTP2 implementation

January 01, 2024 by Andy Shaw | Comments

A recently reported potential integer overflow issue in Qt's HTTP2 implementation has been assigned the CVE id CVE-2023-51714.

An issue was discovered in Qt before 5.15.17, 6.x before 6.2.11, 6.3.x through 6.5.x before 6.5.4, and 6.6.x before 6.6.2.

If the HTTP2 implementation receives more than 4 GiB in total headers, or more than 2 GiB for any given header pair, then the internal buffers may overflow.
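As an added illustration of the two limits the advisory describes (this is not Qt's code and not the content of the patches below), here is a header-size accumulator written the unsafe way beside a checked version. The constants and struct names are assumptions chosen to mirror the 4 GiB total and 2 GiB per-pair thresholds.

```cpp
#include <cstdint>
#include <limits>

// Assumed limits mirroring the advisory: the running total of header bytes must
// stay representable in 32 bits (below 4 GiB) and a single name+value pair must
// fit a signed 32-bit int (below 2 GiB).
constexpr std::uint64_t kMaxTotalHeaderBytes = std::numeric_limits<std::uint32_t>::max(); // 4 GiB - 1
constexpr std::uint64_t kMaxPairBytes = std::numeric_limits<std::int32_t>::max();          // 2 GiB - 1

// Unsafe pattern: a 32-bit running total silently wraps once more than 4 GiB of
// header bytes have been seen, so any later check against `total` is meaningless.
struct UnsafeHeaderAccumulator {
    std::uint32_t total = 0;
    bool add(std::uint64_t nameLen, std::uint64_t valueLen) {
        total += static_cast<std::uint32_t>(nameLen + valueLen); // wraps modulo 2^32
        return true;                                             // never rejects anything
    }
};

// Hardened pattern: do the arithmetic in 64 bits and reject a header pair before
// either the pair or the stored total can exceed what 32-bit consumers represent.
struct CheckedHeaderAccumulator {
    std::uint64_t total = 0;
    bool add(std::uint64_t nameLen, std::uint64_t valueLen) {
        // Bound each component first so the sum below cannot overflow uint64.
        if (nameLen > kMaxPairBytes || valueLen > kMaxPairBytes)
            return false;
        const std::uint64_t pair = nameLen + valueLen; // at most 2 * (2^31 - 1)
        if (pair > kMaxPairBytes)
            return false;                              // single pair too large
        // Compare against the remaining headroom instead of computing total + pair,
        // so the check itself cannot overflow.
        if (pair > kMaxTotalHeaderBytes - total)
            return false;                              // total would pass 4 GiB
        total += pair;
        return true;
    }
};
```

Rejecting the frame at the accumulator is the defensive behaviour the patches aim for: the peer that sends oversized headers gets an error instead of corrupting the receiver's buffers.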

Solution: apply the following two patches, or update to Qt 5.15.17, 6.2.11, 6.5.4 or 6.6.2.

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/524864 and https://codereview.qt-project.org/c/qt/qtbase/+/524865

Qt 6.6: https://codereview.qt-project.org/c/qt/qtbase/+/525295 and https://codereview.qt-project.org/c/qt/qtbase/+/525297/3 or https://download.qt.io/official_releases/qt/6.6/0001-CVE-2023-51714-qtbase-6.6.diff and https://download.qt.io/official_releases/qt/6.6/0002-CVE-2023-51714-qtbase-6.6.diff

Qt 6.5: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525624 and https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525625/1 or https://download.qt.io/official_releases/qt/6.5/0001-CVE-2023-51714-qtbase-6.5.diff and https://download.qt.io/official_releases/qt/6.5/0002-CVE-2023-51714-qtbase-6.5.diff

Qt 6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525709 and https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525710 or https://download.qt.io/official_releases/qt/6.2/0001-CVE-2023-51714-qtbase-6.2.diff and https://download.qt.io/official_releases/qt/6.2/0002-CVE-2023-51714-qtbase-6.2.diff

Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525874 and https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/525875 or https://download.qt.io/official_releases/qt/5.15/0001-CVE-2023-51714-qtbase-5.15.diff and https://download.qt.io/official_releases/qt/5.15/0002-CVE-2023-51714-qtbase-5.15.diff
