Bug 2187154 (CVE-2023-24607)

Summary: CVE-2023-24607 qt5: A possible DOS involving the Qt SQL ODBC driver plugin
Product: [Other] Security Response Reporter: Avinash Hanwate <ahanwate>
Component: vulnerabilityAssignee: Nobody <nobody>
Status: NEW --- QA Contact:
Severity: medium Docs Contact:
Priority: medium    
Version: unspecifiedCC: jgrulich
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: If docs needed, set a value
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 2187156, 2217696, 2217697    
Bug Blocks: 2187155    

Description Avinash Hanwate 2023-04-17 05:30:50 UTC 
Qt before 6.4.3 allows a denial of service via a crafted string when the SQL ODBC driver plugin is used and the size of SQLTCHAR is 4. The affected versions are 5.x before 5.15.13, 6.x before 6.2.8, and 6.3.x before 6.4.3.

https://codereview.qt-project.org/c/qt/qtbase/+/456216
https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456238
https://github.com/qt/qtbase/commit/aaf1381eab6292aa0444a5eadcc24165b6e1c02d
https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/456217
https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
https://www.qt.io/blog/tag/security
https://download.qt.io/official_releases/qt/5.15/CVE-2023-24607-qtbase-5.15.diff
Comment 1 Avinash Hanwate 2023-04-17 05:32:29 UTC 
Created qt5 tracking bugs for this issue:

Affects: fedora-all [bug 2187156]