Bug 2222767 (CVE-2023-38197)

Summary: CVE-2023-38197 qtbase: infinite loops in QXmlStreamReader
Product: [Other] Security Response
Reporter: Zack Miele <zmiele>
Component: vulnerability
Assignee: Nobody <nobody>
Status: NEW
Severity: medium
Priority: medium
Version: unspecified
CC: desktop-qa-list, jgrulich
Target Milestone: ---
Keywords: Security
Target Release: ---
Hardware: All
OS: Linux
Fixed In Version: qt 5.15.15, qt 6.2.10, qt 6.5.3
Doc Type: If docs needed, set a value
Doc Text:
A vulnerability was found in Qtbase, where it is vulnerable to a denial of service caused by an infinite loop flaw in the QXmlStreamReader() function. This flaw occurs because the QXmlStreamReader function accepts multiple DOCTYPE elements containing DTD fragments in the XML prolog and the XML body. Well-formed but invalid XML files, with multiple DTD fragments in prolog and body combined with recursive entity expansions, cause infinite loops in QXmlStreamReader. By persuading a victim to open specially crafted XML content, an attacker can cause a denial of service condition.
Bug Depends On: 2222770, 2222771, 2222772, 2222773, 2222847, 2222848, 2222849, 2222850    
Bug Blocks: 2222769    

Description Zack Miele 2023-07-13 16:47:22 UTC
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.

https://codereview.qt-project.org/c/qt/qtbase/+/488960

QXmlStreamReader accepted multiple DOCTYPE elements, containing DTD fragments in the XML prolog, and in the XML body. Well-formed but invalid XML files - with multiple DTD fragments in prolog and body, combined with recursive entity expansions - have caused infinite loops in QXmlStreamReader.
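
An added example, not part of the original report and not Qt's code: a stand-alone C++ pre-parse check that rejects the input shape described above (more than one DOCTYPE, or a DOCTYPE after the first element) before the data is handed to QXmlStreamReader. `checkDoctypes` and its helpers are hypothetical names, and the check assumes UTF-8 or another ASCII-compatible encoding.

```cpp
// Added example (hypothetical names, not Qt code): DOCTYPE placement check.
// Assumption: input is UTF-8 or another ASCII-compatible encoding.
#include <cstddef>
#include <string_view>

enum class DoctypeCheck { Ok, MultipleDoctype, DoctypeInBody };

// Index just past the next `close` at or after `pos`, or end of input.
static std::size_t skipPast(std::string_view s, std::size_t pos, std::string_view close) {
    std::size_t e = s.find(close, pos);
    return e == std::string_view::npos ? s.size() : e + close.size();
}

// Index just past a DOCTYPE declaration, honouring quoted literals, comments
// and the [ ... ] internal subset, where '>' does not end the declaration.
static std::size_t skipDoctype(std::string_view s, std::size_t pos) {
    int depth = 0; char quote = 0;
    while (pos < s.size()) {
        char c = s[pos];
        if (quote) { if (c == quote) quote = 0; ++pos; continue; }
        if (s.substr(pos, 4) == "<!--") { pos = skipPast(s, pos + 4, "-->"); continue; }
        if (c == '"' || c == '\'') quote = c;
        else if (c == '[') ++depth;
        else if (c == ']' && depth > 0) --depth;
        else if (c == '>' && depth == 0) return pos + 1;
        ++pos;
    }
    return s.size();
}

// Rejects a second DOCTYPE and any DOCTYPE after the first element tag.
DoctypeCheck checkDoctypes(std::string_view xml) {
    int doctypes = 0; bool seenElement = false;
    std::size_t i = 0;
    while ((i = xml.find('<', i)) != std::string_view::npos) {
        std::string_view rest = xml.substr(i);
        if (rest.substr(0, 4) == "<!--") i = skipPast(xml, i + 4, "-->");
        else if (rest.substr(0, 9) == "<![CDATA[") i = skipPast(xml, i + 9, "]]>");
        else if (rest.substr(0, 2) == "<?") i = skipPast(xml, i + 2, "?>");
        else if (rest.substr(0, 9) == "<!DOCTYPE") {
            if (seenElement) return DoctypeCheck::DoctypeInBody;
            if (++doctypes > 1) return DoctypeCheck::MultipleDoctype;
            i = skipDoctype(xml, i + 9);
        } else { seenElement = true; ++i; }  // start or end tag of an element
    }
    return DoctypeCheck::Ok;
}

int main() {  // constructed sample: second DOCTYPE inside the body, exit status 1
    return checkDoctypes("<!DOCTYPE a><a><!DOCTYPE b></a>") != DoctypeCheck::Ok;
}
```

A check like this only narrows exposure for builds that cannot yet move to the fixed Qt versions listed in this bug; malformed input containing a literal `<!DOCTYPE` inside an attribute value is also rejected, which errs on the conservative side.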

Comment 2 TEJ RATHI 2023-07-14 05:48:37 UTC
Created mingw-qt5-qtbase tracking bugs for this issue:

Affects: fedora-all [bug 2222847]


Created mingw-qt6-qtbase tracking bugs for this issue:

Affects: fedora-all [bug 2222848]


Created qt5-qtbase tracking bugs for this issue:

Affects: fedora-all [bug 2222849]


Created qt6-qtbase tracking bugs for this issue:

Affects: fedora-all [bug 2222850]

Comment 3 errata-xmlrpc 2023-11-07 08:14:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6369 https://access.redhat.com/errata/RHSA-2023:6369

Comment 4 errata-xmlrpc 2023-11-14 15:18:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6967 https://access.redhat.com/errata/RHSA-2023:6967