Bug 2222767 (CVE-2023-38197) - CVE-2023-38197 qtbase: infinite loops in QXmlStreamReader
Summary: CVE-2023-38197 qtbase: infinite loops in QXmlStreamReader
Status: NEW
Alias: CVE-2023-38197
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
Priority: medium
Severity: medium
Target Milestone: ---
Assignee: Nobody
Depends On: 2222849 2222850 2222770 2222771 2222772 2222773 2222847 2222848
Blocks: 2222769
Reported: 2023-07-13 16:47 UTC by Zack Miele
Modified: 2023-12-11 07:08 UTC

Fixed In Version: qt 5.15.15, qt 6.2.10, qt 6.5.3
Doc Text:
A vulnerability was found in Qtbase: a denial of service caused by an infinite loop flaw in the QXmlStreamReader() function. The flaw occurs because the QXmlStreamReader function accepts multiple DOCTYPE elements containing DTD fragments in the XML prolog and the XML body. Well-formed but invalid XML files, with multiple DTD fragments in prolog and body combined with recursive entity expansions, cause infinite loops in QXmlStreamReader. By persuading a victim to open specially crafted XML content, an attacker can cause a denial of service condition.

Links
| System | ID | Private | Priority | Status | Summary | Last Updated |
|---|---|---|---|---|---|---|
| Red Hat Product Errata | RHSA-2023:6369 | 0 | None | None | None | 2023-11-07 08:14:44 UTC |
| Red Hat Product Errata | RHSA-2023:6967 | 0 | None | None | None | 2023-11-14 15:18:16 UTC |

Description Zack Miele 2023-07-13 16:47:22 UTC
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.

https://codereview.qt-project.org/c/qt/qtbase/+/488960

QXmlStreamReader accepted multiple DOCTYPE elements, containing DTD fragments in the XML prolog, and in the XML body. Well-formed but invalid XML files - with multiple DTD fragments in prolog and body, combined with recursive entity expansions - have caused infinite loops in QXmlStreamReader.
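
For applications that cannot yet move to a fixed Qt build, the structural condition named above (more than one DOCTYPE, or a DOCTYPE in the body) can be checked before untrusted input reaches QXmlStreamReader. The following is an added example, not code from Qt or from this bug report; `DoctypeScan`, `scanDoctypes` and `skipPast` are hypothetical names, the sample inputs are constructed, and the scan is deliberately conservative (it may reject unusual but harmless documents).

```cpp
#include <cctype>
#include <iostream>
#include <string>

// Result of the structural pre-check (type and field names are this example's own).
struct DoctypeScan {
    int doctypes = 0;        // <!DOCTYPE seen outside comments, CDATA sections and PIs
    bool afterRoot = false;  // a DOCTYPE appeared after the first element start tag
    bool ok() const { return doctypes <= 1 && !afterRoot; }
};

// Position just past the next `end` marker; an unterminated construct ends the scan.
static std::size_t skipPast(const std::string& s, std::size_t pos, const std::string& end) {
    std::size_t e = s.find(end, pos);
    return e == std::string::npos ? s.size() : e + end.size();
}

// Counts DOCTYPE declarations and notes whether one follows an element start tag.
// Assumes UTF-8 or ASCII input; a "<!DOCTYPE" inside a quoted entity value is
// also counted, which errs on the side of rejecting.
DoctypeScan scanDoctypes(const std::string& xml) {
    DoctypeScan r;
    bool sawElement = false;
    std::size_t i = 0;
    while ((i = xml.find('<', i)) != std::string::npos) {
        if (xml.compare(i, 4, "<!--") == 0)           i = skipPast(xml, i + 4, "-->");
        else if (xml.compare(i, 9, "<![CDATA[") == 0) i = skipPast(xml, i + 9, "]]>");
        else if (xml.compare(i, 2, "<?") == 0)        i = skipPast(xml, i + 2, "?>");
        else if (xml.compare(i, 9, "<!DOCTYPE") == 0) {  // XML keywords are case-sensitive
            ++r.doctypes;
            if (sawElement) r.afterRoot = true;
            i += 9;
        } else {
            unsigned char c = i + 1 < xml.size() ? static_cast<unsigned char>(xml[i + 1]) : 0;
            if (std::isalpha(c) || c == '_' || c == ':' || c >= 0x80) sawElement = true;
            ++i;
        }
    }
    return r;
}

int main() {
    // Constructed samples: they show only the document structure, no entity recursion.
    const char* samples[] = {
        "<!DOCTYPE a [<!ENTITY e \"v\">]><a>&e;</a>",  // one DOCTYPE in the prolog
        "<!DOCTYPE a><!DOCTYPE a><a/>",                // repeated DOCTYPE
        "<a><!DOCTYPE a></a>",                         // DOCTYPE in the body
    };
    for (const char* s : samples)
        std::cout << (scanDoctypes(s).ok() ? "accept" : "reject") << "  " << s << "\n";
}
```

This check is a stopgap for input filtering only; the remedy recorded in this bug is updating to qt 5.15.15, 6.2.10 or 6.5.3, or to a distribution build that carries the fix.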

Comment 2 TEJ RATHI 2023-07-14 05:48:37 UTC
Created mingw-qt5-qtbase tracking bugs for this issue:

Affects: fedora-all [bug 2222847]


Created mingw-qt6-qtbase tracking bugs for this issue:

Affects: fedora-all [bug 2222848]


Created qt5-qtbase tracking bugs for this issue:

Affects: fedora-all [bug 2222849]


Created qt6-qtbase tracking bugs for this issue:

Affects: fedora-all [bug 2222850]

Comment 3 errata-xmlrpc 2023-11-07 08:14:43 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 9

Via RHSA-2023:6369 https://access.redhat.com/errata/RHSA-2023:6369

Comment 4 errata-xmlrpc 2023-11-14 15:18:15 UTC
This issue has been addressed in the following products:

  Red Hat Enterprise Linux 8

Via RHSA-2023:6967 https://access.redhat.com/errata/RHSA-2023:6967

