Regarding recent reported security vulnerabilities from Cisco Talos

submitted by
Style Pass
2023-01-24 03:30:06

Back in October 2022, the Qt Project Security team was contacted by someone at Cisco Talos to report integer and buffer overflow issues in QML, which they considered a vulnerability in Qt 6.3. This has recently been made public by Cisco Talos. It has also resulted in two CVEs, CVE-2022-40983 and CVE-2022-43591.

When the initial report was handled by the Qt Project Security team, it was determined that the QML would have to be specifically crafted to actually trigger the overflow. This could occur as a result of running untrusted QML, which is not something that QML was designed to account for. This is also indicated in the documentation: https://doc.qt.io/qt-6/qtqml-documents-networktransparency.html#implications-for-application-security.

Even though it was not considered a vulnerability by the security team for the above-mentioned reason, this was a real bug, and it was decided to fix it with high priority (P1). This was communicated back to Cisco Talos at the time, along with a link to the QTBUG-107619 report and two patches that were going to be integrated to solve this problem.
