Vulnerability CVE-2023-37369: Information

Description

In Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2, there can be an application crash in QXmlStreamReader via a crafted XML string that triggers a situation in which a prefix is greater than a length.

Severity: HIGH (7.5) Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H

URL: https://nvd.nist.gov/vuln/detail/CVE-2023-37369

Published: Aug. 20, 2023

Modified: May 1, 2024

Fixed packages

Package name	Branch	Fixed in version	Version from repository	Errata ID	Task #	State
qt5-webengine	sisyphus	5.15.15-alt1	5.15.16-alt5	ALT-PU-2023-5566-1	329396	Fixed
qt5-webengine	p10	5.15.15-alt1	5.15.16-alt4	ALT-PU-2023-5570-2	329398	Fixed
qt5-webengine	p11	5.15.15-alt1	5.15.16-alt5	ALT-PU-2023-5566-1	329396	Fixed
qt6-3d	sisyphus	6.6.0-alt1	6.6.2-alt1.1	ALT-PU-2023-7237-1	334016	Fixed
qt6-3d	sisyphus_e2k	6.6.1-alt1.1	6.6.2-alt1.1	ALT-PU-2024-2658-1	-	Fixed
qt6-3d	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1.1	ALT-PU-2023-7352-1	-	Fixed
qt6-3d	p11	6.6.0-alt1	6.6.2-alt1.1	ALT-PU-2023-7237-1	334016	Fixed
qt6-5compat	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7228-1	334016	Fixed
qt6-5compat	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2636-1	-	Fixed
qt6-5compat	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7349-1	-	Fixed
qt6-5compat	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7228-1	334016	Fixed
qt6-base	sisyphus	6.6.0-alt1	6.6.2-alt3	ALT-PU-2023-7225-1	334016	Fixed
qt6-base	sisyphus_e2k	6.6.1-alt1.E2K.1	6.6.2-alt3.E2K.2	ALT-PU-2024-2656-1	-	Fixed
qt6-base	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt3	ALT-PU-2023-7350-1	-	Fixed
qt6-base	p10	6.4.2-alt5	6.4.2-alt5	ALT-PU-2024-3485-2	342087	Fixed
qt6-base	p10_e2k	6.4.2-alt5.E2K.1	6.4.2-alt5.E2K.1	ALT-PU-2024-4219-1	-	Fixed
qt6-base	p11	6.6.0-alt1	6.6.2-alt3	ALT-PU-2023-7225-1	334016	Fixed
qt6-charts	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7235-1	334016	Fixed
qt6-charts	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2645-1	-	Fixed
qt6-charts	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7353-1	-	Fixed
qt6-charts	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7235-1	334016	Fixed
qt6-connectivity	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7231-1	334016	Fixed
qt6-connectivity	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2642-1	-	Fixed
qt6-connectivity	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7342-1	-	Fixed
qt6-connectivity	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7231-1	334016	Fixed
qt6-datavis3d	sisyphus	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-1120-1	338043	Fixed
qt6-datavis3d	sisyphus_riscv64	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-1133-1	-	Fixed
qt6-datavis3d	sisyphus_loongarch64	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-1141-1	-	Fixed
qt6-datavis3d	p11	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-1120-1	338043	Fixed
qt6-declarative	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7215-1	334016	Fixed
qt6-declarative	sisyphus_e2k	6.6.1-alt2	6.6.2-alt1	ALT-PU-2024-2651-1	-	Fixed
qt6-declarative	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7334-1	-	Fixed
qt6-declarative	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7215-1	334016	Fixed
qt6-imageformats	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7220-1	334016	Fixed
qt6-imageformats	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2641-1	-	Fixed
qt6-imageformats	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7341-1	-	Fixed
qt6-imageformats	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7220-1	334016	Fixed
qt6-multimedia	sisyphus	6.6.0-alt1	6.6.2-alt1.1	ALT-PU-2023-7217-1	334016	Fixed
qt6-multimedia	sisyphus_e2k	6.6.1-alt1.1	6.6.2-alt1.1	ALT-PU-2024-2657-1	-	Fixed
qt6-multimedia	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1.1	ALT-PU-2023-7337-1	-	Fixed
qt6-multimedia	p11	6.6.0-alt1	6.6.2-alt1.1	ALT-PU-2023-7217-1	334016	Fixed
qt6-networkauth	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7236-1	334016	Fixed
qt6-networkauth	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2647-1	-	Fixed
qt6-networkauth	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7347-1	-	Fixed
qt6-networkauth	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7236-1	334016	Fixed
qt6-positioning	sisyphus	6.6.0-alt1	6.6.2-alt1.1	ALT-PU-2023-7222-1	334016	Fixed
qt6-positioning	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1.1	ALT-PU-2023-7344-1	-	Fixed
qt6-positioning	p11	6.6.0-alt1	6.6.2-alt1.1	ALT-PU-2023-7222-1	334016	Fixed
qt6-quicktimeline	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7224-1	334016	Fixed
qt6-quicktimeline	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2644-1	-	Fixed
qt6-quicktimeline	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7348-1	-	Fixed
qt6-quicktimeline	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7224-1	334016	Fixed
qt6-remoteobjects	sisyphus	6.6.2-alt1	6.6.2-alt1	ALT-PU-2024-2801-1	341139	Fixed
qt6-remoteobjects	sisyphus_e2k	6.6.2-alt1	6.6.2-alt1	ALT-PU-2024-2982-1	-	Fixed
qt6-remoteobjects	sisyphus_riscv64	6.6.2-alt1	6.6.2-alt1	ALT-PU-2024-3743-1	-	Fixed
qt6-remoteobjects	sisyphus_loongarch64	6.6.2-alt1	6.6.2-alt1	ALT-PU-2024-2916-1	-	Fixed
qt6-remoteobjects	p11	6.6.2-alt1	6.6.2-alt1	ALT-PU-2024-2801-1	341139	Fixed
qt6-scxml	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7234-1	334016	Fixed
qt6-scxml	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2643-1	-	Fixed
qt6-scxml	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7345-1	-	Fixed
qt6-scxml	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7234-1	334016	Fixed
qt6-sensors	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7221-1	334016	Fixed
qt6-sensors	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2640-1	-	Fixed
qt6-sensors	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7343-1	-	Fixed
qt6-sensors	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7221-1	334016	Fixed
qt6-serialport	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7230-1	334016	Fixed
qt6-serialport	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2639-1	-	Fixed
qt6-serialport	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7340-1	-	Fixed
qt6-serialport	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7230-1	334016	Fixed
qt6-shadertools	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7226-1	334016	Fixed
qt6-shadertools	sisyphus_e2k	6.6.1-alt2	6.6.2-alt1	ALT-PU-2024-2652-1	-	Fixed
qt6-shadertools	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7333-1	-	Fixed
qt6-shadertools	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7226-1	334016	Fixed
qt6-svg	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7227-1	334016	Fixed
qt6-svg	sisyphus_e2k	6.6.1-alt3	6.6.2-alt1	ALT-PU-2024-2649-1	-	Fixed
qt6-svg	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7336-1	-	Fixed
qt6-svg	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7227-1	334016	Fixed
qt6-tools	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7216-1	334016	Fixed
qt6-tools	sisyphus_e2k	6.6.1-alt2	6.6.2-alt1	ALT-PU-2024-2650-1	-	Fixed
qt6-tools	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7351-1	-	Fixed
qt6-tools	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7216-1	334016	Fixed
qt6-translations	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7223-1	334016	Fixed
qt6-translations	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2634-1	-	Fixed
qt6-translations	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7335-1	-	Fixed
qt6-translations	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7223-1	334016	Fixed
qt6-virtualkeyboard	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7233-1	334016	Fixed
qt6-virtualkeyboard	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2646-1	-	Fixed
qt6-virtualkeyboard	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7346-1	-	Fixed
qt6-virtualkeyboard	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7233-1	334016	Fixed
qt6-wayland	sisyphus	6.6.0-alt1	6.6.2-alt2	ALT-PU-2023-7219-1	334016	Fixed
qt6-wayland	sisyphus_e2k	6.6.1-alt1	6.6.2-alt2	ALT-PU-2024-2648-1	-	Fixed
qt6-wayland	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt2	ALT-PU-2023-7339-1	-	Fixed
qt6-wayland	p11	6.6.0-alt1	6.6.2-alt2	ALT-PU-2023-7219-1	334016	Fixed
qt6-webchannel	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7218-1	334016	Fixed
qt6-webchannel	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2638-1	-	Fixed
qt6-webchannel	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7354-1	-	Fixed
qt6-webchannel	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7218-1	334016	Fixed
qt6-webengine	sisyphus	6.6.0-alt1	6.6.2-alt3	ALT-PU-2023-7232-1	334016	Fixed
qt6-webengine	p11	6.6.0-alt1	6.6.2-alt3	ALT-PU-2023-7232-1	334016	Fixed
qt6-websockets	sisyphus	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7229-1	334016	Fixed
qt6-websockets	sisyphus_e2k	6.6.1-alt1	6.6.2-alt1	ALT-PU-2024-2637-1	-	Fixed
qt6-websockets	sisyphus_riscv64	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7338-1	-	Fixed
qt6-websockets	p11	6.6.0-alt1	6.6.2-alt1	ALT-PU-2023-7229-1	334016	Fixed

References to Advisories, Solutions, and Tools

Hyperlink	Resource
https://codereview.qt-project.org/c/qt/qtbase/+/455027	Patch
https://bugreports.qt.io/browse/QTBUG-114829	Exploit
[debian-lts-announce] 20230822 [SECURITY] [DLA 3539-1] qt4-x11 security update	Mailing List Third Party Advisory
FEDORA-2023-0e68827d36
FEDORA-2023-fd45b50121
[debian-lts-announce] 20240430 [SECURITY] [DLA 3805-1] qtbase-opensource-src security update

Affected configurations:
1. Configuration 1
  cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*
  Start including
  6.0.0
  End excliding
  6.2.9
  cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*
  End excliding
  5.15.15
  cpe:2.3:a:qt:qt:*:*:*:*:*:*:*:*
  Start including
  6.3.0
  End excliding
  6.5.2
  
  Configuration 2
  cpe:2.3:o:debian:debian_linux:10.0:*:*:*:*:*:*:*

Version: v24.5.3

Vulnerability CVE-2023-37369: Information

Description

Fixed packages

References to Advisories, Solutions, and Tools

Configuration 1

Configuration 2