Lucene search

K

Andy ShawQT:20CF96597A72E76838A8F4BB05834645

HistoryMay 15, 2023 - 12:00 a.m.

Security advisory: Qt SVG

2023-05-1500:00:00

Andy Shaw

www.qt.io

7

security advisory

qt svg

divide by zero

cve-2023-32573

patch

update

qsvgfont

qsvgrenderer

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.7%

A recent potential divide by zero in Qt SVG has been reported and has been assigned the CVE id CVE-2023-32573.

In QSvgFont, the m_unitsPerEm variable initialization is mishandled so if a SVG file that uses font-face without units-per-em set is passed to QSvgRenderer to render then it can trigger a division by zero.

Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1

Patches:

dev: <https://codereview.qt-project.org/c/qt/qtsvg/+/474093>
Qt 6.5: <https://codereview.qt-project.org/c/qt/qtsvg/+/474404> or <https://download.qt.io/official_releases/qt/6.5/CVE-2023-32573-qtsvg-6.5.diff>
Qt 6.2: <https://download.qt.io/official_releases/qt/6.2/CVE-2023-32573-qtsvg-6.2.diff>
Qt 5.15: <https://download.qt.io/official_releases/qt/5.15/CVE-2023-32573-qtsvg-5.15.diff>

6.5 Medium

CVSS3

Attack Vector

NETWORK

Attack Complexity

LOW

Privileges Required

NONE

User Interaction

REQUIRED

Scope

UNCHANGED

Confidentiality Impact

NONE

Integrity Impact

NONE

Availability Impact

HIGH

CVSS:3.1/AV:N/AC:L/PR:N/UI:R/S:U/C:N/I:N/A:H

6.4 Medium

AI Score

Confidence

High

0.001 Low

EPSS

Percentile

40.7%

Related for QT:20CF96597A72E76838A8F4BB05834645

redhat3 nessus21 amazon1 nvd1 osv4 alpinelinux1 openvas11 ubuntucve1 cve1 oraclelinux2 almalinux2 veracode1 redhatcve1 cbl_mariner2 debiancve1 prion1 cvelist1 fedora1 gentoo1 mageia1 debian1 ibm2 ics1