CVE-2023-38197

Name	CVE-2023-38197
Description	An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
Source	CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References	DLA-3539-1, DLA-3805-1
Debian Bugs	1041104, 1041105, 1041106

Vulnerable and fixed packages

The table below lists information on source packages.

Source Package	Release	Version	Status
qt4-x11 (PTS)	buster	4:4.8.7+dfsg-18+deb10u1	vulnerable
	buster (security)	4:4.8.7+dfsg-18+deb10u2	fixed
qt6-base (PTS)	bookworm	6.4.2+dfsg-10	vulnerable
	sid, trixie	6.4.2+dfsg-21.1	vulnerable
qtbase-opensource-src (PTS)	buster	5.11.3+dfsg1-1+deb10u5	vulnerable
	buster (security)	5.11.3+dfsg1-1+deb10u6	fixed
	bullseye	5.15.2+dfsg-9	vulnerable
	bookworm	5.15.8+dfsg-11	vulnerable
	sid, trixie	5.15.10+dfsg-7.2	fixed
qtbase-opensource-src-gles (PTS)	bullseye	5.15.2+dfsg-4	vulnerable
	bookworm	5.15.8+dfsg-3	vulnerable
	trixie	5.15.10+dfsg-5	fixed
	sid	5.15.10+dfsg-6	fixed

The information below is based on the following data on fixed versions.

Package	Type	Release	Fixed Version	Origin	Debian Bugs
qt4-x11	source	buster	4:4.8.7+dfsg-18+deb10u2	DLA-3539-1
qt4-x11	source	(unstable)	(unfixed)
qt6-base	source	(unstable)	(unfixed)		1041104
qtbase-opensource-src	source	buster	5.11.3+dfsg1-1+deb10u6	DLA-3805-1
qtbase-opensource-src	source	(unstable)	5.15.10+dfsg-3		1041105
qtbase-opensource-src-gles	source	(unstable)	5.15.10+dfsg-3		1041106

Notes

[bookworm] - qt6-base <no-dsa> (Minor issue)
[bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
[bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
[bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
https://www.qt.io/blog/security-advisory-qxmlstreamreader-1
https://codereview.qt-project.org/c/qt/qtbase/+/488960