CVE-2023-38197

Name: CVE-2023-38197
Description: An issue was discovered in Qt before 5.15.15, 6.x before 6.2.10, and 6.3.x through 6.5.x before 6.5.3. There are infinite loops in recursive entity expansion.
Source: CVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
References: DLA-3539-1
Debian Bugs: 1041104, 1041105, 1041106

Vulnerable and fixed packages

The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| qt4-x11 (PTS) | buster | 4:4.8.7+dfsg-18+deb10u1 | vulnerable |
| qt4-x11 (PTS) | buster (security) | 4:4.8.7+dfsg-18+deb10u2 | fixed |
| qt6-base (PTS) | bookworm | 6.4.2+dfsg-10 | vulnerable |
| qt6-base (PTS) | trixie, sid | 6.4.2+dfsg-18 | vulnerable |
| qtbase-opensource-src (PTS) | buster | 5.11.3+dfsg1-1+deb10u5 | vulnerable |
| qtbase-opensource-src (PTS) | buster (security) | 5.11.3+dfsg1-1+deb10u3 | vulnerable |
| qtbase-opensource-src (PTS) | bullseye | 5.15.2+dfsg-9 | vulnerable |
| qtbase-opensource-src (PTS) | bookworm | 5.15.8+dfsg-11 | vulnerable |
| qtbase-opensource-src (PTS) | trixie, sid | 5.15.10+dfsg-3 | fixed |
| qtbase-opensource-src-gles (PTS) | bullseye | 5.15.2+dfsg-4 | vulnerable |
| qtbase-opensource-src-gles (PTS) | bookworm | 5.15.8+dfsg-3 | vulnerable |
| qtbase-opensource-src-gles (PTS) | trixie, sid | 5.15.10+dfsg-2 | vulnerable |

The information below is based on the following data on fixed versions.

| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| qt4-x11 | source | buster | 4:4.8.7+dfsg-18+deb10u2 | | DLA-3539-1 | |
| qt4-x11 | source | (unstable) | (unfixed) | | | |
| qt6-base | source | (unstable) | (unfixed) | | | 1041104 |
| qtbase-opensource-src | source | (unstable) | 5.15.10+dfsg-3 | | | 1041105 |
| qtbase-opensource-src-gles | source | (unstable) | (unfixed) | | | 1041106 |

Notes

[bookworm] - qt6-base <no-dsa> (Minor issue)
[bookworm] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
[bullseye] - qtbase-opensource-src-gles <no-dsa> (Minor issue)
[bookworm] - qtbase-opensource-src <no-dsa> (Minor issue)
[bullseye] - qtbase-opensource-src <no-dsa> (Minor issue)
[buster] - qtbase-opensource-src <no-dsa> (Minor issue)
https://www.qt.io/blog/security-advisory-qxmlstreamreader-1
https://codereview.qt-project.org/c/qt/qtbase/+/488960