| Name | CVE-2025-12385 |
| Description | Allocation of Resources Without Limits or Throttling, Improper Validation of Specified Quantity in Input vulnerability in The Qt Company Qt on Windows, MacOS, Linux, iOS, Android, x86, ARM, 64 bit, 32 bit allows Excessive Allocation. This issue affects users of the Text component in Qt Quick. Missing validation of the width and height in the `<img>` tag could cause an application to become unresponsive. This issue affects Qt: from 5.0.0 through 6.5.10, from 6.6.0 through 6.8.5, from 6.9.0 through 6.10.0. |
| Source | CVE (at NVD; CERT, ENISA, LWN, oss-sec, fulldisc, Debian ELTS, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more) |
| Debian Bugs | 1122054, 1122055, 1122056 |
The table below lists information on source packages.

| Source Package | Release | Version | Status |
|---|---|---|---|
| qt6-declarative (PTS) | bookworm | 6.4.2+dfsg-1 | vulnerable |
| | trixie | 6.8.2+dfsg-7 | vulnerable |
| | forky, sid | 6.9.2+dfsg-5 | vulnerable |
| qtdeclarative-opensource-src (PTS) | bullseye | 5.15.2+dfsg-6 | vulnerable |
| | bookworm | 5.15.8+dfsg-3 | vulnerable |
| | trixie | 5.15.15+dfsg-3 | vulnerable |
| | forky, sid | 5.15.17+dfsg-4 | fixed |
| qtdeclarative-opensource-src-gles (PTS) | bullseye | 5.15.2+dfsg-2 | vulnerable |
| | bookworm | 5.15.8+dfsg-1 | vulnerable |
| | trixie | 5.15.15+dfsg-2 | vulnerable |
| | forky, sid | 5.15.17+dfsg-2 | vulnerable |

The information below is based on the following data on fixed versions.
| Package | Type | Release | Fixed Version | Urgency | Origin | Debian Bugs |
|---|---|---|---|---|---|---|
| qt6-declarative | source | (unstable) | (unfixed) | | | 1122054 |
| qtdeclarative-opensource-src | source | (unstable) | 5.15.17+dfsg-4 | | | 1122055 |
| qtdeclarative-opensource-src-gles | source | (unstable) | (unfixed) | | | 1122056 |

[trixie] - qt6-declarative <no-dsa> (Minor issue)
[bookworm] - qt6-declarative <no-dsa> (Minor issue)
[trixie] - qtdeclarative-opensource-src <no-dsa> (Minor issue)
[bookworm] - qtdeclarative-opensource-src <no-dsa> (Minor issue)
[bullseye] - qtdeclarative-opensource-src <postponed> (Minor issue)
[trixie] - qtdeclarative-opensource-src-gles <no-dsa> (Minor issue)
[bookworm] - qtdeclarative-opensource-src-gles <no-dsa> (Minor issue)
[bullseye] - qtdeclarative-opensource-src-gles <postponed> (Minor issue)
https://codereview.qt-project.org/c/qt/qtdeclarative/+/687239
https://codereview.qt-project.org/c/qt/qtdeclarative/+/687766