Qt Project Security Advisory
----------------------------

Title:        XML Entity Expansion Denial of Service
Risk Rating:  Low
CVE:          CVE-2013-4549
Platforms:    All
Modules:      QtBase
Versions:     All versions before 5.2
Author:       Richard J. Moore <[email protected]>
Date:         5 December 2013

Overview
--------

QXmlSimpleReader in Qt versions prior to 5.2 supports expansion of internal
entities in XML documents without placing restrictions to ensure the document
does not cause excessive memory usage. An application that uses this API to
process untrusted data may use unexpected amounts of memory when a malicious
document is processed.

Details
-------

It is possible to construct XML documents using internal entities that consume
large amounts of memory and other resources to process. This is known as the
'Billion Laughs' attack. Qt versions prior to 5.2 did not offer protection
against this issue.

Impact
------

An application loading untrusted XML data may consume arbitrary amounts of
memory and CPU when attempting to parse a maliciously constructed document.

Workaround
----------

None

Solution
--------

Upgrade to Qt 5.2 or apply the patches below:

For Qt 5.1: https://codereview.qt-project.org/#change,71368
For Qt 4.8: https://codereview.qt-project.org/#change,71010

Credits
=======

The Qt security team would like to thank Florian Weimer of the Red Hat security
team for reporting this issue and providing test cases.
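To show why nested internal entities cost far more memory than the document's size suggests, the following added example (not Qt code and not the Qt patch) computes the fully expanded length of each internal entity arithmetically, without expanding anything. The names parseEntities, expandedLength, maxExpansion and kSample are hypothetical, and the sample document is constructed.

```cpp
#include <algorithm>
#include <cstdint>
#include <map>
#include <regex>
#include <set>
#include <string>
using EntityMap = std::map<std::string, std::string>;
using Memo = std::map<std::string, std::uint64_t>;
static const std::uint64_t kSaturate = UINT64_C(1) << 62;  // clamp so sums cannot overflow
// Constructed sample: three nesting levels; entity "c" expands to 37 characters.
static const char kSample[] = "<!DOCTYPE r [<!ENTITY a 'abcd'><!ENTITY b '&a;&a;&a;'><!ENTITY c '&b;&b;&b;x'>]><r>&c;</r>";

// Collect internal general entities: <!ENTITY name "value"> (SYSTEM/PUBLIC and % forms do not match).
EntityMap parseEntities(const std::string &doc) {
    static const std::regex decl(R"rx(<!ENTITY\s+([^\s"'>]+)\s+(?:"([^"]*)"|'([^']*)')\s*>)rx");
    EntityMap out;
    for (std::sregex_iterator it(doc.begin(), doc.end(), decl), end; it != end; ++it)
        out.emplace((*it)[1].str(), (*it)[2].matched ? (*it)[2].str() : (*it)[3].str());
    return out;  // emplace keeps the first declaration of a name, as XML does
}

// Length of an entity's replacement text once nested references are resolved (memoised).
std::uint64_t expandedLength(const std::string &name, const EntityMap &ents,
                             Memo &memo, std::set<std::string> &active) {
    if (memo.count(name)) return memo[name];
    auto def = ents.find(name);
    if (def == ents.end()) return 0;                    // character refs, predefined, undeclared
    if (!active.insert(name).second) return kSaturate;  // recursive definition
    static const std::regex ref(R"rx(&([^;&\s]+);)rx");
    std::uint64_t total = 0, pos = 0;
    for (std::sregex_iterator it(def->second.begin(), def->second.end(), ref), end; it != end; ++it) {
        const std::uint64_t at = static_cast<std::uint64_t>(it->position());
        // Literal text before the reference plus the referenced entity's own expanded length.
        total = std::min<std::uint64_t>(
            total + (at - pos) + expandedLength((*it)[1].str(), ents, memo, active), kSaturate);
        pos = at + static_cast<std::uint64_t>(it->length());
    }
    total = std::min<std::uint64_t>(total + (def->second.size() - pos), kSaturate);
    active.erase(name);
    return memo[name] = total;
}

// Largest expanded length of any entity declared in the document's internal subset.
std::uint64_t maxExpansion(const std::string &doc) {
    const EntityMap ents = parseEntities(doc);
    Memo memo;
    std::set<std::string> active;
    std::uint64_t worst = 0;
    for (const auto &e : ents) worst = std::max(worst, expandedLength(e.first, ents, memo, active));
    return worst;
}
```

The result bounds a single entity reference, so a document that references the entity several times expands to a multiple of it. std::regex is used for brevity; a hand-written scanner is a better fit for large untrusted input.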
