
Bug#1108476: closed by Dmitry Shachnev <mitya57@debian.org> (Re: Bug#1108476: qtbase-opensource-src-gles: CVE-2025-5455)



On Mon, Jun 30, 2025 at 10:01:02AM +0000, Debian Bug Tracking System wrote:
> > CVE-2025-5455[0]:
> > | An issue was found in the private API function qDecodeDataUrl() in
> > | QtCore, which is used in QTextDocument and QNetworkReply, and,
> > | potentially, in user code.  If the function was called with
> > | malformed data, for example, a URL that contained a "charset"
> > | parameter that lacked a value (such as "data:charset,"), and Qt was
> > | built with assertions enabled, then it would hit an assertion,
> > | resulting in a denial of service (abort).  This impacts Qt up to
> > | 5.15.18, 6.0.0->6.5.8, 6.6.0->6.8.3 and 6.9.0. This has been fixed
> > | in 5.15.19, 6.5.9, 6.8.4 and 6.9.1.
> > 
> > https://codereview.qt-project.org/c/qt/qtbase/+/642006
> 
> This does not need fixing in qtbase-opensource-src-gles. The vulnerability
> is in the QtCore library, but the -gles source package does not build its own
> QtCore; it reuses the one from qtbase-opensource-src.

Thanks, I've updated the Security Tracker.

Cheers,
        Moritz
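The quoted CVE text describes a parameter with no value ("data:charset,") reaching an assertion, i.e. untrusted input being treated as an internal invariant. As an added example that is not Qt's code and does not reproduce qDecodeDataUrl(), this simplified parser for RFC 2397 data: URLs (hypothetical names parseDataUrl and parseSummary) tolerates a bare parameter and returns an error for structurally invalid input instead of aborting:

```cpp
#include <string>
#include <vector>

// Result of parsing "data:[<mediatype>][;charset=<cs>][;base64],<data>".
struct DataUrl {
    std::string mimeType;   // "type/subtype", empty if absent
    std::string charset;    // charset parameter value, empty if absent
    bool isBase64 = false;  // ";base64" token present
    std::string payload;    // raw (undecoded) data after the comma
};

// Returns false for input that is not a data: URL or lacks the comma.
// A parameter with no '=' (a bare "charset", as in "data:charset,") is
// tolerated and ignored rather than treated as an internal invariant.
bool parseDataUrl(const std::string& url, DataUrl& out) {
    const std::string scheme = "data:";
    if (url.compare(0, scheme.size(), scheme) != 0) return false;
    const size_t comma = url.find(',', scheme.size());
    if (comma == std::string::npos) return false;   // no payload separator
    out = DataUrl{};
    out.payload = url.substr(comma + 1);
    const std::string header = url.substr(scheme.size(), comma - scheme.size());
    // Split the header on ';' into media type and parameter tokens.
    std::vector<std::string> parts;
    for (size_t start = 0;;) {
        const size_t semi = header.find(';', start);
        parts.push_back(header.substr(start, semi - start));
        if (semi == std::string::npos) break;
        start = semi + 1;
    }
    for (size_t i = 0; i < parts.size(); ++i) {
        const std::string& p = parts[i];
        if (i == 0 && p.find('/') != std::string::npos) { out.mimeType = p; continue; }
        if (p == "base64") { out.isBase64 = true; continue; }
        const size_t eq = p.find('=');
        if (eq == std::string::npos) continue;      // bare key: skip, never assert
        if (p.substr(0, eq) == "charset") out.charset = p.substr(eq + 1);
    }
    return true;
}

// Flattens a parse result to "mime|charset|b64|payload", or "INVALID".
std::string parseSummary(const std::string& url) {
    DataUrl d;
    if (!parseDataUrl(url, d)) return "INVALID";
    return d.mimeType + "|" + d.charset + "|" + (d.isBase64 ? "1" : "0") + "|" + d.payload;
}
```

A release build of a library that validates this way degrades to an error return on malformed input, whereas an assertion-enabled build of a parser that asserts on it aborts the whole process.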