Security advisory: zlib in Qt
安全咨询:Qt中的zlib
September 12, 2022 by Andy Shaw | Comments
2022年9月12日 由安迪·肖|评论
zlib through 1.2.12 has a heap-based buffer over-read or buffer overflow in inflate in inflate.c via a large gzip header extra field and has been assigned the CVE id CVE-2022-37434.
zlib到1.2.12在时有基于堆的缓冲区溢出读取或缓冲区溢出。通过一个大的gzip报头额外字段,并被分配了CVE id CVE-2022-37434。
As this only affects applications that call inflateGetHeader directly then applications using Qt are not directly affected by this at all. The symbol may still be exploited if used in conjunction with another vulnerability or if the application uses this function directly.
由于这只会影响直接调用InflategeHeader的应用程序,因此使用Qt的应用程序根本不会受到直接影响。如果与另一个漏洞结合使用或应用程序直接使用此功能,该符号仍可能被利用。
Solution: Apply the following patches (two from Gerrit, or single downloadable patch) or update to Qt 6.4.0, Qt 6.3.2, Qt 6.2.6 or Qt 5.15.11
解决方案:应用以下修补程序(两个来自Gerrit,或一个可下载的修补程序)或更新到Qt 6.4.0、Qt 6.3.2、Qt 5.15.11
Patches:
dev: https://codereview.qt-project.org/c/qt/qtbase/+/429597 and https://codereview.qt-project.org/c/qt/qtbase/+/430422
Qt 6.4: https://codereview.qt-project.org/c/qt/qtbase/+/429655 and https://codereview.qt-project.org/c/qt/qtbase/+/430870
Qt 6.3: https://codereview.qt-project.org/c/qt/qtbase/+/429654 and https://codereview.qt-project.org/c/qt/qtbase/+/430919 or https://download.qt.io/official_releases/qt/6.3/CVE-2022-37434-qtbase-6.3.patch
Qt 6.2: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/429679 and https://codereview.qt-project.org/c/qt%2Ftqtc-qtbase/+/430921 or https://download.qt.io/official_releases/qt/6.2/CVE-2022-37434-qtbase-6.2.patch
Qt 5.15: https://codereview.qt-project.org/c/qt%2Ftqtc-qtbase/+/429680 and https://codereview.qt-project.org/c/qt%2Ftqtc-qtbase/+/430922 or https://download.qt.io/official_releases/qt/5.15/CVE-2022-37434-qtbase-5.15.patch