Security advisory: Qt Network

A recent buffer overflow issue in Qt Network has been reported and has been assigned the CVE id CVE-2023-33285.

QDnsLookup may read outside the bounds of the buffer it allocated to receive the DNS reply with certain, specially crafted replies that violate the DNS protocol.

QDnsLookup only parses DNS replies as a result of a DNS query initiated by the user application, explicitly with this class. This class is usually used by applications that specifically need support for DNS records, such as obtaining an MX for email delivery, and is not used in normal domain name resolution. It is currently not used by any other class in Qt.

To exploit this, the attacker must obtain a valid DNS query and must reply from the correct IP address of the server queried (usually, by controlling the DNS server used by the victim system, such as in a public WiFi scenario).

Attacks from further remote locations may be possible, but intermediary DNS servers may reject this malformed answer and not propagate it.

This only affects Unix based platforms, Windows is not affected at all.

Solution: Apply the following patch or update to Qt 5.15.14, Qt 6.2.9 or Qt 6.5.1

Patches:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/477644
Qt 6.5: https://codereview.qt-project.org/c/qt/qtbase/+/477704 or https://download.qt.io/official_releases/qt/6.5/CVE-2023-33285-qtbase-6.5.diff
Qt 6.2: https://download.qt.io/official_releases/qt/6.2/CVE-2023-33285-qtbase-6.2.diff
Qt 5.15: https://download.qt.io/official_releases/qt/5.15/CVE-2023-33285-qtbase-5.15.diff