On Fri, 11 Jul 2025 09:00:00 +0000 List for announcements regarding Qt releases and development via Announce via Development <development@qt-project.org> wrote:
> Hi,
>
> When passing values outside of the expected range to
> QColorTransferGenericFunction it can cause a denial of service, for
> example, this can happen when passing a specifically crafted ICC
> profile to QColorSpace::fromICCProfile. This has been assigned the
> CVE id CVE-2025-5992. Affected versions: Qt from 6.8.0 through 6.8.3,
> from 6.9.0 through 6.9.1. Vulnerability Score: CVSS v4.0: 2.3
>
> Solution: As a workaround if you are loading ICC profiles then
> ensure that you are doing so from a trusted source. Alternatively,
> you can apply the appropriate patch for your Qt version:
>
> 6.9:
> https://download.qt.io/official_releases/qt/6.9/CVE-2025-5992-qtbase-6.9.patch
> or
> https://codereview.qt-project.org/c/qt/qtbase/+/657023
>
> 6.8:
> https://download.qt.io/official_releases/qt/6.8/CVE-2025-5992-qtbase-6.8.patch
> or
> https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/657094
>
> Kind regards,
>
> Andy
>
> --
>
> Andy Shaw,
>
> Director, Customer Services - SQS
>
> The Qt Company
>
> Confidential

Could it be used indirectly via other Qt APIs? Is e.g. reading images via QImage from untrusted sources affected? Is there a full list of Qt APIs affected?

--
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development