A critical vulnerability (CVE-2023-32763) affects the widely used Qt application framework: versions prior to 5.15.15, 6.x prior to 6.2.9, and 6.3.x through 6.5.x prior to 6.5.1. When an SVG file containing an image is processed, a buffer overflow in QTextLayout can be triggered. Because the overflow happens in native code inside the process that renders the file, an attacker who can get a vulnerable Qt application to render a crafted SVG could potentially execute arbitrary code on the target system or cause a denial-of-service (DoS) condition.

In this post, we will go through the details of the vulnerability, its root cause, and its potential impact.

Vulnerability Details

During the rendering of an SVG file with an embedded image, Qt's text rendering engine can overflow a buffer in QTextLayout, the class that lays out and positions text for drawing. The public advisory text is brief, so the mechanism given here is an interpretation of it: the layout buffer appears to be sized without accounting for the embedded image, so a specially crafted SVG can cause writes past the end of that buffer. The consequences are the usual ones for an out-of-bounds write in native code: a crash (DoS) or, with a carefully constructed file, remote code execution (RCE) in the process that rendered it.

Below is a minimal SVG file with the shape that reaches the affected code path: an embedded image (here used as a fill pattern) together with text that QTextLayout must lay out. It is an illustration of the structure only, not a working exploit; the placeholder _DATA_HERE stands for the image data.

<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
   <defs>
      <pattern id="imgPattern" x="0" y="0" width="100" height="100">
         <!-- _DATA_HERE is a placeholder for the image reference, e.g. a data: URI -->
         <image href="_DATA_HERE"/>
      </pattern>
   </defs>
   <rect x="0" y="0" width="100" height="100" fill="url(#imgPattern)"/>
   <text font-size="25" x="10" y="30">
      <![CDATA[
          BufferOverFlow_Susceptible_Text
      ]]>
   </text>
</svg>

For more information about the vulnerability, please refer to the following resources:

1. Qt Security Advisory - The advisory published by the Qt Project, which lists the affected versions and the releases that contain the fix.
2. NIST National Vulnerability Database (NVD) entry for CVE-2023-32763 - Provides the summary, CVSS severity rating, and affected-configuration (CPE) data for the vulnerability.
3. The qtbase fix on Qt's code review system (codereview.qt-project.org) - The actual change to QTextLayout, which is the authoritative source for the root cause.

Exploit Details

An attacker who can deliver a crafted SVG file to a vulnerable Qt-based application (for example as an attachment or a download that the application renders) can exploit this vulnerability to potentially execute arbitrary code in that process, gain unauthorized access with its privileges, or cause a denial of service (DoS). Rendering the file is enough; no other user interaction is required.
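Since the trigger condition is structural (an image inside an SVG that also lays out text), a file gateway or mail filter can pre-screen untrusted SVGs for that shape before a Qt client ever renders them. The following is an added example and not code from Qt or from the original post; the sample SVGs inside it are constructed for the demonstration, and a match is a triage signal rather than proof that a file is malicious, because benign SVGs use the same elements.

```python
"""Pre-screen SVG files for the CVE-2023-32763 trigger shape.

Added example (not Qt's code, not the original post's). Flags SVGs that contain
an <image> element together with text-layout elements (<text>/<tspan>), which is
the combination the advisory describes. Treat a match as a reason to quarantine
or rasterize elsewhere, not as a verdict.
"""
import xml.etree.ElementTree as ET

SVG_NS = "http://www.w3.org/2000/svg"
XLINK_NS = "http://www.w3.org/1999/xlink"


def _local_name(tag):
    # ElementTree reports namespaced tags as "{uri}name"; keep only "name".
    return tag.rsplit("}", 1)[-1]


def _image_href(elem):
    # SVG 2 uses a plain href attribute; SVG 1.1 uses xlink:href. Accept both.
    return elem.get("href") or elem.get("{%s}href" % XLINK_NS) or ""


def screen_svg(data: bytes) -> dict:
    """Parse an SVG and report image/text usage plus a 'matches_trigger' flag.

    Malformed XML is reported as unparseable; a gateway should reject such files
    rather than hand them to a renderer. NOTE: xml.etree does not defend against
    entity-expansion attacks; a production gateway should parse with defusedxml.
    """
    try:
        root = ET.fromstring(data)
    except ET.ParseError as exc:
        return {"parseable": False, "error": str(exc), "matches_trigger": False}

    if _local_name(root.tag) != "svg":
        return {"parseable": True, "is_svg": False, "matches_trigger": False}

    images = [e for e in root.iter() if _local_name(e.tag) == "image"]
    texts = [e for e in root.iter() if _local_name(e.tag) in ("text", "tspan")]
    embedded = [e for e in images if _image_href(e).startswith("data:")]

    return {
        "parseable": True,
        "is_svg": True,
        "image_count": len(images),
        "embedded_image_count": len(embedded),
        "text_element_count": len(texts),
        # The advisory's trigger shape: an image inside an SVG that also lays out text.
        "matches_trigger": bool(images) and bool(texts),
    }


# Constructed sample inputs for the demonstration (not real exploit files).
SAMPLE_IMAGE_AND_TEXT = b"""<?xml version="1.0" encoding="UTF-8"?>
<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 100 100">
  <defs>
    <pattern id="imgPattern" x="0" y="0" width="100" height="100">
      <image href="data:image/png;base64,iVBORw0KGgo="/>
    </pattern>
  </defs>
  <rect x="0" y="0" width="100" height="100" fill="url(#imgPattern)"/>
  <text font-size="25" x="10" y="30">hello</text>
</svg>"""

SAMPLE_BENIGN = b"""<svg xmlns="http://www.w3.org/2000/svg" viewBox="0 0 10 10">
  <circle cx="5" cy="5" r="4"/>
</svg>"""

SAMPLE_BROKEN = b"<svg><image href='x'>"

if __name__ == "__main__":
    for name, blob in [("image+text", SAMPLE_IMAGE_AND_TEXT),
                       ("benign", SAMPLE_BENIGN),
                       ("broken", SAMPLE_BROKEN)]:
        print(name, screen_svg(blob))
```

Run it as a script to see the three verdicts, or import screen_svg() into a gateway. The check deliberately walks the whole tree rather than only top-level children, because the image in the page's sample sits inside a <pattern> under <defs>.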

To mitigate the risk of exploitation, upgrade affected Qt installations to the patched releases, which according to the affected ranges above are 5.15.15, 6.2.9, and 6.5.1 (or any later release on those branches). Applications that bundle their own copy of Qt must be rebuilt or redistributed with a fixed version; updating the system Qt does not help them. Where upgrading is not immediately possible, avoid rendering SVG files from untrusted sources in Qt-based applications.
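Checking patch status is mostly a matter of comparing a version string against the affected ranges, which is easy to get wrong by hand because three separate branches have three separate fix points. The following is an added example, not code from Qt or from the original post; the thresholds are the versions quoted in this post (5.15.15, 6.2.9, 6.5.1), and the optional qmake lookup uses the real `qmake -query QT_VERSION` command.

```python
"""Check a Qt version string against the CVE-2023-32763 affected ranges.

Added example (not Qt's code, not the original post's). The thresholds below are
the ranges quoted in this post; confirm them against the Qt advisory for the
branch you actually ship before relying on the result.
"""
import re
import shutil
import subprocess

# First fixed release on each affected branch family, as listed in this post.
FIXED_5_15 = (5, 15, 15)
FIXED_6_2 = (6, 2, 9)
FIXED_6_5 = (6, 5, 1)

_VERSION_RE = re.compile(r"^\s*(\d+)\.(\d+)(?:\.(\d+))?")


def parse_qt_version(text: str):
    """Turn '6.5.0', '5.15.13-1ubuntu2' or '6.4' into a (major, minor, patch) tuple.

    Distribution suffixes after the numeric part are ignored; a missing patch
    level is treated as .0, which is the conservative choice for a vulnerability check.
    """
    m = _VERSION_RE.match(text)
    if not m:
        raise ValueError("not a Qt version string: %r" % text)
    major, minor, patch = m.groups()
    return int(major), int(minor), int(patch or 0)


def is_vulnerable_cve_2023_32763(version: str):
    """Return True inside the affected ranges, False at or past the fix on that
    branch, and None for branches the advisory does not cover (e.g. Qt 4),
    which need a manual decision rather than a silent 'not affected'."""
    v = parse_qt_version(version)
    major, minor, _patch = v
    if major == 5:
        return v < FIXED_5_15          # every 5.x release before 5.15.15
    if major == 6:
        if minor <= 2:
            return v < FIXED_6_2       # 6.0.x, 6.1.x and 6.2.0 .. 6.2.8
        if 3 <= minor <= 5:
            return v < FIXED_6_5       # 6.3.x, 6.4.x and 6.5.0
        return False                   # 6.6 and later shipped after the fix
    return None


def installed_qt_version():
    """Ask the qmake on PATH for its Qt version; None if no qmake is installed."""
    qmake = shutil.which("qmake6") or shutil.which("qmake")
    if not qmake:
        return None
    out = subprocess.run([qmake, "-query", "QT_VERSION"],
                         capture_output=True, text=True, check=False)
    return out.stdout.strip() or None


if __name__ == "__main__":
    v = installed_qt_version()
    if v is None:
        print("no qmake on PATH; call is_vulnerable_cve_2023_32763() with a version string")
    else:
        verdict = is_vulnerable_cve_2023_32763(v)
        print(v, {True: "VULNERABLE", False: "not in affected range", None: "unknown branch"}[verdict])
```

The qmake query only tells you about the toolkit on the build host. For deployed software, run the comparison against the Qt libraries actually shipped with each application (for example the version embedded in the Qt5Core/Qt6Core library), since bundled copies are what the attacker's SVG ends up in.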

Conclusion

The QTextLayout buffer overflow vulnerability presents a significant security risk to users of affected Qt versions, and to any application that bundles one of those versions. To protect systems from attack, it is crucial to patch affected installations and rebuild bundled copies. Treat SVG files from untrusted sources, such as email attachments or files downloaded from websites, with the same caution as any other complex file format: an SVG is an XML document that can carry embedded images and drive the text layout engine, not a harmless picture.

Timeline

Published on: 05/28/2023 23:15:00 UTC
Last modified on: 06/03/2023 03:58:00 UTC