Owners
The Qt Company is an information technology company headquartered in Norway.
The company develops software tools for developers.
History
2024: A critical vulnerability has been discovered in a popular library that is used in Russian operating systems
The Qt library developers from The Qt Company have published[1] a warning about a serious vulnerability in the implementation of the HTTP2 protocol which allows, among other things, execution of arbitrary code. According to the CVSS classification, the vulnerability was assigned a score of 9.8 out of 10, that is, "critical", with the possibility of remote code execution. The developer has released fixes and recommends updating to versions 5.15.17, 6.2.11, 6.5.4 or 6.6.2, since all earlier versions of the library are vulnerable.
The vulnerability, numbered CVE-2023-51714, is associated with an integer overflow in the packed header processing code (HPack) and manifests itself when receiving packets with 4 GB of total data in HTTP headers, or after receiving a single header larger than 2 GB. Typically, HTTP headers are not very large, since they contain only short directives, but attackers can deliberately compose large headers to overflow the integer counter and write data outside the allocated memory buffer. This makes it possible to execute arbitrary code. So far, no exploits for the vulnerability have been observed.
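The mechanism described above, a running byte counter that wraps once declared header sizes pass 4 GB, is shown below as a constructed C++ example. This is not Qt's code and not taken from the advisory: the function names, the list of declared field lengths, and the two limits (one per field, one for the whole header list, chosen to mirror the 2 GB and 4 GB thresholds in the text) are all assumptions. The unchecked accumulator is the vulnerable pattern; the checked one rejects the stream before any buffer is sized from a wrapped count.

```cpp
#include <cstdint>
#include <cstdio>
#include <vector>

// Constructed example (not Qt's code): length accounting in an HPACK-style
// header block decoder. Each element of `declared` is a field length as read
// from the wire; a malformed stream can declare any value the integer
// encoding allows, so nothing here may be trusted without a bound.

// Assumed limits, chosen to mirror the thresholds named in the advisory text.
constexpr uint64_t kMaxSingleField = (1ull << 31) - 1;   // just under 2 GiB
constexpr uint64_t kMaxHeaderList  = (1ull << 32) - 1;   // just under 4 GiB

// Vulnerable pattern: a 32-bit running total with no bounds check. Each
// addition is reduced modulo 2^32, so the value later used to size a buffer
// can be far smaller than the bytes that will actually be copied into it.
uint32_t unchecked_total(const std::vector<uint64_t>& declared) {
    uint32_t total = 0;
    for (uint64_t len : declared) {
        total += static_cast<uint32_t>(len);   // truncation and wrap, both silent
    }
    return total;
}

// Hardened pattern: check every field against a per-field limit, and test the
// running total against the list limit *before* adding, using a subtraction
// that cannot itself overflow. Returns false on the first violation so the
// decoder can abort the stream instead of allocating from a wrapped count.
bool checked_total(const std::vector<uint64_t>& declared,
                   uint64_t max_single, uint64_t max_total, uint64_t& total) {
    total = 0;
    for (uint64_t len : declared) {
        if (len > max_single) return false;          // one oversized field
        if (len > max_total - total) return false;   // list limit would be exceeded
        total += len;
    }
    return true;
}

int main() {
    // Constructed input: three declared lengths whose true sum is exactly 2^32.
    std::vector<uint64_t> wraps = {(1ull << 31) - 1, (1ull << 31) - 1, 2};
    uint64_t safe = 0;
    std::printf("unchecked total: %u (true sum is 4294967296)\n", unchecked_total(wraps));
    std::printf("checked accepts: %s\n",
                checked_total(wraps, kMaxSingleField, kMaxHeaderList, safe) ? "yes" : "no");
    return 0;
}
```

The important detail is the order of the two checks: comparing `len` against `max_total - total` is only safe because `total` never exceeds `max_total`, which the previous iteration guaranteed. Rewriting it as `total + len > max_total` reintroduces the very overflow the check is meant to catch.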
The Qt library is used in various Linux distributions as part of KDE, where it implements the basic components of the graphical shell and other elements of the operating system. In addition, rapid application development tools built on the library are used by developers of domestic mobile operating systems such as ROSA Mobile and Aurora. However, it is still difficult to determine how far each of the listed distributions and operating systems is affected by this vulnerability; one has to wait for announcements and fixes from the specific developers.
Since there are no exploits for the vulnerability yet, the current risk of exploitation is minimal. It is recommended to route the traffic of corporate mobile devices running ROSA Mobile, Aurora and other mobile devices running Linux with KDE through the corporate network, blocking oversized HTTP headers there. In addition, it is worth monitoring announcements from the developers of domestic operating systems about the release of updates that eliminate this vulnerability; as soon as such updates are available, they should be installed as quickly as possible.
2014: Building a Company
On September 16, 2014, Digia Plc announced the creation of a subsidiary of The Qt Company to further develop the Qt framework on its own.
A new site, www.qt.io, was launched. Its goal is to combine the information flows of the company's commercial direction and of the open Qt Project community, which had existed in parallel.
Notes
- ↑ [https://www.qt.io/blog/security-advisory-potential-integer-overflow-in-qts-http2-implementation Security advisory: Potential Integer Overflow in Qt's HTTP2 implementation]