Vigil@nce - Qt: denial of service via QXmlSimpleReader
January 2014 by Vigil@nce
This bulletin was written by Vigil@nce : http://vigilance.fr/offer
SYNTHESIS OF THE VULNERABILITY
An attacker can transmit malicious XML data to a Qt application
using QXmlSimpleReader, in order to force it to allocate large
memory resources.
Impacted products: Unix (platform)
Severity: 2/4
Creation date: 19/12/2013
DESCRIPTION OF THE VULNERABILITY
The QXmlSimpleReader library processes XML data.
An XML entity (such as "&abc;") is used to define an alias of a
text string.
However, if the same large entity is called several thousand times
in an XML document, the library consumes numerous resources to
store the XML tree.
An attacker can therefore transmit malicious XML data to a Qt
application using QXmlSimpleReader, in order to force it to
allocate large memory resources.
ACCESS TO THE COMPLETE VIGIL@NCE BULLETIN
http://vigilance.fr/vulnerability/Qt-denial-of-service-via-QXmlSimpleReader-13963