Eskil Abrahamsen Blomfeldt

Security advisory about Qt for Android

Published Wednesday November 22nd, 2017
Posted in Android, Announcements, Dev Loop, Security

Two vulnerabilities have been identified in Qt for Android which could be used by a malicious application to hijack an existing Qt for Android application on the same device. The vulnerabilities in question were found by Satoru Nagaoka from Cyber Defense Institute, Inc., and have been assigned the following vulnerability IDs: JVN#27342829 and JVN#67389262.

These vulnerabilities have subsequently been fixed in Qt 5.9 as well as the Qt 5.6 branch of Qt. Qt 5.9.3, which was released today, contains all required patches.

For users of Qt 5.7 or Qt 5.8, we have prepared patch sets which can be applied to the source tree in order to fix these issues. They can be downloaded from Qt Account or by accessing these links: 5.6.3, 5.7.1 and 5.8.0. The patches are organized in qtbase/ and qttools/ subfolders for the code repositories where changes are needed.

Thanks to Bogdan Vatra from KDAB for supplying the necessary patches on short notice.

(updated 2017-12-11: added links to JVN database entries and corrected reporter name.)


3 comments

Gunnar Roth says:

The requested URL /official_releases/qt/5.8/5.8.0/android-patches-5.6-2017_11_16.tar.gz was not found on this server.

Eskil Abrahamsen Blomfeldt says:

The typo in the URL should now be fixed

Matthias Degenkolb says:

Qt 5.8 link is not working.

Also could you provide a link to some CERT incl. standardized severity rating of the vulnerability?
