CVE-2007-4137
Published 2007-09-18
CVE-2007-4137: Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a…
Priority P4 · 30 · high 7.5 (CVSS 2.0)
Vector: AV:N/AC:L/Au:N/C:P/I:P/A:P
EPSS 2.34% (81.5th percentile)
Off-by-one error in the QUtf8Decoder::toUnicode function in Trolltech Qt 3 allows context-dependent attackers to cause a denial of service (crash) via a crafted Unicode string that triggers a heap-based buffer overflow. NOTE: Qt 4 has the same error in the QUtf8Codec::convertToUnicode function, but it is not exploitable.
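The description above names the bug class but not the mechanism. The following is an added example in C, not Qt's source and not the Trolltech patch: a stateful UTF-8 to UTF-16 decoder that sizes its output from the current chunk's byte count alone, fed a constructed two-chunk input whose second chunk produces one unit more than its length. That a pending multi-byte sequence carried over between calls is what makes a "worst case = len" buffer one unit short is an assumption about this model; so is the `len + 1` bound in the hardened variant, which is derived from this decoder's state machine rather than taken from Qt. The terminator check models the Qt 4 remark in the description (an extra QChar(0) absorbs the write) on the same input.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>

#define REPLACEMENT 0xFFFDu

/* Decoder state carried across calls: the partially assembled code point and
 * the number of continuation bytes still expected (assumed design). */
typedef struct {
    uint32_t uc;
    int need;
} utf8_state;

/* Store one UTF-16 unit if it fits; always count it. The count is what an
 * unchecked decoder would have written; the bounds check keeps the demo UB-free. */
static size_t put(uint16_t *out, size_t cap, size_t n, uint16_t u)
{
    if (n < cap)
        out[n] = u;
    return n + 1;
}

/* Decode one chunk and return the number of UTF-16 units it produced, which
 * may exceed cap (units beyond cap are counted, not written). Range and
 * overlong checks are left out: only the sizing question matters here. */
size_t utf8_decode_chunk(utf8_state *st, const unsigned char *in, size_t len,
                         uint16_t *out, size_t cap)
{
    size_t n = 0;
    for (size_t i = 0; i < len; i++) {
        unsigned char ch = in[i];
        if (st->need) {
            if ((ch & 0xC0) == 0x80) {
                st->uc = (st->uc << 6) | (ch & 0x3F);
                if (--st->need == 0) {
                    if (st->uc > 0xFFFF) {          /* surrogate pair: 2 units */
                        uint32_t v = st->uc - 0x10000;
                        n = put(out, cap, n, (uint16_t)(0xD800 + (v >> 10)));
                        n = put(out, cap, n, (uint16_t)(0xDC00 + (v & 0x3FF)));
                    } else {
                        n = put(out, cap, n, (uint16_t)st->uc);
                    }
                }
                continue;
            }
            /* Broken sequence: emit U+FFFD for it, then fall through and treat
             * ch as a fresh byte, so this one input byte yields two units. */
            n = put(out, cap, n, REPLACEMENT);
            st->need = 0;
        }
        if (ch < 0x80)                 n = put(out, cap, n, ch);
        else if ((ch & 0xE0) == 0xC0) { st->uc = ch & 0x1F; st->need = 1; }
        else if ((ch & 0xF0) == 0xE0) { st->uc = ch & 0x0F; st->need = 2; }
        else if ((ch & 0xF8) == 0xF0) { st->uc = ch & 0x07; st->need = 3; }
        else                           n = put(out, cap, n, REPLACEMENT); /* stray byte */
    }
    return n;
}

/* Constructed input: chunk 1 stops inside a 2-byte sequence, chunk 2 is one
 * ASCII byte. Decoding chunk 2 yields U+FFFD plus 'A': two units from one byte. */
static const unsigned char CHUNK1[] = { 0xC3 };
static const unsigned char CHUNK2[] = { 'A' };

static utf8_state primed_state(void)
{
    utf8_state st = { 0, 0 };
    uint16_t scratch[sizeof CHUNK1];
    utf8_decode_chunk(&st, CHUNK1, sizeof CHUNK1, scratch, sizeof CHUNK1);
    return st;
}

/* Output sized as "worst case = len" from the chunk alone. Returns how many
 * units would land past the end of such a buffer (1 for this input). */
size_t demo_units_past_end(void)
{
    utf8_state st = primed_state();
    uint16_t buf[sizeof CHUNK2];
    size_t n = utf8_decode_chunk(&st, CHUNK2, sizeof CHUNK2, buf, sizeof CHUNK2);
    return n > sizeof CHUNK2 ? n - sizeof CHUNK2 : 0;
}

/* len + 1 units with a terminating 0 (the Qt 4 situation in the description):
 * the extra unit lands in the terminator slot, so nothing outside the
 * allocation is written, but the array is no longer zero-terminated. */
int demo_terminator_clobbered(void)
{
    utf8_state st = primed_state();
    size_t len = sizeof CHUNK2;
    uint16_t *buf = calloc(len + 1, sizeof *buf);
    if (!buf) return -1;
    utf8_decode_chunk(&st, CHUNK2, len, buf, len + 1);
    int clobbered = buf[len] != 0;
    free(buf);
    return clobbered;
}

/* Hardened sizing for this decoder: carried-over state adds at most one unit
 * per chunk (a U+FFFD, or the second surrogate half completed by the first
 * byte), so capacity is len + 1 and the terminator is a separate slot. */
int demo_hardened_fits(void)
{
    utf8_state st = primed_state();
    size_t len = sizeof CHUNK2, cap = len + 1;
    uint16_t *buf = calloc(cap + 1, sizeof *buf);   /* cap units + terminator */
    if (!buf) return -1;
    size_t n = utf8_decode_chunk(&st, CHUNK2, len, buf, cap);
    int ok = n <= cap && buf[cap] == 0;
    free(buf);
    return ok;
}

int main(void)
{
    printf("units past a len-sized buffer: %zu\n", demo_units_past_end());
    printf("terminator clobbered with len+1: %d\n", demo_terminator_clobbered());
    printf("hardened sizing holds: %d\n", demo_hardened_fits());
    return 0;
}
```

The practical check this suggests for any decoder that allocates "worst case" output up front: enumerate every path that emits more than one unit per consumed byte, including state carried in from a previous call, and size from that bound rather than from the input length. A one-unit terminator slot, as in the Qt 4 case, turns the overflow into a missing terminator rather than a fix.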
Affected
23 ranges (version bounds not present in this extraction)
| Vendor | Product | Version range | Fixed in |
|---|---|---|---|
| trolltech | qt | — | — |
CVSS provenance
nvd · v2.0 · 7.5 HIGH · AV:N/AC:L/Au:N/C:P/I:P/A:P
vendor_redhat · 7.5 HIGH
GHSA
GHSA-4hrv-qfhv-9vh5 · ghsa_unreviewed · 2022-05-03 · HIGH · CWE-119
Carries the NVD description above verbatim.
Ubuntu
Qt vulnerability · vendor_ubuntu · 2007-09-18
Dirk Mueller discovered that UTF8 strings could be made to cause a small buffer overflow. A remote attacker could exploit this by sending specially crafted strings to applications that use the Qt3 library for UTF8 processing, potentially leading to arbitrary code execution with user privileges, or a denial of service.
Instructions: After a standard system upgrade you need to restart your session to effect the necessary changes.
Red Hat
QT off by one buffer overflow · vendor_redhat · 2007-09-03 · CVSS 7.5 · HIGH · CWE-193
Carries the NVD description above verbatim. Note the classification difference: Red Hat files the flaw as CWE-193 (off-by-one), GHSA as CWE-119.
No detection rules found.
No public exploits indexed.
Bugzilla
CVE-2007-4137 QT off by one buffer overflow [FC6] · bugzilla · 2007-09-17 · CVSS 7.5 · HIGH
FC6 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
It's fixed in fc6-update.
Bugzilla
CVE-2007-4137 QT off by one buffer overflow [F7] · bugzilla · 2007-09-17 · CVSS 7.5 · HIGH
F7 tracking bug: see blocks bug list for full details of the security issue(s).
[bug automatically created by: add-tracking-bugs]
Discussion:
It's fixed in fedora-7 update.
---
qt-3.3.8-7.fc7 has been pushed to the Fedora 7 stable repository. If problems still persist, please make note of it in this bug report.
Bugzilla
CVE-2007-4137 QT off by one buffer overflow · bugzilla · 2007-08-30 · CVSS 7.5 · HIGH
Dirk Mueller reported an off by one buffer overflow flaw in the way QT parses certain unicode strings.
To quote Dirk:
I've found an off-by-one buffer overflow in QUtf8Decoder::toUnicode(). It is not exploitable with Qt 4.x or above because there is an additional QChar(0) being allocated in QString, however it is still a bug there, as the array returned by utf16() etc is no longer terminated properly.
Discussion:
Created attachment 181821
Proposed patch for QT3
---
Created attachment 181841
Proposed patch for QT4
---
public, removing embargo
http://trolltech.com/company/newsroom/announcements/press.2007-09-03.7564032119
---
This issue was addressed in:
Red Hat Enterprise Linux:
http://rhn.redhat.com/errata/RHSA-2007-0883.html
Fedora:
h
References
ftp://patches.sgi.com/support/free/security/advisories/20070901-01-P.asc
http://bugs.gentoo.org/show_bug.cgi?id=192472
http://dist.trolltech.com/developer/download/175791_3.diff
http://dist.trolltech.com/developer/download/175791_4.diff
http://fedoranews.org/updates/FEDORA-2007-221.shtml
http://fedoranews.org/updates/FEDORA-2007-703.shtml
http://osvdb.org/39384
http://secunia.com/advisories/26778
http://secunia.com/advisories/26782
http://secunia.com/advisories/26804
http://secunia.com/advisories/26811
http://secunia.com/advisories/26857
http://secunia.com/advisories/26868
http://secunia.com/advisories/26882
http://secunia.com/advisories/26987
http://secunia.com/advisories/27053
http://secunia.com/advisories/27275
http://secunia.com/advisories/27382
http://secunia.com/advisories/27996
http://secunia.com/advisories/28021
http://security.gentoo.org/glsa/glsa-200710-28.xml
http://security.gentoo.org/glsa/glsa-200712-08.xml
http://securitytracker.com/id?1018688
http://support.avaya.com/elmodocs2/security/ASA-2007-424.htm
http://trolltech.com/company/newsroom/announcements/press.2007-09-03.7564032119
http://www.debian.org/security/2007/dsa-1426
http://www.mandriva.com/security/advisories?name=MDKSA-2007:183
http://www.novell.com/linux/security/advisories/2007_19_sr.html
http://www.redhat.com/support/errata/RHSA-2007-0883.html
http://www.securityfocus.com/archive/1/481498/100/0/threaded
http://www.securityfocus.com/bid/25657
http://www.ubuntu.com/usn/usn-513-1
http://www.vupen.com/english/advisories/2007/3144
https://bugzilla.redhat.com/show_bug.cgi?id=269001
https://issues.rpath.com/browse/RPL-1751
https://oval.cisecurity.org/repository/search/definition/oval%3Aorg.mitre.oval%3Adef%3A11159