A moderately critical vulnerability was discovered in the QUtf8Decoder of Trolltech's Qt Framework.
The Trolltech developers have now released patch to remove the "QUtf8Decoder" security bug in Qt3 and Qt4. Attackers were able to exploit the vulnerability via a specially crafted Unicode string. Processing the string would cause applications to crash due to an off by one heap overflow and thus execute injected malicious code. According to Trolltech there is no way of exploiting the bug in Qt4.
The error is what's known as an "Off-By-One Error", which is typically caused by a logical error on the part of the programmer leading to control structures being parsed once too often, or not frequently enough. The error can cause a program to crash.
Patches for the vulnerability which is listed under CVE number CVE-2007-4137, are available from the manufacturer's website for Qt3 and Qt4. Distributions are now starting to offer updated program packages, Red Hat for example.
Get 3 Issues + 3 DVDs for the price of a single issue!
Let Linux Magazine's hands-on, technical articles guide you in your daily Linux use. Check out bonus DVDs like Ubuntu, SUSE, or Fedora and save the download.
Only available for a limited time. Don't miss out!
Comments