Security announcement – Windows DLL preloading

A vulnerability caused by the Windows DLL preloading issue has been found in Qt 4.7.0 and 4.6.3. It could cause Qt to load certain DLLs from the current working directory. This issue does not affect Linux, Mac OS X, or any other Qt platforms.

To avoid possible exposure to this vulnerability, download and apply the patch for your Qt version. Patches for all 4.6 versions and 4.7.0 are available for download below.

The patches can be used with Qt under the license(s) that originally accompanied the Qt release to which the patch is being applied.

The upcoming Qt version 4.7.1 already contains this patch.

Patches

cve-2010-3124-patch-4.5.3.diff

cve-2010-3124-patch-4.6.0.diff

cve-2010-3124-patch-4.6.1.diff

cve-2010-3124-patch-4.6.2.diff

cve-2010-3124-patch-4.6.3.diff

cve-2010-3124-patch-4.7.0.diff

Alternative course of action

Loading DLLs from the current directory can also be prevented as described by Microsoft Support at http://support.microsoft.com/kb/2264107
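The setting that Microsoft article describes is the CWDIllegalInDllSearch registry value. The PowerShell audit below is an added example, not part of the original announcement or of Qt; the registry paths, value meanings and precedence rule are taken from KB2264107 as assumptions to confirm there, and myqtapp.exe is a placeholder binary name.

```powershell
# Added example: audit and set CWDIllegalInDllSearch (KB2264107).
# Assumptions: key paths and value meanings as given in the KB;
# 'myqtapp.exe' is a placeholder for the Qt application's binary name.
$SystemKey = 'HKLM:\SYSTEM\CurrentControlSet\Control\Session Manager'
$IfeoRoot  = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options'
$ValueName = 'CWDIllegalInDllSearch'

function Get-CwdDllSearchPolicy {
    param([Parameter(Mandatory)][string]$KeyPath)
    $item = Get-ItemProperty -LiteralPath $KeyPath -Name $ValueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 'not set' }
    # Hex formatting gives the same text whether the DWORD comes back
    # as a signed (-1) or unsigned (4294967295) 32-bit integer.
    $hex = '{0:X8}' -f $item.$ValueName
    switch ($hex) {
        '00000000' { 'default search order, current directory still searched' }
        '00000001' { 'DLL load from current directory blocked if it is a WebDAV folder' }
        '00000002' { 'DLL load from current directory blocked if it is a remote folder' }
        'FFFFFFFF' { 'current directory removed from the DLL search order' }
        default    { "unrecognised value 0x$hex" }
    }
}

function Set-CwdDllSearchPolicy {
    # Requires an elevated session. 0xFFFFFFFF parses as Int32 -1 in
    # PowerShell, which is stored as the DWORD 0xFFFFFFFF.
    param([Parameter(Mandatory)][string]$KeyPath, [int]$Value = 0xFFFFFFFF)
    if (-not (Test-Path -LiteralPath $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
    New-ItemProperty -LiteralPath $KeyPath -Name $ValueName -PropertyType DWord -Value $Value -Force | Out-Null
}

$app    = 'myqtapp.exe'   # placeholder binary name
$system = Get-CwdDllSearchPolicy -KeyPath $SystemKey
$perApp = Get-CwdDllSearchPolicy -KeyPath (Join-Path $IfeoRoot $app)
# Per the KB, a per-application value takes precedence over the system-wide one.
$effective = if ($perApp -ne 'not set') { $perApp } else { $system }
'System-wide : {0}' -f $system
'{0} : {1}' -f $app, $perApp
'Effective   : {0}' -f $effective
# To remove the current directory from the search order for this binary only:
# Set-CwdDllSearchPolicy -KeyPath (Join-Path $IfeoRoot $app)
```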
