Advisories » MGASA-2025-0212

Updated qtbase6 & qtbase5 packages fix security vulnerability

Publication date: 22 Jul 2025
Modification date: 22 Jul 2025
Type: security
Affected Mageia releases : 9
CVE: CVE-2025-5455

Description

An issue was found in the private API function qDecodeDataUrl() in
QtCore, which is used in QTextDocument and QNetworkReply, and,
potentially, in user code. If the function was called with malformed
data, for example, an URL that contained a "charset" parameter that
lacked a value (such as "data:charset,"), and Qt was built with
assertions enabled, then it would hit an assertion, resulting in a
denial of service (abort). This impacts Qt up to 5.15.18, 6.0.0->6.5.8,
6.6.0->6.8.3 and 6.9.0.
                

References

• https://bugs.mageia.org/show_bug.cgi?id=34444
• https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/message/KQMS4MZAS4ACVLXLPAIC3JKRWOKIVJS7/
• https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2025-5455

SRPMS

9/core

• qtbase6-6.4.1-5.2.mga9
• qtbase5-5.15.7-6.2.mga9