Bug 201296 - x11-libs/qt-4.3* < 4.3.2-r1 emul-linux-x86-qtlibs < 20071210 QSslSocket missing SSL certificate verification (CVE-2007-5965)
Summary: x11-libs/qt-4.3* < 4.3.2-r1 emul-linux-x86-qtlibs < 20071210 QSslSocket missi...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://trolltech.com/company/newsroom...
Whiteboard: A4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2007-12-04 23:31 UTC by Robert Buchholz (RETIRED)
Modified: 2007-12-30 19:35 UTC
CC List: 12 users

See Also:
Package list:
Runtime testing required: ---


Attachments
qsslsocket-fix.patch (qsslsocket-fix.patch,1.51 KB, patch)
2007-12-04 23:33 UTC, Robert Buchholz (RETIRED)

Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 23:31:34 UTC
Thiago Macieira of Trolltech wrote:
  Qt 4 has a potential vulnerability in QSslSocket, which might cause the 
  certificate verification in SSL connections not to be performed. As a 
  consequence, code using QSslSocket might be misled into thinking the 
  certificate was verified correctly when it actually failed in one or more 
  criteria.

  To solve the issue, apply the following patch that is attached.

  The next maintenance release of Qt 4 will have the patch included.

  Versions affected: 4.3.0, 4.3.1 and 4.3.2
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 23:33:08 UTC
Created attachment 137760 [details, diff]
qsslsocket-fix.patch

Upstream proposed patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 23:35:43 UTC
We're handling this confidentially as I am not aware of a coordinated release date yet. Caleb, please do not commit the patch yet. If you want to, you can prepare an ebuild and attach it to this bug.

However, since this issue is of low impact, my advice would be to go through the normal stabling process via arch teams once this is public.
Comment 3 Caleb Tennis (RETIRED) gentoo-dev 2007-12-05 12:53:30 UTC
The patch looks pretty harmless, so I won't bother with attaching an ebuild.  I'll just wait for the announcement or release notification, and throw it into portage at that time.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-05 17:09:38 UTC
"Qt 4.3.3, due out today, is not affected by this issue. It affects 
only 4.3.0, 4.3.1 and 4.3.2."

So we can bump the ebuild in the tree before disclosure.
Comment 5 Caleb Tennis (RETIRED) gentoo-dev 2007-12-05 17:20:50 UTC
I got my commercial Qt today, but I'm not sure if we want to do that with the open source one when it's out in a few hours.  Namely, we don't know what else was "fixed" in 4.2.2 -> 4.2.3.  I vote to just revbump 4.2.2 with the patch.  In fact, if you want we can bump it in portage with the patch before the disclosure and not make public mention of the reason for the patch until disclosure.  Thoughts?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-05 19:30:02 UTC
QT 4.3.3 contains this fix and probably some other patches. Feel free to include this patch into 4.3.2 and we'll handle prestabling in this bug.
Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2007-12-05 23:52:47 UTC
qt-4.3.2-r1 has been committed with this patch.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-12-06 00:09:26 UTC
Adding arch security liaisons (plus opfer and armin76) and Chris for releng.

Please test and mark stable x11-libs/qt-4.3.2-r1.
Target keywords : "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-06 07:49:53 UTC
On x86 I get this, but it goes on fine.

rm -f *~ core *.core
g++ -c -pipe -O2 -Wall -W  -I../../../mkspecs/linux-g++ -I. -I. -o ptrsizetest.o ptrsizetest.cpp
ptrsizetest.cpp: In function ‘int main(int, char**)’:
ptrsizetest.cpp:18: error: ‘PointerSize’ is not a member of ‘QPointerSizeTest<4>’
make: *** [ptrsizetest.o] Error 1
Pointer size: 4
Comment 10 Caleb Tennis (RETIRED) gentoo-dev 2007-12-06 11:23:14 UTC
That warning is fine, I believe.  It's just part of their system checks.  The output probably should be suppressed.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-12-06 12:18:24 UTC
Why not 4.3.3?
Comment 12 Caleb Tennis (RETIRED) gentoo-dev 2007-12-06 12:45:23 UTC
If you want to stabilize 4.3.3, then by all means go for it.  But it has a lot more "bug fixes" than just this particular issue, and since it's been in portage for only a day now I wasn't comfortable with requesting it for stabilization.
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-06 16:04:21 UTC
x86 stable for 4.3.2-r1
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2007-12-06 16:46:04 UTC
alpha/ia64/sparc stable for 4.3.2-r1
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2007-12-07 13:59:33 UTC
ppc64 stable (qt-4.3.2-r1)
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-07 14:01:05 UTC
ppc stable
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-07 16:15:06 UTC
Stable for HPPA.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2007-12-10 13:16:53 UTC
amd64 stable, last arch.

This is ready for GLSA decision. I tend to vote yes.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2007-12-10 16:23:01 UTC
taco, please merge this into a new qt emul.
Comment 20 Peter Weller (RETIRED) gentoo-dev 2007-12-11 00:28:43 UTC
Bumped the emul ebuild with new Qt, not yet stable though.
Comment 21 Peter Weller (RETIRED) gentoo-dev 2007-12-11 22:01:13 UTC
app-emulation/emul-linux-x86-qtlibs-20071210 stable on amd64
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2007-12-30 19:21:11 UTC
public via $URL

I vote NO on this bug.
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-30 19:35:31 UTC
no too, closing.