201296 2007-12-04 23:31 0000 x11-libs/qt-4.3* < 4.3.2-r1 emul-linux-x86-qtlibs < 20071210 QSslSocket missing SSL certificate verification (CVE-2007-5965) 2007-12-30 19:35:31 0000 1 1 1 Unclassified Gentoo Security Vulnerabilities unspecified All Linux RESOLVED FIXED http://trolltech.com/company/newsroom/announcements/press.2007-12-21.2182567220 A4 [noglsa] P2 minor --- 1 rbu@gentoo.org security@gentoo.org armin76@gentoo.org beandog@gentoo.org caleb@gentoo.org corsair@gentoo.org dertobi123@gentoo.org fauli@gentoo.org ferdy@gentoo.org jer@gentoo.org kingtaco@gentoo.org tsunam@gentoo.org welp@gentoo.org wolf31o2@gentoo.org rbu@gentoo.org 2007-12-04 23:31:34 0000 Thiago Macieira of Trolltech wrote: Qt 4 has a potential vulnerability in QSslSocket, which might cause a the certificate verification in SSL connections not to be performed. As a consequence, code using QSslSocket might be mislead into thinking the certificate was verified correctly when it actually failed in one or more criterea To solve the issue, apply the following patch that is attached. The next maintenance release of Qt 4 will have the patch included. Versions affected: 4.3.0, 4.3.1 and 4.3.2 rbu@gentoo.org 2007-12-04 23:33:08 0000 Created an attachment (id=137760) qsslsocket-fix.patch Upstream propsed patch rbu@gentoo.org 2007-12-04 23:35:43 0000 We're handling this confidential as I am not aware of a coordinated release date yet. Caleb, please do not commit the patch yet. If you want to, you can prepare an ebuild and attach it to this bug. However, since this issue is of a low impact, my advise would be to go normal stabling process via arch teams once this is public. caleb@gentoo.org 2007-12-05 12:53:30 0000 The patch looks pretty harmless, so I won't bother with attaching an ebuild. I'll just wait for the announcement or release notification, and throw it into portage at that time. rbu@gentoo.org 2007-12-05 17:09:38 0000 "Qt 4.3.3, due out today, is not affected by this issue. It affects only 4.3.0, 4.3.1 and 4.3.2." So we can bump the ebuild in the tree before disclosure. caleb@gentoo.org 2007-12-05 17:20:50 0000 I got my commercial Qt today, but I'm not sure if we want to do that with the open source one when it's out in a few hours. Namely, we don't know what else was "fixed" in 4.2.2 -> 4.2.3. I vote to just revbump 4.2.2 with the patch. In fact, if you want we can bump it in portage with the patch before the disclosure and not make public mention of the reason for the patch until disclosure. Thoughts? rbu@gentoo.org 2007-12-05 19:30:02 0000 QT 4.3.3 contains this fix and probably some other patches. Feel free to include this patch into 4.3.2 and we'll handle prestabling in this bug. caleb@gentoo.org 2007-12-05 23:52:47 0000 qt-4.3.2-r1 has been committed with this patch. rbu@gentoo.org 2007-12-06 00:09:26 0000 Adding arch security liaisons (plus opfer and armin76) and Chris for releng. Please test and mark stable x11-libs/qt-4.3.2-r1. Target keywords : "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86" fauli@gentoo.org 2007-12-06 07:49:53 0000 On x86 I get this, but it goes on fine. rm -f *~ core *.core g++ -c -pipe -O2 -Wall -W -I../../../mkspecs/linux-g++ -I. -I. -o ptrsizetest.o ptrsizetest.cpp ptrsizetest.cpp: In function ‘int main(int, char**)’: ptrsizetest.cpp:18: error: ‘PointerSize’ is not a member of ‘QPointerSizeTest<4>’ make: *** [ptrsizetest.o] Error 1 Pointer size: 4 caleb@gentoo.org 2007-12-06 11:23:14 0000 That warning is fine, I believe. It's just part of their system checks. The output probably should be supressed. armin76@gentoo.org 2007-12-06 12:18:24 0000 Why not 4.3.3? caleb@gentoo.org 2007-12-06 12:45:23 0000 If you want to stablize 4.3.3, then by all means go for it. But it has a lot more "bug fixes" than just this particular issue, and since it's been in portage for only a day now I wasn't comfortable with requesting it for stabilization. fauli@gentoo.org 2007-12-06 16:04:21 0000 x86 stable for 4.3.2-r1 armin76@gentoo.org 2007-12-06 16:46:04 0000 alpha/ia64/sparc stable for 4.3.2-r1 corsair@gentoo.org 2007-12-07 13:59:33 0000 ppc64 stable (qt-4.3.2-r1) dertobi123@gentoo.org 2007-12-07 14:01:05 0000 ppc stable jer@gentoo.org 2007-12-07 16:15:06 0000 Stable for HPPA. rbu@gentoo.org 2007-12-10 13:16:53 0000 amd64 stable, last arch. This is ready for GLSA decision. I tend to vote yes. rbu@gentoo.org 2007-12-10 16:23:01 0000 taco, please merge this into a new qt emul. welp@gentoo.org 2007-12-11 00:28:43 0000 Bumped the emul ebuild with new Qt, not yet stable though. welp@gentoo.org 2007-12-11 22:01:13 0000 app-emulation/emul-linux-x86-qtlibs-20071210 stable on amd64 rbu@gentoo.org 2007-12-30 19:21:11 0000 public via $URL I vote NO on this bug. py@gentoo.org 2007-12-30 19:35:31 0000 no too, closing. 137760 2007-12-04 23:33 0000 qsslsocket-fix.patch qsslsocket-fix.patch text/plain ZGlmZiBzcmMvbmV0d29yay9xc3Nsc29ja2V0X29wZW5zc2wuY3BwIHNyYy9uZXR3b3JrL3Fzc2xz b2NrZXRfb3BlbnNzbC5jcHAKLS0tIHNyYy9uZXR3b3JrL3Fzc2xzb2NrZXRfb3BlbnNzbC5jcHAK KysrIHNyYy9uZXR3b3JrL3Fzc2xzb2NrZXRfb3BlbnNzbC5jcHAKQEAgLTE4OCw4ICsxODgsOCBA QCBzdHJ1Y3QgUVNzbEVycm9yTGlzdAogUV9HTE9CQUxfU1RBVElDKFFTc2xFcnJvckxpc3QsIF9x X3NzbEVycm9yTGlzdCkKIHN0YXRpYyBpbnQgcV9YNTA5Q2FsbGJhY2soaW50IG9rLCBYNTA5X1NU T1JFX0NUWCAqY3R4KQogewotICAgIFFfVU5VU0VEKG9rKTsKLSAgICBfcV9zc2xFcnJvckxpc3Qo KS0+ZXJyb3JzIDw8IGN0eC0+ZXJyb3I7CisgICAgaWYgKCFvaykKKyAgICAgICAgX3Ffc3NsRXJy b3JMaXN0KCktPmVycm9ycyA8PCBjdHgtPmVycm9yOwogICAgIHJldHVybiBjdHgtPmVycm9yOwog fQogCkBAIC0yOTcsNiArMjk3LDcgQEAgYm9vbCBRU3NsU29ja2V0QmFja2VuZFByaXZhdGU6Omlu aXRTc2xDb250ZXh0KCkKIAogICAgIC8vIENsZWFyIHRoZSBzZXNzaW9uLgogICAgIHFfU1NMX2Ns ZWFyKHNzbCk7CisgICAgZXJyb3JMaXN0LmNsZWFyKCk7CiAKICAgICAvLyBJbml0aWFsaXplIG1l bW9yeSBCSU9zIGZvciBlbmNyeXB0aW9uIGFuZCBkZWNyeXB0aW9uLgogICAgIHJlYWRCaW8gPSBx X0JJT19uZXcocV9CSU9fc19tZW0oKSk7CkBAIC01NzAsNyArNTcxLDcgQEAgYm9vbCBRU3NsU29j a2V0QmFja2VuZFByaXZhdGU6OnRlc3RDb25uZWN0aW9uKCkKICAgICBfcV9zc2xFcnJvckxpc3Qo KS0+bXV0ZXgubG9jaygpOwogICAgIF9xX3NzbEVycm9yTGlzdCgpLT5lcnJvcnMuY2xlYXIoKTsK ICAgICBpbnQgcmVzdWx0ID0gKG1vZGUgPT0gUVNzbFNvY2tldDo6U3NsQ2xpZW50TW9kZSkgPyBx X1NTTF9jb25uZWN0KHNzbCkgOiBxX1NTTF9hY2NlcHQoc3NsKTsKLSAgICBRTGlzdDxpbnQ+IGVy cm9yTGlzdCA9IF9xX3NzbEVycm9yTGlzdCgpLT5lcnJvcnM7CisgICAgZXJyb3JMaXN0IDw8IF9x X3NzbEVycm9yTGlzdCgpLT5lcnJvcnM7CiAgICAgX3Ffc3NsRXJyb3JMaXN0KCktPm11dGV4LnVu bG9jaygpOwogCiAgICAgLy8gQ2hlY2sgaWYgd2UncmUgZW5jcnlwdGVkIG9yIG5vdC4KZGlmZiBz cmMvbmV0d29yay9xc3Nsc29ja2V0X29wZW5zc2xfcC5oIHNyYy9uZXR3b3JrL3Fzc2xzb2NrZXRf b3BlbnNzbF9wLmgKaW5kZXggYmU1N2I4Ny4uMDBiOWI0NSAxMDA2NDQKLS0tIHNyYy9uZXR3b3Jr L3Fzc2xzb2NrZXRfb3BlbnNzbF9wLmgKKysrIHNyYy9uZXR3b3JrL3Fzc2xzb2NrZXRfb3BlbnNz bF9wLmgKQEAgLTc3LDYgKzc3LDcgQEAgcHVibGljOgogICAgIFNTTF9TRVNTSU9OICpzZXNzaW9u OwogICAgIFg1MDlfU1RPUkUgKmNlcnRpZmljYXRlU3RvcmU7CiAgICAgWDUwOV9TVE9SRV9DVFgg KmNlcnRpZmljYXRlU3RvcmVDdHg7CisgICAgUUxpc3Q8aW50PiBlcnJvckxpc3Q7CiAKICAgICAv LyBQbGF0Zm9ybSBzcGVjaWZpYyBmdW5jdGlvbnMKICAgICB2b2lkIHN0YXJ0Q2xpZW50RW5jcnlw dGlvbigpOwo=