Bug 201296 - x11-libs/qt-4.3* < 4.3.2-r1 emul-linux-x86-qtlibs < 20071210 QSslSocket missing SSL certificate verification (CVE-2007-5965)
Bug#: 201296
Product: Gentoo Security
Version: unspecified
Platform: All
OS/Version: Linux
Status: RESOLVED
Severity: minor
Priority: P2
Resolution: FIXED
Assigned To: security@gentoo.org
Reported By: rbu@gentoo.org
Component: Vulnerabilities
URL: http://trolltech.com/company/newsroom/announcements/press.2007-12-21.2182567220
Summary: x11-libs/qt-4.3* < 4.3.2-r1 emul-linux-x86-qtlibs < 20071210 QSslSocket missing SSL certificate verification (CVE-2007-5965)
Keywords:
Status Whiteboard: A4 [noglsa]
Opened: 2007-12-04 23:31 0000
|
Thiago Macieira of Trolltech wrote:
Qt 4 has a potential vulnerability in QSslSocket, which might cause the
certificate verification in SSL connections not to be performed. As a
consequence, code using QSslSocket might be misled into thinking the
certificate was verified correctly when it actually failed in one or more
criteria.
To solve the issue, apply the following patch that is attached.
The next maintenance release of Qt 4 will have the patch included.
Versions affected: 4.3.0, 4.3.1 and 4.3.2
We're handling this confidentially as I am not aware of a coordinated release
date yet. Caleb, please do not commit the patch yet. If you want to, you can
prepare an ebuild and attach it to this bug.
However, since this issue is of low impact, my advice would be to go through the normal
stabling process via arch teams once this is public.
The patch looks pretty harmless, so I won't bother with attaching an ebuild.
I'll just wait for the announcement or release notification, and throw it into
portage at that time.
"Qt 4.3.3, due out today, is not affected by this issue. It affects
only 4.3.0, 4.3.1 and 4.3.2."
So we can bump the ebuild in the tree before disclosure.
I got my commercial Qt today, but I'm not sure if we want to do that with the
open source one when it's out in a few hours. Namely, we don't know what else
was "fixed" in 4.2.2 -> 4.2.3. I vote to just revbump 4.2.2 with the patch.
In fact, if you want we can bump it in portage with the patch before the
disclosure and not make public mention of the reason for the patch until
disclosure. Thoughts?
QT 4.3.3 contains this fix and probably some other patches. Feel free to
include this patch into 4.3.2 and we'll handle prestabling in this bug.
qt-4.3.2-r1 has been committed with this patch.
Adding arch security liaisons (plus opfer and armin76) and Chris for releng.
Please test and mark stable x11-libs/qt-4.3.2-r1.
Target keywords : "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
On x86 I get this, but it goes on fine.
rm -f *~ core *.core
g++ -c -pipe -O2 -Wall -W -I../../../mkspecs/linux-g++ -I. -I. -o
ptrsizetest.o ptrsizetest.cpp
ptrsizetest.cpp: In function ‘int main(int, char**)’:
ptrsizetest.cpp:18: error: ‘PointerSize’ is not a member of
‘QPointerSizeTest<4>’
make: *** [ptrsizetest.o] Error 1
Pointer size: 4
That warning is fine, I believe. It's just part of their system checks. The
output probably should be suppressed.
If you want to stabilize 4.3.3, then by all means go for it. But it has a lot
more "bug fixes" than just this particular issue, and since it's been in
portage for only a day now I wasn't comfortable with requesting it for
stabilization.
alpha/ia64/sparc stable for 4.3.2-r1
ppc64 stable (qt-4.3.2-r1)
amd64 stable, last arch.
This is ready for GLSA decision. I tend to vote yes.
taco, please merge this into a new qt emul.
Bumped the emul ebuild with new Qt, not yet stable though.
app-emulation/emul-linux-x86-qtlibs-20071210 stable on amd64
public via $URL
I vote NO on this bug.