Bug 382171 - <dev-qt/qtcore-4.7.2-r2 Fraudulent DigiNotar certificates
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://labs.qt.nokia.com/2011/09/07/w...
Whiteboard: B4 [glsa]
Keywords:
Depends on: 382253
Blocks:
Reported: 2011-09-07 19:08 UTC by Markos Chandras (RETIRED)
Modified: 2013-11-22 11:10 UTC (History)
See Also:
Package list:
Runtime testing required: ---

Description Markos Chandras (RETIRED) gentoo-dev 2011-09-07 19:08:47 UTC
Hi, Nokia released two diffs[1][2] for blacklisting all the DigiNotar certificates. Please either apply it to 4.7.3 or bump to 4.7.4, apply the patch and mark it stable ASAP. Thanks

[1] http://qt.nokia.com/files/qt-patches/blacklist-diginotar-certs.diff/at_download/file

[2] http://qt.nokia.com/files/qt-patches/blacklist-diginotar-and-comodo-certs.diff/at_download/file
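The fix requested above is a blacklist of known-fraudulent certificates compiled into Qt's TLS backend, as opposed to removing the DigiNotar root from the trust store. The Python below is an added example written for this page; it is neither the Qt patch nor Gentoo code. It assumes a blacklist keyed on (serial number, subject CN) pairs, shows why serial numbers must be normalized before comparison, walks the whole chain rather than only the leaf, and contrasts a per-certificate blacklist with wholesale distrust of an issuer, which is what a practitioner needs to understand when deciding whether a blacklist-only fix is sufficient. Every subject name, serial number and CA name in it is a constructed placeholder, not a real DigiNotar value.

```python
"""Certificate blacklist check modelled on a compiled-in (serial, subject CN)
list. All entries are CONSTRUCTED placeholders for this example."""

from dataclasses import dataclass


@dataclass(frozen=True)
class Cert:
    """Minimal view of an X.509 certificate; only the fields the check needs."""
    subject_cn: str
    issuer_cn: str
    serial: str  # hex, in whatever form the caller has (colons, case, leading zeros)


def normalize_serial(serial: str) -> str:
    """Canonical hex form: lowercase, no separators, no leading zeros.

    A serial number is an integer. Comparing raw strings would miss
    '0A:BC' against 'abc' and let a blacklisted certificate through.
    """
    digits = serial.replace(":", "").replace(" ", "").lower()
    if not digits or any(c not in "0123456789abcdef" for c in digits):
        raise ValueError(f"not a hex serial: {serial!r}")
    return format(int(digits, 16), "x")


# (serial, subject CN) pairs; keyed on the pair because serials are only
# unique per issuer, so a serial alone could collide with an honest cert.
# CONSTRUCTED values, not the real DigiNotar serials.
BLACKLIST = {
    (normalize_serial("05:e2:e6:a4:cd:09:ea:54:d6:65:b0:75:fe:22:a2:56"), "*.example.com"),
    (normalize_serial("0c:76:da:9c:91:0c:4e:2c:9e:fe:15:d0:58:93:3c:4c"), "login.example.net"),
}

# Issuers distrusted wholesale (constructed name). A blacklist of known-bad
# certificates cannot cover certificates nobody has seen yet; distrusting the
# issuer is the stronger control.
DISTRUSTED_ISSUERS = {"Example Fraudulent CA"}


def is_blacklisted(cert: Cert, blacklist=BLACKLIST) -> bool:
    """True if this exact certificate is on the blacklist."""
    return (normalize_serial(cert.serial), cert.subject_cn) in blacklist


def check_chain(chain, blacklist=BLACKLIST, distrusted=DISTRUSTED_ISSUERS):
    """Return rejection reasons for a chain ordered leaf first; [] means clean.

    Every certificate in the chain is inspected, not only the leaf, so a
    fraudulent intermediate is caught as well.
    """
    reasons = []
    for depth, cert in enumerate(chain):
        key = (normalize_serial(cert.serial), cert.subject_cn)
        if key in blacklist:
            reasons.append(
                f"depth {depth}: blacklisted certificate {cert.subject_cn!r} serial {key[0]}")
        if cert.issuer_cn in distrusted:
            reasons.append(
                f"depth {depth}: issued by distrusted CA {cert.issuer_cn!r}")
    return reasons


if __name__ == "__main__":
    # Constructed chains. The first leaf carries a blacklisted serial written
    # without colons or the leading zero; normalization still matches it.
    known_bad = Cert("*.example.com", "Example Public CA",
                     "5E2E6A4CD09EA54D665B075FE22A256")
    unseen_bad = Cert("mail.example.org", "Example Fraudulent CA", "ff")
    honest = Cert("www.example.org", "Example Public CA", "01")
    for chain in ([known_bad], [unseen_bad], [honest]):
        print(chain[0].subject_cn, "->", check_chain(chain) or "ok")
```

The second constructed chain is the caveat: its leaf is not on the blacklist, so a blacklist-only fix accepts it, and it is rejected only because the issuer is distrusted outright.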
Comment 1 Alex Alexander (RETIRED) gentoo-dev 2011-09-08 08:16:22 UTC
I've revbumped the current stable and testing qt-core ebuilds, adding the patch.

The patch will be present in Qt 4.7.4 as well, but since I'd rather not fast stabilize a new Qt version on day one, I've revbumped qt-core-4.7.2-r1 to -r2. Please fast-stabilize that for our stable users.

ebuilds containing the patch atm:

x11-libs/qt-core-4.7.2-r2
x11-libs/qt-core-4.7.3-r1
Comment 2 Markos Chandras (RETIRED) gentoo-dev 2011-09-08 08:26:42 UTC
Arches, please test and stabilize =x11-libs/qt-core-4.7.2-r2. It contains the said fix for DigiNotar certificates.
Comment 3 Agostino Sarubbo gentoo-dev 2011-09-08 10:15:05 UTC
David, please do not touch the syntax of security bugs.
Comment 4 Markos Chandras (RETIRED) gentoo-dev 2011-09-08 11:37:44 UTC
(In reply to comment #1)

I think you made a mistake. The patch for 4.7.{2,3} is not the same as the one for 4.7.4. Look at the $URL and my first comment. There are two patch files.
Comment 5 Markos Chandras (RETIRED) gentoo-dev 2011-09-08 11:46:40 UTC
(In reply to comment #4)
Sorry, scratch that. I didn't notice bug #382253.
Comment 6 Agostino Sarubbo gentoo-dev 2011-09-08 12:09:29 UTC
Thanks Alex for the rapid fix.

amd64 ok
Comment 7 Jeff (JD) Horelick (RETIRED) gentoo-dev 2011-09-08 19:43:07 UTC
Archtested on x86: Everything fine
Comment 8 Ian Delaney (RETIRED) gentoo-dev 2011-09-10 11:54:58 UTC
amd64: ok
Comment 9 Myckel Habets 2011-09-11 07:22:19 UTC
(In reply to comment #7)
> Archtested on x86: Everything fine

+1
Comment 10 Markus Meier gentoo-dev 2011-09-11 21:23:06 UTC
x86 stable, thanks JD
Comment 11 Markus Meier gentoo-dev 2011-09-12 21:05:27 UTC
arm stable
Comment 12 Markos Chandras (RETIRED) gentoo-dev 2011-09-13 09:11:47 UTC
amd64 done. Thanks Agostino and Ian
Comment 13 Kacper Kowalik (Xarthisius) (RETIRED) gentoo-dev 2011-09-27 18:02:11 UTC
ppc/ppc64 stable, last arch done
Comment 14 Tim Sammut (RETIRED) gentoo-dev 2011-09-27 19:24:08 UTC
Thanks, folks. GLSA vote: yes (although I am admittedly on the fence given the situation...)
Comment 15 Stefan Behte (RETIRED) gentoo-dev Security 2011-10-08 21:05:27 UTC
Vote: yes. Added to pending GLSA.
Comment 16 Ben de Groot (RETIRED) gentoo-dev 2012-06-14 08:22:42 UTC
Last remaining affected version now masked pending removal.
Comment 17 Johannes Huber (RETIRED) gentoo-dev 2012-07-09 11:47:34 UTC
Thank you all. Affected version removed from tree. Removing qt from CC, nothing to do here for us anymore.
Comment 18 GLSAMaker/CVETool Bot gentoo-dev 2013-11-22 11:10:24 UTC
This issue was resolved and addressed in GLSA 201311-14 at http://security.gentoo.org/glsa/glsa-201311-14.xml by GLSA coordinator Sergey Popov (pinkbyte).