Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!

Bug 201296

Summary: x11-libs/qt-4.3* < 4.3.2-r1 emul-linux-x86-qtlibs < 20071210 QSslSocket missing SSL certificate verification (CVE-2007-5965)
Product: Gentoo Security Reporter: Robert Buchholz (RETIRED) <rbu>
Component: VulnerabilitiesAssignee: Gentoo Security <security>
Status: RESOLVED FIXED    
Severity: minor CC: armin76, beandog, caleb, corsair, dertobi123, fauli, ferdy, jer, kingtaco, tsunam, welp, wolf31o2
Priority: High    
Version: unspecified   
Hardware: All   
OS: Linux   
URL: http://trolltech.com/company/newsroom/announcements/press.2007-12-21.2182567220
Whiteboard: A4 [noglsa]
Package list:
Runtime testing required: ---
Attachments:
Description Flags
qsslsocket-fix.patch none

Description Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 23:31:34 UTC 
Thiago Macieira of Trolltech wrote:
  Qt 4 has a potential vulnerability in QSslSocket, which might cause a the 
  certificate verification in SSL connections not to be performed. As a 
  consequence, code using QSslSocket might be mislead into thinking the 
  certificate was verified correctly when it actually failed in one or more 
  criterea

  To solve the issue, apply the following patch that is attached.

  The next maintenance release of Qt 4 will have the patch included.

  Versions affected: 4.3.0, 4.3.1 and 4.3.2
Comment 1 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 23:33:08 UTC 
Created attachment 137760 [details, diff]
qsslsocket-fix.patch

Upstream propsed patch
Comment 2 Robert Buchholz (RETIRED) gentoo-dev 2007-12-04 23:35:43 UTC 
We're handling this confidential as I am not aware of a coordinated release date yet. Caleb, please do not commit the patch yet. If you want to, you can prepare an ebuild and attach it to this bug.

However, since this issue is of a low impact, my advise would be to go normal stabling process via arch teams once this is public.
Comment 3 Caleb Tennis (RETIRED) gentoo-dev 2007-12-05 12:53:30 UTC 
The patch looks pretty harmless, so I won't bother with attaching an ebuild.  I'll just wait for the announcement or release notification, and throw it into portage at that time.
Comment 4 Robert Buchholz (RETIRED) gentoo-dev 2007-12-05 17:09:38 UTC 
"Qt 4.3.3, due out today, is not affected by this issue. It affects 
only 4.3.0, 4.3.1 and 4.3.2."

So we can bump the ebuild in the tree before disclosure.
Comment 5 Caleb Tennis (RETIRED) gentoo-dev 2007-12-05 17:20:50 UTC 
I got my commercial Qt today, but I'm not sure if we want to do that with the open source one when it's out in a few hours.  Namely, we don't know what else was "fixed" in 4.2.2 -> 4.2.3.  I vote to just revbump 4.2.2 with the patch.  In fact, if you want we can bump it in portage with the patch before the disclosure and not make public mention of the reason for the patch until disclosure.  Thoughts?
Comment 6 Robert Buchholz (RETIRED) gentoo-dev 2007-12-05 19:30:02 UTC 
QT 4.3.3 contains this fix and probably some other patches. Feel free to include this patch into 4.3.2 and we'll handle prestabling in this bug.
Comment 7 Caleb Tennis (RETIRED) gentoo-dev 2007-12-05 23:52:47 UTC 
qt-4.3.2-r1 has been committed with this patch.
Comment 8 Robert Buchholz (RETIRED) gentoo-dev 2007-12-06 00:09:26 UTC 
Adding arch security liaisons (plus opfer and armin76) and Chris for releng.

Please test and mark stable x11-libs/qt-4.3.2-r1.
Target keywords : "alpha amd64 hppa ia64 mips ppc ppc64 sparc x86"
Comment 9 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-06 07:49:53 UTC 
On x86 I get this, but it goes on fine.

rm -f *~ core *.core
g++ -c -pipe -O2 -Wall -W  -I../../../mkspecs/linux-g++ -I. -I. -o ptrsizetest.o ptrsizetest.cpp
ptrsizetest.cpp: In function ‘int main(int, char**)’:
ptrsizetest.cpp:18: error: ‘PointerSize’ is not a member of ‘QPointerSizeTest<4>’
make: *** [ptrsizetest.o] Error 1
Pointer size: 4
Comment 10 Caleb Tennis (RETIRED) gentoo-dev 2007-12-06 11:23:14 UTC 
That warning is fine, I believe.  It's just part of their system checks.  The output probably should be supressed.
Comment 11 Raúl Porcel (RETIRED) gentoo-dev 2007-12-06 12:18:24 UTC 
Why not 4.3.3?
Comment 12 Caleb Tennis (RETIRED) gentoo-dev 2007-12-06 12:45:23 UTC 
If you want to stablize 4.3.3, then by all means go for it.  But it has a lot more "bug fixes" than just this particular issue, and since it's been in portage for only a day now I wasn't comfortable with requesting it for stabilization.
Comment 13 Christian Faulhammer (RETIRED) gentoo-dev 2007-12-06 16:04:21 UTC 
x86 stable for 4.3.2-r1
Comment 14 Raúl Porcel (RETIRED) gentoo-dev 2007-12-06 16:46:04 UTC 
alpha/ia64/sparc stable for 4.3.2-r1
Comment 15 Markus Rothe (RETIRED) gentoo-dev 2007-12-07 13:59:33 UTC 
ppc64 stable (qt-4.3.2-r1)
Comment 16 Tobias Scherbaum (RETIRED) gentoo-dev 2007-12-07 14:01:05 UTC 
ppc stable
Comment 17 Jeroen Roovers (RETIRED) gentoo-dev 2007-12-07 16:15:06 UTC 
Stable for HPPA.
Comment 18 Robert Buchholz (RETIRED) gentoo-dev 2007-12-10 13:16:53 UTC 
amd64 stable, last arch.

This is ready for GLSA decision. I tend to vote yes.
Comment 19 Robert Buchholz (RETIRED) gentoo-dev 2007-12-10 16:23:01 UTC 
taco, please merge this into a new qt emul.
Comment 20 Peter Weller (RETIRED) gentoo-dev 2007-12-11 00:28:43 UTC 
Bumped the emul ebuild with new Qt, not yet stable though.
Comment 21 Peter Weller (RETIRED) gentoo-dev 2007-12-11 22:01:13 UTC 
app-emulation/emul-linux-x86-qtlibs-20071210 stable on amd64
Comment 22 Robert Buchholz (RETIRED) gentoo-dev 2007-12-30 19:21:11 UTC 
public via $URL

I vote NO on this bug.
Comment 23 Pierre-Yves Rofes (RETIRED) gentoo-dev 2007-12-30 19:35:31 UTC 
no too, closing.