| Field | Value |
|---|---|
| Summary | <x11-libs/qt-declarative-4.8.4: QML XmlHttpRequest insecure redirection (CVE-2012-5624) |
| Product | Gentoo Security |
| Component | Vulnerabilities |
| Reporter | Agostino Sarubbo <ago> |
| Assignee | Gentoo Security <security> |
| Status | RESOLVED FIXED |
| Severity | minor |
| CC | qt |
| Priority | Normal |
| Version | unspecified |
| Hardware | All |
| OS | Linux |
| URL | http://www.openwall.com/lists/oss-security/2012/12/04/7 |
| Whiteboard | B4 [noglsa] |
| Runtime testing required | --- |

Description
Agostino Sarubbo
2012-12-04 17:41:25 UTC
4.8.4 is now unmasked and in the tree.

Created attachment 332138
qt-4.8.4-stablelist-v1.txt

Stabilisation list based on current tree. Minor archs are welcome to drop stable/keywords on unneeded packages to reduce workload.

Qt team, any objection to adding archs? If not, I will go ahead shortly.

(In reply to comment #3)
> Qt team, any objection to adding archs? If not, I will go ahead shortly.

Yes, there appears to be a regression (bug 447368), which I think affects only a very small number of users though.

(In reply to comment #4)
> (In reply to comment #3)
> > Qt team, any objection to adding archs? If not, I will go ahead shortly.
>
> Yes, there appears to be a regression (bug 447368), which I think affects
> only a very small number of users though.

I've just committed a fix to cvs, so go ahead please :)

(In reply to comment #5)
> I've just committed a fix to cvs, so go ahead please :)

Thanks Davide!

Archs, please test and stabilise qt-4.8.4, as per the attached list. Minor archs, please consider dropping stable/keyword on unneeded modules to reduce workload.

Stable for HPPA.

amd64 stable

ia64 stable

ppc stable

ppc64 stable

x86 stable

arm stable

sparc stable

alpha stable

GLSA vote: no.

Old/vulnerable versions have been removed.

GLSA Vote: no too. Closing noglsa.

CVE-2012-5624 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5624): The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
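
The CVE text above describes an HTTP client that follows a redirect from http to the file scheme. The check that closes that class of bug, as an added example that is not Qt's patch or code from this bug: `checkRedirect`, `followChain`, `MAX_REDIRECTS` and the URLs are hypothetical names and constructed sample values.

```javascript
// Added example: redirect policy for an HTTP client (not Qt's implementation).
// A redirect may only land on a network scheme, never on file: or others.
const ALLOWED_SCHEMES = new Set(["http:", "https:"]);
const MAX_REDIRECTS = 10; // assumed limit, chosen for the example

// Decide whether a single redirect hop may be followed.
function checkRedirect(currentUrl, locationHeader) {
  let target;
  try {
    // Location may be relative, so resolve it against the URL that sent it.
    // The URL parser also lower-cases the scheme ("FILE:" becomes "file:").
    target = new URL(locationHeader, currentUrl);
  } catch (e) {
    return { allowed: false, reason: "unparseable Location" };
  }
  if (!ALLOWED_SCHEMES.has(target.protocol)) {
    return { allowed: false, reason: "scheme " + target.protocol + " not allowed" };
  }
  return { allowed: true, url: target.href };
}

// Walk a chain of Location headers the way a client would, stopping at the
// first hop the policy rejects.
function followChain(startUrl, locations) {
  let current = new URL(startUrl).href;
  let hops = 0;
  for (const loc of locations) {
    hops += 1;
    if (hops > MAX_REDIRECTS) {
      return { ok: false, at: current, reason: "too many redirects" };
    }
    const verdict = checkRedirect(current, loc);
    if (!verdict.allowed) {
      return { ok: false, at: current, reason: verdict.reason };
    }
    current = verdict.url;
  }
  return { ok: true, final: current };
}

// Constructed sample chains: one benign, one redirected to a local file.
const benign = followChain("http://example.test/feed.xml",
  ["/v2/feed.xml", "https://cdn.example.test/feed.xml"]);
const hostile = followChain("http://example.test/feed.xml",
  ["/moved", "file:///etc/hostname"]);
console.log(benign, hostile);
```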