Nokia released patches to eliminate the vulnerability. More info and the patches here: http://qt.nokia.com/about/news/qt-patches-released-addressing-potential-security-flaw Reproducible: Always
CVE-2009-2700 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2009-2700): src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
Franz, thanks for the report. Qt team, please advise/patch.
Created attachment 203308 [details, diff] Upstream patch reformatted Patch from http://qt.nokia.com/files/qt-patches/cve-2009-2700-patch-4.4.x-4.5.x.diff in diff -Naur format
Created attachment 203309 [details, diff] Diff to ebuild for the above patch
ping, any news here?
Sorry about the delay. I was on devaway in September, and apparently nobody from the Qt team noticed this one. In the meantime Qt 4.5.3 has been released, which has the patch already applied. So we should proceed with stabling 4.5.3 ASAP.
@security: Qt 4.5.3, which includes the patch, has now been stabilized by all arches, so you can proceed.
GLSA Vote: no.
This is ancient! Vote: no. Closing noglsa.
