Nokia released patches to eliminate the vulnerability.
More info and the patches here:
src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does
not properly handle a '\0' character in a domain name in the Subject
Alternative Name field of an X.509 certificate, which allows
man-in-the-middle attackers to spoof arbitrary SSL servers via a
crafted certificate issued by a legitimate Certification Authority, a
related issue to CVE-2009-2408.
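To show the class of bug described above, here is an added Python example (not code from the bug thread, from Qt, or from the patch): a SAN dNSName is a length-prefixed string and may legally contain a 0x00 byte, so a verifier that copies it into a C string compares only the prefix before the NUL. The SAN values below are constructed test data, and the hostname-matching rules are a simplified stand-in for the real ones.

```python
def _wildcard_match(pattern: str, hostname: str) -> bool:
    """Simplified dNSName matching: exact match, or a single left-most
    wildcard label ("*.example.org" matches "www.example.org" only)."""
    pattern = pattern.lower().rstrip(".")
    hostname = hostname.lower().rstrip(".")
    if pattern.startswith("*."):
        rest = pattern[2:]
        labels = hostname.split(".")
        return len(labels) > 1 and "*" not in rest and ".".join(labels[1:]) == rest
    return pattern == hostname


def naive_match(san_name: bytes, hostname: str) -> bool:
    """Vulnerable behaviour: mimics C-string handling, where everything
    after the first NUL byte is silently dropped before comparison."""
    truncated = san_name.split(b"\x00", 1)[0].decode("ascii", "replace")
    return _wildcard_match(truncated, hostname)


def strict_match(san_name: bytes, hostname: str) -> bool:
    """Hardened behaviour: the full encoded length counts. A NUL byte is not
    valid in a host name, so such an entry is rejected outright."""
    if b"\x00" in san_name:
        return False
    try:
        name = san_name.decode("ascii")
    except UnicodeDecodeError:
        return False
    return _wildcard_match(name, hostname)


# Constructed SAN entries (not real certificate data). The first one reads as
# "www.bank.example" to a C string, but the registered name is what follows
# the NUL byte, so a CA checking only the suffix domain might issue it.
CRAFTED_SAN = b"www.bank.example\x00.attacker.example"
HONEST_SAN = b"www.bank.example"


def demo() -> dict:
    """Return how each matcher treats the constructed entries."""
    return {
        "naive_crafted": naive_match(CRAFTED_SAN, "www.bank.example"),
        "strict_crafted": strict_match(CRAFTED_SAN, "www.bank.example"),
        "strict_honest": strict_match(HONEST_SAN, "www.bank.example"),
    }


if __name__ == "__main__":
    print(demo())
```

The detection lesson is the same in any language: compare SAN names using their encoded length, never a NUL-terminated copy.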
Franz, thanks for the report.
Qt team, please advise/patch.
Created attachment 203308: Upstream patch reformatted in diff -Naur format
Created attachment 203309: Diff to ebuild for the above patch
ping, any news here?
Sorry about the delay. I was on devaway in September, and apparently nobody from the Qt team noticed this one. In the meantime Qt 4.5.3 has been released, which has the patch already applied. So we should proceed with stabling 4.5.3 ASAP.
@security: Qt 4.5.3, which includes the patch, has now been stabilized by all arches, so you can proceed.
GLSA Vote: no.
This is ancient!