Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 283810 - <x11-libs/qt-core-4.5.3: Potential Vulnerability in QSslCertificate (CVE-2009-2700)
Summary: <x11-libs/qt-core-4.5.3: Potential Vulnerability in QSslCertificate (CVE-2009...
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
Whiteboard: B3 [noglsa]
Depends on: 290922
  Show dependency tree
Reported: 2009-09-06 07:02 UTC by Franz Trischberger
Modified: 2012-03-06 00:58 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Upstream patch reformatted (qt-cve-2009-2700-patch-4.4.x-4.5.x.diff,601 bytes, patch)
2009-09-06 19:44 UTC, Jouni Kosonen
no flags Details | Diff
Diff to ebuild for the above patch (qt-core-4.5.2.ebuild.diff,269 bytes, patch)
2009-09-06 19:46 UTC, Jouni Kosonen
no flags Details | Diff

Note You need to log in before you can comment on or make changes to this bug.
Description Franz Trischberger 2009-09-06 07:02:02 UTC
Nokia released patches to eliminate the vulnerability.
More info and the patches here:

Reproducible: Always
Comment 1 Alex Legler (RETIRED) archtester gentoo-dev Security 2009-09-06 09:43:46 UTC
CVE-2009-2700 (
  src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does
  not properly handle a '\0' character in a domain name in the Subject
  Alternative Name field of an X.509 certificate, which allows
  man-in-the-middle attackers to spoof arbitrary SSL servers via a
  crafted certificate issued by a legitimate Certification Authority, a
  related issue to CVE-2009-2408.

Comment 2 Tobias Heinlein (RETIRED) gentoo-dev 2009-09-06 09:56:14 UTC
Franz, thanks for the report.

Qt team, please advise/patch.
Comment 3 Jouni Kosonen 2009-09-06 19:44:04 UTC
Created attachment 203308 [details, diff]
Upstream patch reformatted

Patch from
in diff -Naur format
Comment 4 Jouni Kosonen 2009-09-06 19:46:28 UTC
Created attachment 203309 [details, diff]
Diff to ebuild for the above patch
Comment 5 Tobias Heinlein (RETIRED) gentoo-dev 2009-10-26 22:53:34 UTC
ping, any news here?
Comment 6 Ben de Groot (RETIRED) gentoo-dev 2009-10-28 20:21:08 UTC
Sorry about the delay. I was on devaway in September, and apparently nobody from the Qt team noticed this one. In the meantime Qt 4.5.3 has been released, which has the patch already applied. So we should proceed with stabling 4.5.3 ASAP.
Comment 7 Ben de Groot (RETIRED) gentoo-dev 2009-11-11 13:34:16 UTC
@security: Qt 4.5.3, which includes the patch, has now been stabilized by all arches, so you can proceed.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2011-12-09 00:19:01 UTC
GLSA Vote: no.
Comment 9 Stefan Behte (RETIRED) gentoo-dev Security 2012-03-06 00:58:18 UTC
This is ancient! 
Vote: no.
Closing noglsa.