Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 335730 - x11-libs/qt: Wildcard Cerficate Validation Weakness
Summary: x11-libs/qt: Wildcard Cerficate Validation Weakness
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: High minor (vote)
Assignee: Gentoo Security
URL: http://bugreports.qt.nokia.com/browse...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-02 22:30 UTC by Tim Sammut (RETIRED)
Modified: 2012-09-19 10:27 UTC (History)
0 users

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description Tim Sammut (RETIRED) gentoo-dev 2010-09-02 22:30:12 UTC
From $url:

QSslSocket applies the * in the wildcard verification to the entire hostname, meaning it can match more than one domain label. At the limit, in case of a bad configuration or malicious system, a certificate with CN=* would serve as a universal certificate.

Qt should apply the wildcard to a single DNS domain label only.

Originally disclosed at:

http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
Comment 1 Ben de Groot (RETIRED) gentoo-dev 2012-06-08 04:34:20 UTC
The upstream bug report says it is fixed in version 4.7.0
Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-06-10 23:35:35 UTC
Thanks muchly. Is there a fix option for sparc?
Comment 3 Ben de Groot (RETIRED) gentoo-dev 2012-06-11 05:25:20 UTC
We are removing the vulnerable version (I'm planning to mask it tomorrow). So unless sparc and alpha will keyword newer Qt versions, they will lose keywords on Qt and revdeps. I have informed them of this, but so far no response.
Comment 4 Ben de Groot (RETIRED) gentoo-dev 2012-06-14 08:23:08 UTC
Last remaining affected version now masked pending removal.
Comment 5 Johannes Huber gentoo-dev 2012-07-09 11:45:14 UTC
Thank you all. Affected version removed from tree. Removing qt from CC, nothing to do here for us anymore.
Comment 6 Tim Sammut (RETIRED) gentoo-dev 2012-08-16 05:25:19 UTC
It looks like we're past this now. GLSA Vote: no.
Comment 7 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-19 10:27:58 UTC
GLSA vote: no.

Closing noglsa.