Bug 335734 (CVE-2010-2621) - x11-libs/qt-core: Remote DoS Vulnerability (CVE-2010-2621)
Summary: x11-libs/qt-core: Remote DoS Vulnerability (CVE-2010-2621)
Status: RESOLVED FIXED
Alias: CVE-2010-2621
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: High minor
Assignee: Gentoo Security
URL: http://qt.gitorious.com/qt/qt/commit/...
Whiteboard: B3 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2010-09-02 22:42 UTC by Tim Sammut (RETIRED)
Modified: 2012-12-16 21:43 UTC

Description Tim Sammut (RETIRED) gentoo-dev 2010-09-02 22:42:14 UTC
CVE-2010-2621 (http://web.nvd.nist.gov/view/vuln/detail?vulnId=CVE-2010-2621)
The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
Comment 1 Stefan Behte (RETIRED) gentoo-dev Security 2010-09-03 21:47:24 UTC
CVE-2010-2621 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2010-2621):
  The QSslSocketBackendPrivate::transmit function in
  src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows
  remote attackers to cause a denial of service (infinite loop) via a
  malformed request.

Comment 2 Tim Sammut (RETIRED) gentoo-dev 2012-06-03 22:43:43 UTC
Looks like $URL is the commit to fix this issue.
Comment 3 Ben de Groot (RETIRED) gentoo-dev 2012-06-04 05:59:44 UTC
Since this issue is fixed in Qt >=4.7, we will simply remove the vulnerable version. @security: is a GLSA still needed then?
Comment 4 Tim Sammut (RETIRED) gentoo-dev 2012-06-10 23:33:54 UTC
(In reply to comment #3)
> Since this issue is fixed in Qt >=4.7, we will simply remove the vulnerable
> version. @security: is a GLSA still needed then?

Yeah, we may need a GLSA since the vulnerable package was stable. The GLSA yes/no decision in this case is made by the team since this only rates B3.

Is there a fixed option for sparc?
Comment 5 Ben de Groot (RETIRED) gentoo-dev 2012-06-11 05:29:02 UTC
See bug 335730#c3
Comment 6 Ben de Groot (RETIRED) gentoo-dev 2012-06-14 08:22:58 UTC
Last remaining affected version now masked pending removal.
Comment 7 Johannes Huber gentoo-dev 2012-07-09 11:48:03 UTC
Thank you all. Affected version removed from tree. Removing qt from CC, nothing to do here for us anymore.
Comment 8 Tim Sammut (RETIRED) gentoo-dev 2012-08-16 05:25:04 UTC
I think we're past this now. GLSA Vote: no.
Comment 9 Sean Amoss (RETIRED) gentoo-dev Security 2012-09-19 10:34:06 UTC
GLSA vote: yes.
Comment 10 Stefan Behte (RETIRED) gentoo-dev Security 2012-12-16 21:43:58 UTC
Too old, do not want.
It also sounds a lot like an application crash only.
Vote: NO.
Closing noglsa.