Bug 445956 (CVE-2012-5624) - <x11-libs/qt-declarative-4.8.4: QML XmlHttpRequest insecure redirection (CVE-2012-5624)
Summary: <x11-libs/qt-declarative-4.8.4: QML XmlHttpRequest insecure redirection (CVE-...
Status: RESOLVED FIXED
Alias: CVE-2012-5624
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
URL: http://www.openwall.com/lists/oss-sec...
Whiteboard: B4 [noglsa]
Keywords:
Depends on:
Blocks:
 
Reported: 2012-12-04 17:41 UTC by Agostino Sarubbo
Modified: 2013-03-04 22:09 UTC

See Also:
Package list:
Runtime testing required: ---


Attachments
qt-4.8.4-stablelist-v1.txt (qt-4.8.4-stablelist-v1.txt,1.29 KB, text/plain)
2012-12-12 13:01 UTC, Michael Palimaka (kensington)

Description Agostino Sarubbo gentoo-dev 2012-12-04 17:41:25 UTC
From $URL:

Qt upstream has released version 4.8.4, correcting one security issue:

An information disclosure flaw was found in the way the XMLHttpRequest object implementation in Qt, a software toolkit for developing applications, performed management of certain HTTP responses. The previous implementation allowed redirection from the HTTP protocol to file schemas. Also, the redirection handling was performed automatically by the QML application and could not be disabled. A remote attacker could use this flaw to cause a QML application to read local file content in an unauthorized way, by causing the HTTP response for the application to be a redirect to a file: URL (file scheme).

References:
[1] http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=883415

Relevant upstream patch:
[3] https://codereview.qt-project.org/#change,40034
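The defensive point in this report is that a redirect chain starting from a network request must never be allowed to land on a local scheme such as file:. The following is an added example of such a redirect policy check, not code from Qt or from the patch linked above; it is standalone C++ using std::string in place of QUrl, and the URLs in the comments are constructed.

```cpp
// Added example (not Qt code): a scheme-allow-list check that an HTTP client
// would apply to a Location: header before following a redirect.
#include <algorithm>
#include <cctype>
#include <string>

// Return the lower-cased URL scheme, or "" when the URL is relative
// (e.g. "/v2/data") or has no syntactically valid scheme.
std::string urlScheme(const std::string& url) {
    const auto colon = url.find(':');
    if (colon == std::string::npos || colon == 0) return "";
    std::string scheme = url.substr(0, colon);
    for (char c : scheme) {
        // RFC 3986 scheme characters only; anything else means the ':' belonged
        // to a path or query component, so the reference is relative.
        const unsigned char uc = static_cast<unsigned char>(c);
        if (!std::isalnum(uc) && c != '+' && c != '-' && c != '.') return "";
    }
    std::transform(scheme.begin(), scheme.end(), scheme.begin(),
                   [](unsigned char c) { return static_cast<char>(std::tolower(c)); });
    return scheme;
}

// Hardened policy. The pre-4.8.4 behaviour described in this bug amounts to
// "always follow"; here a redirect is only followed when it starts from http
// or https and stays on http or https. A redirect from a network origin to
// file:, qrc: or any other local scheme is refused, whatever the letter case.
bool redirectAllowed(const std::string& originalUrl, const std::string& location) {
    const std::string from = urlScheme(originalUrl);
    const std::string to = urlScheme(location);
    if (from != "http" && from != "https") return false;  // only network requests may redirect
    if (to.empty()) return true;  // relative Location: resolves against the same origin
    return to == "http" || to == "https";
}
```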
Comment 1 Michael Palimaka (kensington) gentoo-dev 2012-12-05 09:41:25 UTC
4.8.4 is now unmasked and in the tree.
Comment 2 Michael Palimaka (kensington) gentoo-dev 2012-12-12 13:01:17 UTC
Created attachment 332138
qt-4.8.4-stablelist-v1.txt

Stabilisation list based on current tree. Minor archs are welcome to drop stable/keywords on unneeded packages to reduce workload.
Comment 3 Michael Palimaka (kensington) gentoo-dev 2012-12-21 13:56:10 UTC
Qt team, any objection to adding archs? If not, I will go ahead shortly.
Comment 4 Davide Pesavento gentoo-dev 2012-12-22 00:01:41 UTC
(In reply to comment #3)
> Qt team, any objection to adding archs? If not, I will go ahead shortly.

Yes, there appears to be a regression (bug 447368), which I think affects only a very small number of users though.
Comment 5 Davide Pesavento gentoo-dev 2012-12-22 04:10:26 UTC
(In reply to comment #4)
> (In reply to comment #3)
> > Qt team, any objection to adding archs? If not, I will go ahead shortly.
> 
> Yes, there appears to be a regression (bug 447368), which I think affects
> only a very small number of users though.

I've just committed a fix to cvs, so go ahead please :)
Comment 6 Michael Palimaka (kensington) gentoo-dev 2012-12-22 14:35:15 UTC
(In reply to comment #5)
> I've just committed a fix to cvs, so go ahead please :)

Thanks Davide!

Archs, please test and stabilise qt-4.8.4, as per the attached list.

Minor archs, please consider dropping stable/keyword on unneeded modules to reduce workload.
Comment 7 Jeroen Roovers (RETIRED) gentoo-dev 2012-12-24 16:50:14 UTC
Stable for HPPA.
Comment 8 Agostino Sarubbo gentoo-dev 2012-12-25 09:26:58 UTC
amd64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2012-12-25 09:33:28 UTC
ia64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2012-12-25 09:42:01 UTC
ppc stable
Comment 11 Agostino Sarubbo gentoo-dev 2012-12-25 09:49:46 UTC
ppc64 stable
Comment 12 Agostino Sarubbo gentoo-dev 2012-12-25 09:58:20 UTC
x86 stable
Comment 13 Agostino Sarubbo gentoo-dev 2012-12-25 14:58:54 UTC
arm stable
Comment 14 Agostino Sarubbo gentoo-dev 2012-12-26 17:22:31 UTC
sparc stable
Comment 15 Agostino Sarubbo gentoo-dev 2012-12-29 08:49:32 UTC
alpha stable
Comment 16 Sean Amoss (RETIRED) gentoo-dev Security 2012-12-29 13:30:50 UTC
GLSA vote: no.
Comment 17 Michael Palimaka (kensington) gentoo-dev 2012-12-29 13:53:15 UTC
Old/vulnerable versions have been removed.
Comment 18 Tim Sammut (RETIRED) gentoo-dev 2013-01-02 18:39:03 UTC
GLSA Vote: no too. Closing noglsa.
Comment 19 GLSAMaker/CVETool Bot gentoo-dev 2013-03-04 22:09:08 UTC
CVE-2012-5624 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5624):
  The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the
  file scheme, which allows man-in-the-middle attackers to force the read of
  arbitrary local files and possibly obtain sensitive information via a file:
  URL to a QML application.