From $URL :

Qt upstream has released the 4.8.4 version correcting one security issue:

An information disclosure flaw was found in the way the XMLHttpRequest object implementation in Qt, a software toolkit for developing applications, performed management of certain HTTP responses. The previous implementation allowed redirection from the HTTP protocol to file schemas. Also, the redirection handling was performed automatically by the QML application and could not be disabled. A remote attacker could use this flaw to cause a QML application to read local file content in an unauthorized way by causing the HTTP response for the application to be a redirect to a file: URL (file scheme).

References:
[1] http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
[2] https://bugzilla.redhat.com/show_bug.cgi?id=883415

Relevant upstream patch:
[3] https://codereview.qt-project.org/#change,40034
4.8.4 is now unmasked and in the tree.
Created attachment 332138: qt-4.8.4-stablelist-v1.txt

Stabilisation list based on current tree. Minor archs are welcome to drop stable/keywords on unneeded packages to reduce workload.
Qt team, any objection to adding archs? If not, I will go ahead shortly.
(In reply to comment #3)
> Qt team, any objection to adding archs? If not, I will go ahead shortly.

Yes, there appears to be a regression (bug 447368), which I think affects only a very small number of users though.
(In reply to comment #4)
> (In reply to comment #3)
> > Qt team, any objection to adding archs? If not, I will go ahead shortly.
>
> Yes, there appears to be a regression (bug 447368), which I think affects
> only a very small number of users though.

I've just committed a fix to cvs, so go ahead please :)
(In reply to comment #5)
> I've just committed a fix to cvs, so go ahead please :)

Thanks Davide! Archs, please test and stabilise qt-4.8.4, as per the attached list. Minor archs, please consider dropping stable/keyword on unneeded modules to reduce workload.
Stable for HPPA.
amd64 stable
ia64 stable
ppc stable
ppc64 stable
x86 stable
arm stable
sparc stable
alpha stable
GLSA vote: no.
Old/vulnerable versions have been removed.
GLSA Vote: no too. Closing noglsa.
CVE-2012-5624 (http://nvd.nist.gov/nvd.cfm?cvename=CVE-2012-5624): The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
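The flaw described in the opening report and in the CVE text above is an HTTP client that follows a redirect off the network onto the file: scheme. The following is an added example, not Qt's code or the upstream patch, of the policy a client should enforce: resolve the Location header, refuse any target whose scheme is not http/https, and bound the redirect count. The names checkRedirect, fetchWithPolicy and the FAKE_RESPONSES table are assumed for this illustration.

```javascript
// Added example, not Qt's own code: a redirect policy that keeps an HTTP
// client on network schemes, so a 302 whose Location points at file: is
// refused instead of being followed (the behaviour CVE-2012-5624 describes).
const NETWORK_SCHEMES = new Set(["http:", "https:"]);
const MAX_REDIRECTS = 5;

// Resolve a Location header against the URL of the response that carried it
// and decide whether the client may follow it.
function checkRedirect(responseUrl, location, hops = 0) {
  let target;
  try {
    target = new URL(location, responseUrl); // Location may be relative (RFC 7231 §7.1.2)
  } catch (e) {
    return { follow: false, target: null, reason: "unparseable Location" };
  }
  if (!NETWORK_SCHEMES.has(target.protocol)) {
    return { follow: false, target: target.href, reason: `scheme ${target.protocol} not allowed` };
  }
  if (hops >= MAX_REDIRECTS) {
    return { follow: false, target: target.href, reason: "too many redirects" };
  }
  return { follow: true, target: target.href, reason: "ok" };
}

// Constructed stand-in for a transport: maps a URL to a canned response.
// The file: entry stands for local content the client must never reach via a redirect.
const FAKE_RESPONSES = {
  "http://example.test/data":    { status: 302, location: "/v2/data" },
  "http://example.test/v2/data": { status: 200, body: "public data" },
  "http://example.test/evil":    { status: 302, location: "file:///etc/hostname" },
  "file:///etc/hostname":        { status: 200, body: "LOCAL SECRET" },
};

// Fetch a URL through the policy; returns the final body, or the refusal reason
// and the URL at which the chain was stopped.
function fetchWithPolicy(startUrl, responses = FAKE_RESPONSES) {
  let url = startUrl;
  for (let hops = 0; ; hops++) {
    const res = responses[url];
    if (!res) return { ok: false, url, reason: `no response for ${url}` };
    if (res.status !== 302) return { ok: true, url, body: res.body };
    const verdict = checkRedirect(url, res.location, hops);
    if (!verdict.follow) return { ok: false, url, reason: verdict.reason };
    url = verdict.target;
  }
}
```

A client without the scheme check would return "LOCAL SECRET" for the /evil request; with it, the chain stops at the last network URL and the local file is never opened.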