Bug 15559

Summary: qt-creator does not verify SSH host key when using built-in SSH client
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: doktor5000, sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/637577/
Whiteboard: has_procedure mga4-64-ok advisory
Source RPM: qt-creator-3.3.0-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-03-23 18:59:37 CET 
Fedora has issued an advisory on March 10:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152471.html

Fedora added this patch to 3.3.2:
http://pkgs.fedoraproject.org/cgit/qt-creator.git/plain/qt-creator_62a83f911365eab71e7260484517ef6c739d5192.patch?h=f21&id=527b3bba9cf7a4d4948f51a6e012c702888678f6

which should help for Mageia 5.

Fedora added this patch for 3.2.2:
http://pkgs.fedoraproject.org/cgit/qt-creator.git/plain/qt-creator_62a83f911365eab71e7260484517ef6c739d5192.patch?h=f20

which might help for Mageia 4, which has 3.0.0.

Reproducible: 

Steps to Reproduce:
David Walser 2015-03-23 18:59:44 CET

Whiteboard: (none) => MGA5TOO, MGA4TOO

Florian Hubold 2015-03-26 19:48:02 CET

CC: (none) => doktor5000

Comment 1 David Walser 2015-03-30 18:41:50 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated qt-creator packages fix security vulnerability:

Qt Creator does not verify SSH host keys when using the built-in SSH client.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-March/152471.html
========================

Updated packages in core/updates_testing:
========================
qt-creator-3.0.0-1.5.mga4
qt-creator-doc-3.0.0-1.5.mga4

from qt-creator-3.0.0-1.5.mga4.src.rpm

Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 2 claire robinson 2015-04-07 18:37:58 CEST 
Testing complete mga4 64

The ssh seems only to be used when connecting devices. It's possible in the options.

Tools > Options > Devices tab > Add > Generic Linux Device > Start Wizard

Select Host Key authentication rather than Password, if you have it configured on the host.

Testing the ssh is able connect but I don't want to alter ssh host keys so won't be directly testing the vulnerability.

The device connection test is successful.

Whiteboard: (none) => has_procedure mga4-64-ok

Comment 3 claire robinson 2015-04-08 17:29:02 CEST 
validating. advisory uploaded.

Keywords: (none) => validated_update
Whiteboard: has_procedure mga4-64-ok => has_procedure mga4-64-ok advisory
CC: (none) => sysadmin-bugs

Comment 4 Mageia Robot 2015-04-10 00:45:01 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0137.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED