Bug 7998 - qt4 new security issues CVE-2012-4929, CVE-2012-5624, and CVE-2012-6093
Status: RESOLVED FIXED
Product: Mageia
Classification: Unclassified
Component: Security
Version: 2
Hardware: i586 Linux
Priority: Normal Severity: normal
Assigned To: QA Team
URL: http://lwn.net/Vulnerabilities/522195/
Whiteboard: has_procedure mga2-64-ok mga-32-ok
Keywords: validated_update
Reported: 2012-11-06 19:13 CET by David Walser
Modified: 2013-02-16 20:26 CET
Source RPM: qt4

Description David Walser 2012-11-06 19:13:14 CET
OpenSuSE has issued an advisory on October 31:
http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html

It sounds like the same issue as this one, which Fedora issued an advisory for on October 2:
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089815.html

which references upstream here:
http://qt.digia.com/Release-Notes/security-issue-september-2012/

from http://lwn.net/Vulnerabilities/519844/

It is unclear which versions are affected.
Comment 1 David Walser 2012-11-30 20:14:24 CET
Ubuntu has issued an advisory for this on November 8:
http://www.ubuntu.com/usn/usn-1628-1/
Comment 2 David Walser 2012-12-13 19:01:58 CET
Fedora has issued an advisory on December 5:
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094633.html

This fixes a new upstream security issue, fixed in 4.8.4:
http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
Comment 3 David Walser 2012-12-20 17:26:01 CET
The CVE for the security issue in Comment 2 is CVE-2012-5624.

LWN reference:
http://lwn.net/Vulnerabilities/529993/
Comment 4 David Walser 2013-01-03 15:13:37 CET
We now have qt4 4.8.4 in Cauldron, hopefully CVE-2012-4929 isn't an issue there.

Mageia 1 is EOL.
Comment 5 Oden Eriksson 2013-01-03 19:28:53 CET
Fix in r338296 (mga2, updates_testing, qt4-4.8.3-1.2.mga2).
Comment 6 David Walser 2013-01-03 19:56:16 CET
Oden, you missed CVE-2012-5624.
Comment 7 Oden Eriksson 2013-01-03 23:02:26 CET
Bumped it to qt4-4.8.4-1.mga2
Comment 8 David Walser 2013-01-04 00:09:51 CET
Thanks Oden!  Assigning to QA.

Advisory:
========================

Updated qt4 packages fix security vulnerabilities:

A security vulnerability has been discovered in the SSL/TLS protocol, which
affects connections using compression.  The protocol, as used by Qt before
4.8.4, can encrypt compressed data without properly obfuscating the length of
the unencrypted data, which allows man-in-the-middle attackers to obtain
plaintext HTTP headers by observing length differences during a series of
guesses in which a string in an HTTP request potentially matches an unknown
string in an HTTP header, aka a "CRIME" attack (CVE-2012-4929).

The XMLHttpRequest object in Qt is intended to offer similar behaviour to that
in web browsers, though it intentionally does not enforce the same-origin
policy.  It has been determined that the implementation in Qt will allow
redirection from http to file schemes which may allow an attacker performing a
man-in-the-middle attack to cause QML applications to leak sensitive
information (CVE-2012-5624).

This update provides Qt4 4.8.4, which disables SSL/TLS compression by default
to mitigate CVE-2012-4929 and makes the rules for redirects a bit stricter to
mitigate CVE-2012-5624.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5624
http://qt.digia.com/Release-Notes/security-issue-september-2012/
http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
http://qt.digia.com/Release-Notes/Release-Notes-Qt-484/
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089815.html
http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094633.html
========================

Updated packages in core/updates_testing:
========================
qt4-common-4.8.4-1.mga2
libqtxml4-4.8.4-1.mga2
libqtscripttools4-4.8.4-1.mga2
libqtxmlpatterns4-4.8.4-1.mga2
libqtsql4-4.8.4-1.mga2
libqtnetwork4-4.8.4-1.mga2
libqtscript4-4.8.4-1.mga2
libqtgui4-4.8.4-1.mga2
libqtsvg4-4.8.4-1.mga2
libqttest4-4.8.4-1.mga2
libqthelp4-4.8.4-1.mga2
libqtclucene4-4.8.4-1.mga2
libqtcore4-4.8.4-1.mga2
libqt3support4-4.8.4-1.mga2
libqtopengl4-4.8.4-1.mga2
libqtdesigner4-4.8.4-1.mga2
libqtdbus4-4.8.4-1.mga2
libqtmultimedia4-4.8.4-1.mga2
qt4-qtdbus-4.8.4-1.mga2
libqtdeclarative4-4.8.4-1.mga2
qt4-qmlviewer-4.8.4-1.mga2
libqt4-devel-4.8.4-1.mga2
qt4-devel-private-4.8.4-1.mga2
qt4-xmlpatterns-4.8.4-1.mga2
qt4-qtconfig-4.8.4-1.mga2
qt4-doc-4.8.4-1.mga2
qt4-demos-4.8.4-1.mga2
qt4-examples-4.8.4-1.mga2
qt4-linguist-4.8.4-1.mga2
qt4-assistant-4.8.4-1.mga2
qt4-database-plugin-mysql-4.8.4-1.mga2
qt4-database-plugin-sqlite-4.8.4-1.mga2
qt4-database-plugin-tds-4.8.4-1.mga2
qt4-database-plugin-pgsql-4.8.4-1.mga2
qt4-graphicssystems-plugin-4.8.4-1.mga2
qt4-accessibility-plugin-4.8.4-1.mga2
qt4-designer-4.8.4-1.mga2
qt4-designer-plugin-webkit-4.8.4-1.mga2
qt4-designer-plugin-qt3support-4.8.4-1.mga2
qt4-qvfb-4.8.4-1.mga2
qt4-qdoc3-4.8.4-1.mga2

from qt4-4.8.4-1.mga2.src.rpm
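The CVE-2012-5624 paragraph above describes an http-to-file redirect being followed by Qt's XMLHttpRequest. The following is an added example, not Qt's code and not the rule the 4.8.4 fix actually implements: it shows the shape of a stricter redirect policy in plain C++ (no Qt dependency), where a request that started over http or https may only be redirected to another http or https URL or to a relative reference, and any other target scheme (file: in particular) is refused. The scheme parser and the policy are assumptions for illustration.

```cpp
#include <cctype>
#include <cstdio>
#include <string>

// Extract the URL scheme, lower-cased and without the trailing ':'.
// Returns "" for a relative reference or anything that is not a well-formed
// absolute URL. (Constructed helper: a scheme is the run of [A-Za-z0-9+.-]
// before the first ':'.)
std::string url_scheme(const std::string& url) {
    std::string scheme;
    for (char c : url) {
        unsigned char uc = static_cast<unsigned char>(c);
        if (c == ':') return scheme;
        if (!(std::isalnum(uc) || c == '+' || c == '-' || c == '.')) return "";
        scheme.push_back(static_cast<char>(std::tolower(uc)));
    }
    return "";  // no ':' at all: relative reference, not an absolute URL
}

// Assumed policy (an illustration, not Qt's actual rule): a request that
// started over a network scheme may only be redirected to another network
// scheme or to a relative reference, which resolves against the original URL
// and therefore keeps its scheme. A 30x Location header pointing at file:
// (or any other local scheme) is refused, so a man-in-the-middle rewriting the
// redirect cannot make the client read a local file.
bool redirect_allowed(const std::string& original, const std::string& target) {
    auto is_network = [](const std::string& s) { return s == "http" || s == "https"; };
    const std::string from = url_scheme(original);
    const std::string to = url_scheme(target);
    if (!is_network(from)) return false;  // only network-originated requests follow redirects
    if (to.empty()) return true;          // relative reference: same origin scheme
    return is_network(to);
}

int main() {
    // Constructed sample redirects; example.test is a reserved, non-routable name.
    const char* cases[][2] = {
        {"http://example.test/api",  "https://example.test/api"},
        {"http://example.test/api",  "file:///etc/passwd"},
        {"http://example.test/api",  "/v2/api"},
        {"file:///app/data.json",    "http://example.test/"},
    };
    for (auto& c : cases)
        std::printf("%-26s -> %-26s : %s\n", c[0], c[1],
                    redirect_allowed(c[0], c[1]) ? "follow" : "REFUSE");
    return 0;
}
```

The decision is made on the scheme alone: a QML application that genuinely needs to load local files should do so through an explicit local request, never by following a redirect obtained from the network.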
Comment 9 David Walser 2013-01-04 21:15:31 CET
Now there's CVE-2012-6093:
http://lists.qt-project.org/pipermail/announce/2013-January/000020.html
Comment 10 David Walser 2013-01-14 23:30:35 CET
Fedora references the issue we just fixed in our rootcerts update candidate as affecting Qt.  Will ours be OK when we update rootcerts, or is this something that needs to be fixed directly in Qt itself?

http://lists.qt-project.org/pipermail/announce/2013-January/000021.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096444.html

BTW Fedora also fixed CVE-2012-6093 in that update.
Comment 11 David Walser 2013-01-14 23:39:42 CET
LWN reference for CVE-2012-6093:
http://lwn.net/Vulnerabilities/532545/
Comment 12 Oden Eriksson 2013-01-15 21:03:39 CET
(In reply to comment #10)
> Fedora references the issue we just fixed in our rootcerts update candidate as
> affecting Qt.  Will ours be OK when we update rootcerts, or is this something
> that needs to be fixed directly in Qt itself?

Yes and No, kde (kdelibs4) uses the system bundle (/etc/pki/tls/certs/ca-bundle.crt) but redhat may have blacklisted the certs in qt as well (hardcoded).

Hmm, yes they did after looking at those links.
Comment 13 David Walser 2013-02-07 19:40:34 CET
I added patches in Mageia 2 and Cauldron SVN:

qt-everywhere-opensource-src-4.8.4-QTBUG-28343.patch (fix CVE-2012-6093)
qt-4.8-CVE-2013-0254.patch (fix a new issue [1])
qt-everywhere-opensource-src-4.8.4-QTBUG-28937.patch (blacklist turktrust)
qt-everywhere-opensource-src-4.8.4-QTBUG-24654.patch (more blacklisting)

[1] - http://lists.qt-project.org/pipermail/announce/2013-February/000023.html
      http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0254

If these look good to you, please push to the build system (unless you just want to wait for 4.8.5 which probably contains all of these fixes).
Comment 14 David Walser 2013-02-12 17:34:28 CET
Pushed in Cauldron by Funda.
Comment 15 David Walser 2013-02-12 18:16:59 CET
mgarepo submit is not working at the moment, but here are additional notes for the advisory once this is pushed in mga2.

-----

Two intermediate CA certificates were mis-issued by the TURKTRUST
certificate authority. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information (CVE-2013-0743).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
http://lists.qt-project.org/pipermail/announce/2013-January/000021.html
http://www.ubuntu.com/usn/USN-1687-1/

A security flaw was found in the way the QSslSocket implementation of Qt, a
software toolkit for application development, performed certificate
verification callbacks when the Qt libraries were used with a different OpenSSL
version than the one they were compiled against. In such a scenario, this
would result in a connection error, but with the SSL error list containing
QSslError::NoError instead of the proper reason for the error. This might result
in a confusing error being presented to end users, possibly encouraging
them to ignore the SSL errors for the site the connection was initiated
against (CVE-2012-6093).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6093
http://lists.qt-project.org/pipermail/announce/2013-January/000020.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096444.html

The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6,
and other versions including 4.4.0 uses weak permissions (world-readable and
world-writable) for shared memory segments, which allows local users to read
sensitive information or modify critical program data, as demonstrated by
reading a pixmap being sent to an X server (CVE-2013-0254).

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0254
http://lists.qt-project.org/pipermail/announce/2013-February/000023.html

Patches from upstream have been included to fix CVE-2013-0254 by forcing all
System V shared memory segments to be created with user-only permissions,
fix CVE-2012-6093 by using the correct public API in openssl, and fix
CVE-2013-0743 by blacklisting the invalid certificates.
Comment 16 David Walser 2013-02-12 19:25:01 CET
Patched package uploaded for Mageia 2.

Advisory:
========================

Updated qt4 packages fix security vulnerabilities:

A security vulnerability has been discovered in the SSL/TLS protocol, which
affects connections using compression.  The protocol, as used by Qt before
4.8.4, can encrypt compressed data without properly obfuscating the length of
the unencrypted data, which allows man-in-the-middle attackers to obtain
plaintext HTTP headers by observing length differences during a series of
guesses in which a string in an HTTP request potentially matches an unknown
string in an HTTP header, aka a "CRIME" attack (CVE-2012-4929).

The XMLHttpRequest object in Qt is intended to offer similar behaviour to that
in web browsers, though it intentionally does not enforce the same-origin
policy.  It has been determined that the implementation in Qt will allow
redirection from http to file schemes which may allow an attacker performing a
man-in-the-middle attack to cause QML applications to leak sensitive
information (CVE-2012-5624).

A security flaw was found in the way the QSslSocket implementation of Qt, a
software toolkit for application development, performed certificate
verification callbacks when the Qt libraries were used with a different OpenSSL
version than the one they were compiled against. In such a scenario, this
would result in a connection error, but with the SSL error list containing
QSslError::NoError instead of the proper reason for the error. This might result
in a confusing error being presented to end users, possibly encouraging
them to ignore the SSL errors for the site the connection was initiated
against (CVE-2012-6093).

Two intermediate CA certificates were mis-issued by the TURKTRUST
certificate authority. If a remote attacker were able to perform a
man-in-the-middle attack, this flaw could be exploited to view sensitive
information (CVE-2013-0743).

The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6,
and other versions including 4.4.0 uses weak permissions (world-readable and
world-writable) for shared memory segments, which allows local users to read
sensitive information or modify critical program data, as demonstrated by
reading a pixmap being sent to an X server (CVE-2013-0254).

This update provides Qt4 4.8.4, which disables SSL/TLS compression by default
to mitigate CVE-2012-4929 and makes the rules for redirects a bit stricter to
mitigate CVE-2012-5624.

Patches from upstream have been included to fix CVE-2013-0254 by forcing all
System V shared memory segments to be created with user-only permissions,
fix CVE-2012-6093 by using the correct public API in openssl, and fix
CVE-2013-0743 by blacklisting the invalid certificates.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
http://qt.digia.com/Release-Notes/security-issue-september-2012/
http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
http://qt.digia.com/Release-Notes/Release-Notes-Qt-484/
http://lists.qt-project.org/pipermail/announce/2013-January/000020.html
http://lists.qt-project.org/pipermail/announce/2013-January/000021.html
http://lists.qt-project.org/pipermail/announce/2013-February/000023.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089815.html
http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094633.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096444.html
http://www.ubuntu.com/usn/USN-1687-1/
========================

Updated packages in core/updates_testing:
========================
qt4-common-4.8.4-1.1.mga2
libqtxml4-4.8.4-1.1.mga2
libqtscripttools4-4.8.4-1.1.mga2
libqtxmlpatterns4-4.8.4-1.1.mga2
libqtsql4-4.8.4-1.1.mga2
libqtnetwork4-4.8.4-1.1.mga2
libqtscript4-4.8.4-1.1.mga2
libqtgui4-4.8.4-1.1.mga2
libqtsvg4-4.8.4-1.1.mga2
libqttest4-4.8.4-1.1.mga2
libqthelp4-4.8.4-1.1.mga2
libqtclucene4-4.8.4-1.1.mga2
libqtcore4-4.8.4-1.1.mga2
libqt3support4-4.8.4-1.1.mga2
libqtopengl4-4.8.4-1.1.mga2
libqtdesigner4-4.8.4-1.1.mga2
libqtdbus4-4.8.4-1.1.mga2
libqtmultimedia4-4.8.4-1.1.mga2
qt4-qtdbus-4.8.4-1.1.mga2
libqtdeclarative4-4.8.4-1.1.mga2
qt4-qmlviewer-4.8.4-1.1.mga2
libqt4-devel-4.8.4-1.1.mga2
qt4-devel-private-4.8.4-1.1.mga2
qt4-xmlpatterns-4.8.4-1.1.mga2
qt4-qtconfig-4.8.4-1.1.mga2
qt4-doc-4.8.4-1.1.mga2
qt4-demos-4.8.4-1.1.mga2
qt4-examples-4.8.4-1.1.mga2
qt4-linguist-4.8.4-1.1.mga2
qt4-assistant-4.8.4-1.1.mga2
qt4-database-plugin-mysql-4.8.4-1.1.mga2
qt4-database-plugin-sqlite-4.8.4-1.1.mga2
qt4-database-plugin-tds-4.8.4-1.1.mga2
qt4-database-plugin-pgsql-4.8.4-1.1.mga2
qt4-graphicssystems-plugin-4.8.4-1.1.mga2
qt4-accessibility-plugin-4.8.4-1.1.mga2
qt4-designer-4.8.4-1.1.mga2
qt4-designer-plugin-webkit-4.8.4-1.1.mga2
qt4-designer-plugin-qt3support-4.8.4-1.1.mga2
qt4-qvfb-4.8.4-1.1.mga2
qt4-qdoc3-4.8.4-1.1.mga2

from qt4-4.8.4-1.1.mga2.src.rpm
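The CVE-2013-0254 paragraphs in the advisory above say that QSharedMemory created System V segments world-readable and world-writable, and that the upstream patch forces user-only permissions. The following is an added example in plain C++ on Linux, not Qt's code and not the upstream patch: it creates a private SysV segment with a requested mode, reads back the permission bits the kernel actually recorded via IPC_STAT, and flags any mode that grants access beyond the owner, so a packager or auditor can see the difference between the weak 0666 and the fixed 0600 on a real segment. It assumes SysV IPC is available (the function returns -1 where it is not, as in some sandboxes).

```cpp
#include <sys/ipc.h>
#include <sys/shm.h>
#include <cstdio>
#include <cstring>
#include <initializer_list>

// Create a private System V shared memory segment with the requested mode
// bits, read back the permission bits the kernel recorded (IPC_STAT), then
// remove the segment so nothing is left behind. Returns -1 if creation or
// inspection fails (for example, SysV IPC unavailable in a sandbox).
// Note: unlike files, SysV IPC objects do not have the umask applied, so the
// bits passed to shmget are exactly what other local users get.
int created_segment_mode(int requested_mode) {
    int id = shmget(IPC_PRIVATE, 4096, IPC_CREAT | IPC_EXCL | (requested_mode & 0777));
    if (id < 0) return -1;
    struct shmid_ds ds;
    std::memset(&ds, 0, sizeof ds);
    int mode = -1;
    if (shmctl(id, IPC_STAT, &ds) == 0) mode = static_cast<int>(ds.shm_perm.mode & 0777);
    shmctl(id, IPC_RMID, nullptr);  // nothing is attached, so this destroys it now
    return mode;
}

// Audit check: does the mode grant any read or write access to group or others?
// A segment holding pixmaps or other application data must answer "no".
bool grants_access_beyond_owner(int mode) { return (mode & 0077) != 0; }

int main() {
    const int weak  = 0666;  // world read/write: the pre-fix behaviour in the advisory
    const int fixed = 0600;  // owner-only: what the upstream patch forces
    for (int m : {weak, fixed}) {
        int got = created_segment_mode(m);
        if (got < 0) { std::printf("mode %04o: shmget/shmctl failed\n", m); continue; }
        std::printf("requested %04o -> recorded %04o: %s\n", m, got,
                    grants_access_beyond_owner(got) ? "EXPOSED to other local users" : "owner-only");
    }
    return 0;
}
```

On a running system the same IPC_STAT check can be applied to segment ids listed by `ipcs -m` to confirm that an updated Qt no longer leaves 0666 segments behind.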
Comment 17 David Walser 2013-02-13 20:46:36 CET
Fedora has issued an advisory on February 8:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098698.html

This fixes CVE-2013-0254, which is now on LWN at:
http://lwn.net/Vulnerabilities/537754/
Comment 18 claire robinson 2013-02-14 10:32:39 CET
CVE-2013-0743 seems to have been withdrawn as a CVE David.
Comment 19 claire robinson 2013-02-14 10:36:36 CET
No PoCs that I can see, so as with kdelibs, just checking for regressions in kde applications.
Comment 20 claire robinson 2013-02-14 10:40:01 CET
For qt4-designer also checking the webkit plugin is present, see https://bugs.mageia.org/show_bug.cgi?id=6656#c14
Comment 21 Carolyn Rowse 2013-02-14 11:51:24 CET
Claire, are you testing x86_64?  If so, I can check some apps for regressions in i586?

Carolyn
Comment 22 claire robinson 2013-02-15 11:24:35 CET
Testing complete mga2 64

Checked qt4-designer, dragged a QtWebView to the main window. qt-linguist starts ok, amarok, gwenview, quassel, konqueror, okular and general kde use.

No regressions noticed.
Comment 23 Carolyn Rowse 2013-02-15 16:08:44 CET
Testing some apps for regressions in i586.

Carolyn
Comment 24 Carolyn Rowse 2013-02-15 17:17:50 CET
No regressions noticed with Konversation, KWrite, KTimer, KCalc, Konsole, Gwenview, Okular

QT Designer - created a window with a button, text label, graphicsview and LCD number, viewed generated code in KWrite.  Seems OK as far as I can tell.

Carolyn
Comment 25 Carolyn Rowse 2013-02-15 17:22:09 CET
Update validated.

See comment 16 for advisory and SRPM.

Could sysadmin please push from core/updates_testing to core/updates.

Thank you.

Carolyn
Comment 26 Thomas Backlund 2013-02-16 20:26:16 CET
Update pushed:
https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0053