Bug 611086 (CVE-2010-2621)

Summary: CVE-2010-2621 Qt (QSslSocketBackendPrivate): DoS (infinite loop) via malformed request
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED WONTFIX QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: than, vdanen
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2015-08-22 15:13:55 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:

Description Jan Lieskovsky 2010-07-03 15:02:47 UTC 
Common Vulnerabilities and Exposures assigned an identifier CVE-2010-2621 to
the following vulnerability:

The QSslSocketBackendPrivate::transmit function in
src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows
remote attackers to cause a denial of service (infinite loop) via a
malformed request.

References:
  [1] http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2010-2621
  [2] http://aluigi.altervista.org/adv/qtsslame-adv.txt
  [3] http://aluigi.org/poc/qtsslame.zip
  [4] http://www.securityfocus.com/bid/41250
  [5] http://osvdb.org/65860
  [6] http://secunia.com/advisories/40389
  [7] http://www.vupen.com/english/advisories/2010/1657
Comment 3 Vincent Danen 2010-07-16 22:37:34 UTC 
This looks to be the fix for this issue:

http://qt.gitorious.org/qt/qt/commit/f7fe575bc5f628533aeeca3eb564af89a1a1426b

However, it was also reported that this fix causes a regression with peer certificate validation when used with openssl >= 0.9.8n:

http://bugreports.qt.nokia.com/browse/QTBUG-7200
http://sourceforge.net/mailarchive/forum.php?thread_name=4C3F8BC6.9030303%40natvig.com&forum_name=mumble-packaging

So this fix would work for us in those products that use an older openssl, but not in Fedora.  I think it would be better to wait for a better fix.

Noted via Ludwig Nussel:

http://article.gmane.org/gmane.comp.security.oss.general/3198
Comment 10 Huzaifa S. Sidhpurwala 2010-09-21 08:40:29 UTC 
This issue did not affect the versions of qt as shipped with
Red Hat Enterprise Linux 3, 4 and 5 as it does not provide
ssl socket support.
Comment 15 Vincent Danen 2015-08-22 15:13:43 UTC 
Statement:

Red Hat Product Security has rated this issue as having Low security impact. This issue is not currently planned to be addressed in future updates. For additional information, refer to the Issue Severity Classification: https://access.redhat.com/security/updates/classification/.