Bug 630063 (CVE-2010-5076)

Summary: CVE-2010-5076 Qt: QSslSocket incorrect handling of IP wildcards in certificate Common Name
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: bressers, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard:
Fixed In Version: Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-06-20 10:09:28 UTC Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Cloudforms Team: --- Target Upstream Version:
Embargoed:
Bug Depends On: 805433    
Bug Blocks: 784298    

Description Jan Lieskovsky 2010-09-03 15:53:02 UTC 
Richard Moore and Simon Ward reported flaw in the way Qt software toolkit
handled wildcard characters in the Common Name field of a x509v3 digital
certificate. If an attacker is able to get a carefully-crafted certificate,
signed by a Certificate Authority trusted by Konqueror / Arora web browsers, 
the attacker could use the certificate during the man-in-the-middle attack 
and potentially confuse Konqueror / Arora into accepting it by mistake. 
Different vulnerability than CVE-2009-2408.

References:
 [1] http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
 [2] http://bugs.gentoo.org/show_bug.cgi?id=335730
Comment 17 Tomas Hoger 2010-09-13 08:36:18 UTC 
Upstream commit addressing this issue:
  http://qt.gitorious.org/qt/qt/commit/846f1b44eea4bb34d080d055badb40a4a13d369e

KDE code re-implements name checking code in KIO::TCPSlaveBase, following KDE commit changes that code to address wp-10-0001 as well as the issue with * wilcard matching more than one host name label (see QTBUG-4455 or bug #520435, comment #2):

  http://websvn.kde.org/?view=revision&revision=1173851 (trunk)
  http://websvn.kde.org/?view=revision&revision=1173904 (4.4)
Comment 18 Tomas Hoger 2010-09-27 09:57:24 UTC 
(In reply to comment #17)
> Upstream commit addressing this issue:
>   http://qt.gitorious.org/qt/qt/commit/846f1b44eea4bb34d080d055badb40a4a13d369e

This patch has to be applied after:
  http://qt.gitorious.org/qt/qt/commit/5f6018564668d368f75e431c4cdac88d7421cff0

which is a fix for:
  http://bugreports.qt.nokia.com/browse/QTBUG-4455 (see bug #520435, comment #2)
Comment 20 Huzaifa S. Sidhpurwala 2012-03-21 09:53:37 UTC 
This issue has been assigned CVE-2010-5076
Comment 26 errata-xmlrpc 2012-06-20 07:18:23 UTC 
This issue has been addressed in following products:

  Red Hat Enterprise Linux 6

Via RHSA-2012:0880 https://rhn.redhat.com/errata/RHSA-2012-0880.html