Bug 883415 (CVE-2012-5624)

Summary: CVE-2012-5624 Qt: QML XmlHttpRequest insecure redirection
Product: [Other] Security Response Reporter: Jan Lieskovsky <jlieskov>
Component: vulnerabilityAssignee: Red Hat Product Security <security-response-team>
Status: CLOSED ERRATA QA Contact:
Severity: low Docs Contact:
Priority: low    
Version: unspecifiedCC: itamar, jreznik, kevin, ltinkl, rdieter, rnovacek, smparrish, than
Target Milestone: ---Keywords: Security
Target Release: ---   
Hardware: All   
OS: Linux   
Whiteboard: impact=low,public=20121130,reported=20121204,source=redhat,cvss2=4.3/AV:N/AC:M/Au:N/C:P/I:N/A:N,rhel-5/qt=notaffected,rhel-5/qt4=notaffected,rhel-6/qt=notaffected,rhel-6/qt3=notaffected,fedora-all/qt=affected,fedora-all/qt3=notaffected
Fixed In Version: Qt 4.8.4 Doc Type: Bug Fix
Doc Text:
Story Points: ---
Clone Of: Environment:
Last Closed: 2012-12-04 12:23:39 EST Type: ---
Regression: --- Mount Type: ---
Documentation: --- CRM:
Verified Versions: Category: ---
oVirt Team: --- RHEL 7.3 requirements from Atomic Host:
Bug Depends On: 883457, 883467    
Bug Blocks:    

Description Jan Lieskovsky 2012-12-04 09:49:48 EST
An information disclosure flaw was found in the way XMLHttpRequest object implementation in Qt, a software toolkit for developing applications, performed management of certain HTTP responses. Previous implementation allowed redirection from HTTP protocol to file schemas. Also the redirection handling was performed automatically by QML application and could not be disabled. A remote attacker could use this flaw to cause QML application in an unauthorized way to read local file content by causing the HTTP response for the application to be a redirect to a file: URL (file scheme).

References:
[1] http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
Comment 1 Jan Lieskovsky 2012-12-04 09:53:37 EST
The following builds:
1) qt-4.8.4-1.fc16 for Fedora 16,
2) qt-4.8.4-1.fc17 for Fedora 17

have been already created to correct this issue in the versions of qt package, as shipped with Fedora release of 16 and Fedora release of 17.
Comment 2 Jan Lieskovsky 2012-12-04 10:00:03 EST
Relevant upstream patch:
[2] https://codereview.qt-project.org/#change,40034

CVE Request:
[3] http://www.openwall.com/lists/oss-security/2012/12/04/7
Comment 3 Kevin Kofler 2012-12-04 11:18:02 EST
qt3 cannot possibly be vulnerable to this, there is no QML in Qt 3.
Comment 4 Rex Dieter 2012-12-04 11:20:28 EST
I submitted some bodhi updates, should i mark them fixing this bug or something specific against qt component?
Comment 5 Jan Lieskovsky 2012-12-04 11:23:15 EST
This issue did NOT affect the versions of the qt and qt4 packages, as shipped with Red Hat Enterprise Linux 5.

--

This issue did NOT affect the versions of the qt3 and qt packages, as shipped with Red Hat Enterprise Linux 6.

--

This issue did NOT affect the versions of the qt3 package, as shipped with Fedora release of 16 and 17.
Comment 6 Jan Lieskovsky 2012-12-04 11:26:52 EST
Created qt tracking bugs for this issue

Affects: fedora-all [bug 883457]
Comment 7 Jan Lieskovsky 2012-12-04 11:28:55 EST
(In reply to comment #4)
> I submitted some bodhi updates, should i mark them fixing this bug or
> something specific against qt component?

Hi Rex,

  thanks for making those. Please use rather above (c#6 / RH BZ#883457) one instead of this one (RH BZ#883415 directly) for that.

Thanks, Jan.
Comment 8 Rex Dieter 2012-12-04 11:45:31 EST
i just want to get this right, should I block *just* bug #883457 or that one *and* this bug #883415 ?  the bodhi link mentioned in #883457 includes both.
Comment 9 Jan Lieskovsky 2012-12-04 11:49:26 EST
(In reply to comment #8)
> i just want to get this right, should I block *just* bug #883457 or that one
> *and* this bug #883415 ?  the bodhi link mentioned in #883457 includes both.

Do what's written in bug #883457#c1 (IOW include both bugs). If i am not mistaken, Bodhi should recognize the difference in them (and add comments about updates into the tracker only).
Comment 10 Jan Lieskovsky 2012-12-04 12:02:08 EST
Statement:

Not vulnerable. This issue did not affect the versions of qt and qt4 as shipped with Red Hat Enterprise Linux 5. This issue did not affect the versions of qt3 and qt as shipped with Red Hat Enterprise Linux 6.
Comment 11 Jan Lieskovsky 2012-12-04 12:21:25 EST
CVE identifier of CVE-2012-5624 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2012/12/04/8
Comment 12 Fedora Update System 2012-12-11 00:54:31 EST
qt-4.8.4-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 13 Fedora Update System 2012-12-13 01:01:29 EST
qt-4.8.4-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.
Comment 14 Fedora Update System 2012-12-21 07:04:03 EST
qt-4.8.4-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.