An information disclosure flaw was found in the way XMLHttpRequest object implementation in Qt, a software toolkit for developing applications, performed management of certain HTTP responses. Previous implementation allowed redirection from HTTP protocol to file schemas. Also the redirection handling was performed automatically by QML application and could not be disabled. A remote attacker could use this flaw to cause QML application in an unauthorized way to read local file content by causing the HTTP response for the application to be a redirect to a file: URL (file scheme). References: [1] http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
The following builds: 1) qt-4.8.4-1.fc16 for Fedora 16, 2) qt-4.8.4-1.fc17 for Fedora 17 have been already created to correct this issue in the versions of qt package, as shipped with Fedora release of 16 and Fedora release of 17.
Relevant upstream patch: [2] https://codereview.qt-project.org/#change,40034 CVE Request: [3] http://www.openwall.com/lists/oss-security/2012/12/04/7
qt3 cannot possibly be vulnerable to this, there is no QML in Qt 3.
I submitted some bodhi updates, should i mark them fixing this bug or something specific against qt component?
This issue did NOT affect the versions of the qt and qt4 packages, as shipped with Red Hat Enterprise Linux 5. -- This issue did NOT affect the versions of the qt3 and qt packages, as shipped with Red Hat Enterprise Linux 6. -- This issue did NOT affect the versions of the qt3 package, as shipped with Fedora release of 16 and 17.
Created qt tracking bugs for this issue Affects: fedora-all [bug 883457]
(In reply to comment #4) > I submitted some bodhi updates, should i mark them fixing this bug or > something specific against qt component? Hi Rex, thanks for making those. Please use rather above (c#6 / RH BZ#883457) one instead of this one (RH BZ#883415 directly) for that. Thanks, Jan.
i just want to get this right, should I block *just* bug #883457 or that one *and* this bug #883415 ? the bodhi link mentioned in #883457 includes both.
(In reply to comment #8) > i just want to get this right, should I block *just* bug #883457 or that one > *and* this bug #883415 ? the bodhi link mentioned in #883457 includes both. Do what's written in bug #883457#c1 (IOW include both bugs). If i am not mistaken, Bodhi should recognize the difference in them (and add comments about updates into the tracker only).
Statement: Not vulnerable. This issue did not affect the versions of qt and qt4 as shipped with Red Hat Enterprise Linux 5. This issue did not affect the versions of qt3 and qt as shipped with Red Hat Enterprise Linux 6.
CVE identifier of CVE-2012-5624 has been assigned to this issue: http://www.openwall.com/lists/oss-security/2012/12/04/8
qt-4.8.4-1.fc18 has been pushed to the Fedora 18 stable repository. If problems still persist, please make note of it in this bug report.
qt-4.8.4-1.fc17 has been pushed to the Fedora 17 stable repository. If problems still persist, please make note of it in this bug report.
qt-4.8.4-1.fc16 has been pushed to the Fedora 16 stable repository. If problems still persist, please make note of it in this bug report.