Bug 883415 (CVE-2012-5624) - CVE-2012-5624 Qt: QML XmlHttpRequest insecure redirection
Summary: CVE-2012-5624 Qt: QML XmlHttpRequest insecure redirection
Keywords:
Status: CLOSED ERRATA
Alias: CVE-2012-5624
Product: Security Response
Classification: Other
Component: vulnerability
Version: unspecified
Hardware: All
OS: Linux
low
low
Target Milestone: ---
Assignee: Red Hat Product Security
QA Contact:
URL:
Whiteboard:
Depends On: 883457 883467
Blocks:
TreeView+ depends on / blocked
 
Reported: 2012-12-04 14:49 UTC by Jan Lieskovsky
Modified: 2019-09-29 12:58 UTC (History)
8 users (show)

Fixed In Version: Qt 4.8.4
Doc Type: Bug Fix
Doc Text:
Clone Of:
Environment:
Last Closed: 2012-12-04 17:23:39 UTC


Attachments (Terms of Use)

Description Jan Lieskovsky 2012-12-04 14:49:48 UTC
An information disclosure flaw was found in the way XMLHttpRequest object implementation in Qt, a software toolkit for developing applications, performed management of certain HTTP responses. Previous implementation allowed redirection from HTTP protocol to file schemas. Also the redirection handling was performed automatically by QML application and could not be disabled. A remote attacker could use this flaw to cause QML application in an unauthorized way to read local file content by causing the HTTP response for the application to be a redirect to a file: URL (file scheme).

References:
[1] http://lists.qt-project.org/pipermail/announce/2012-November/000014.html

Comment 1 Jan Lieskovsky 2012-12-04 14:53:37 UTC
The following builds:
1) qt-4.8.4-1.fc16 for Fedora 16,
2) qt-4.8.4-1.fc17 for Fedora 17

have been already created to correct this issue in the versions of qt package, as shipped with Fedora release of 16 and Fedora release of 17.

Comment 2 Jan Lieskovsky 2012-12-04 15:00:03 UTC
Relevant upstream patch:
[2] https://codereview.qt-project.org/#change,40034

CVE Request:
[3] http://www.openwall.com/lists/oss-security/2012/12/04/7

Comment 3 Kevin Kofler 2012-12-04 16:18:02 UTC
qt3 cannot possibly be vulnerable to this, there is no QML in Qt 3.

Comment 4 Rex Dieter 2012-12-04 16:20:28 UTC
I submitted some bodhi updates, should i mark them fixing this bug or something specific against qt component?

Comment 5 Jan Lieskovsky 2012-12-04 16:23:15 UTC
This issue did NOT affect the versions of the qt and qt4 packages, as shipped with Red Hat Enterprise Linux 5.

--

This issue did NOT affect the versions of the qt3 and qt packages, as shipped with Red Hat Enterprise Linux 6.

--

This issue did NOT affect the versions of the qt3 package, as shipped with Fedora release of 16 and 17.

Comment 6 Jan Lieskovsky 2012-12-04 16:26:52 UTC
Created qt tracking bugs for this issue

Affects: fedora-all [bug 883457]

Comment 7 Jan Lieskovsky 2012-12-04 16:28:55 UTC
(In reply to comment #4)
> I submitted some bodhi updates, should i mark them fixing this bug or
> something specific against qt component?

Hi Rex,

  thanks for making those. Please use rather above (c#6 / RH BZ#883457) one instead of this one (RH BZ#883415 directly) for that.

Thanks, Jan.

Comment 8 Rex Dieter 2012-12-04 16:45:31 UTC
i just want to get this right, should I block *just* bug #883457 or that one *and* this bug #883415 ?  the bodhi link mentioned in #883457 includes both.

Comment 9 Jan Lieskovsky 2012-12-04 16:49:26 UTC
(In reply to comment #8)
> i just want to get this right, should I block *just* bug #883457 or that one
> *and* this bug #883415 ?  the bodhi link mentioned in #883457 includes both.

Do what's written in bug #883457#c1 (IOW include both bugs). If i am not mistaken, Bodhi should recognize the difference in them (and add comments about updates into the tracker only).

Comment 10 Jan Lieskovsky 2012-12-04 17:02:08 UTC
Statement:

Not vulnerable. This issue did not affect the versions of qt and qt4 as shipped with Red Hat Enterprise Linux 5. This issue did not affect the versions of qt3 and qt as shipped with Red Hat Enterprise Linux 6.

Comment 11 Jan Lieskovsky 2012-12-04 17:21:25 UTC
CVE identifier of CVE-2012-5624 has been assigned to this issue:
  http://www.openwall.com/lists/oss-security/2012/12/04/8

Comment 12 Fedora Update System 2012-12-11 05:54:31 UTC
qt-4.8.4-1.fc18 has been pushed to the Fedora 18 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 13 Fedora Update System 2012-12-13 06:01:29 UTC
qt-4.8.4-1.fc17 has been pushed to the Fedora 17 stable repository.  If problems still persist, please make note of it in this bug report.

Comment 14 Fedora Update System 2012-12-21 12:04:03 UTC
qt-4.8.4-1.fc16 has been pushed to the Fedora 16 stable repository.  If problems still persist, please make note of it in this bug report.


Note You need to log in before you can comment on or make changes to this bug.