Richard Moore and Simon Ward reported a flaw in the way the Qt software toolkit handled wildcard characters in the Common Name field of an X.509v3 digital certificate. If an attacker is able to get a carefully-crafted certificate, signed by a Certificate Authority trusted by the Konqueror / Arora web browsers, the attacker could use the certificate during a man-in-the-middle attack and potentially confuse Konqueror / Arora into accepting it by mistake. This is a different vulnerability than CVE-2009-2408.

References:
[1] http://www.westpoint.ltd.uk/advisories/wp-10-0001.txt
[2] http://bugs.gentoo.org/show_bug.cgi?id=335730
Upstream commit addressing this issue:
http://qt.gitorious.org/qt/qt/commit/846f1b44eea4bb34d080d055badb40a4a13d369e

KDE code re-implements the name checking code in KIO::TCPSlaveBase; the following KDE commits change that code to address wp-10-0001 as well as the issue with the * wildcard matching more than one host name label (see QTBUG-4455 or bug #520435, comment #2):
http://websvn.kde.org/?view=revision&revision=1173851 (trunk)
http://websvn.kde.org/?view=revision&revision=1173904 (4.4)
(In reply to comment #17)
> Upstream commit addressing this issue:
> http://qt.gitorious.org/qt/qt/commit/846f1b44eea4bb34d080d055badb40a4a13d369e

This patch has to be applied after:
http://qt.gitorious.org/qt/qt/commit/5f6018564668d368f75e431c4cdac88d7421cff0
which is a fix for:
http://bugreports.qt.nokia.com/browse/QTBUG-4455 (see bug #520435, comment #2)
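As an added example (not Qt's or KDE's own code), the two matchers below contrast the bug class the comments describe with the behaviour a fix needs: a constructed suffix-style wildcard match that lets `*` swallow more than one host name label, beside a strict per-label match where `*` may only be the whole leftmost label and stands for exactly one label. Function names and sample host names are assumptions.

```cpp
#include <cctype>
#include <string>
#include <vector>

// Lower-case a host name or pattern (DNS names compare case-insensitively).
static std::string lower(std::string s) {
    for (char& c : s) c = static_cast<char>(std::tolower(static_cast<unsigned char>(c)));
    return s;
}

// Split a name into its dot-separated labels.
static std::vector<std::string> labels(const std::string& name) {
    std::vector<std::string> out;
    std::string cur;
    for (char c : lower(name)) {
        if (c == '.') { out.push_back(cur); cur.clear(); } else cur.push_back(c);
    }
    out.push_back(cur);
    return out;
}

// Constructed illustration of the flawed approach (not the actual Qt code):
// a leading '*' is treated as "any prefix", including prefixes containing
// dots, so "*.example.com" also matches "a.b.example.com" and a bare "*"
// matches every host.
bool naiveMatch(const std::string& pattern, const std::string& host) {
    std::string pat = lower(pattern), h = lower(host);
    if (!pat.empty() && pat[0] == '*') {
        std::string suffix = pat.substr(1);
        return h.size() >= suffix.size() &&
               h.compare(h.size() - suffix.size(), suffix.size(), suffix) == 0;
    }
    return pat == h;
}

// Strict matcher: label counts must agree, '*' is only allowed as the entire
// leftmost label, it matches exactly one label, and at least two fixed labels
// must follow it (so "*.com" is rejected as too broad).
bool strictMatch(const std::string& pattern, const std::string& host) {
    std::vector<std::string> p = labels(pattern), h = labels(host);
    if (p.empty() || p.size() != h.size()) return false;
    for (size_t i = 0; i < p.size(); ++i) {
        if (p[i].empty() || h[i].empty()) return false;  // reject "a..b" and trailing dots
        if (i == 0 && p[i] == "*") {
            if (p.size() < 3) return false;
            continue;                                       // consumes exactly this one label
        }
        if (p[i].find('*') != std::string::npos) return false; // no partial or inner wildcards
        if (p[i] != h[i]) return false;
    }
    return true;
}
```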
This issue has been assigned CVE-2010-5076
This issue has been addressed in the following products:

Red Hat Enterprise Linux 6

Via RHSA-2012:0880 https://rhn.redhat.com/errata/RHSA-2012-0880.html