Qt 5.12.2 through 5.14.2, as used in unofficial builds of Mumble 1.3.0 and other products, mishandles OpenSSL's error queue, which can cause a denial of service to QSslSocket users. Because errors leak in unrelated TLS sessions, an unrelated session may be disconnected when any handshake fails. (Mumble 1.3.1 is not affected, regardless of the Qt version.)

Upstream Bug:
https://bugreports.qt.io/browse/QTBUG-83450

References:
https://github.com/mumble-voip/mumble/issues/3679
https://github.com/mumble-voip/mumble/pull/4032
Created mumble tracking bugs for this issue: Affects: fedora-all [bug 1849735]
Created qt5 tracking bugs for this issue: Affects: fedora-all [bug 1849737]
Technical Summary:

qt5-qtbase calls q_SSL_shutdown() in QSslSocketBackendPrivate::destroySslContext() from src/network/ssl/qsslsocket_openssl.cpp without checking that it is not in the middle of an SSL handshake. Calling q_SSL_shutdown() during a handshake creates an OpenSSL error that is not handled by Qt5, and closes connections, even in other QSslSockets.

> Error while reading: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init [20]

The patch introduces a function q_SSL_in_init() to ensure there is no active handshake and checks for any SSL errors before calling q_SSL_shutdown().

This flaw could lead to a denial of service in both the connection that called q_SSL_shutdown() and any other open connections with other clients. In order for an application to be vulnerable, it would need to utilize the SSL/TLS functionality of qt5-qtcore 5.12.2 through 5.14.2.

Upstream patch:
https://codereview.qt-project.org/c/qt/qtbase/+/297149
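The error-queue leak from the technical summary, as a small model added here (not Qt or OpenSSL code, and it links against neither). TlsSession, modelShutdown, modelRead and g_errQueue are hypothetical stand-ins; the model assumes a read treats any entry already in the thread's error queue as a fatal error on its own session.

```cpp
#include <iostream>
#include <vector>

// Model only: stands in for the per-thread OpenSSL error queue.
static thread_local std::vector<const char *> g_errQueue;

struct TlsSession {            // hypothetical stand-in for one socket's SSL state
    bool inHandshake = true;
    bool connected = true;
};

// Models q_SSL_shutdown(): mid-handshake it fails and leaves an error queued.
int modelShutdown(TlsSession &s) {
    if (s.inHandshake) {
        g_errQueue.push_back("SSL_shutdown:shutdown while in init");
        return -1;
    }
    return 1;
}

// Models an idle read on an established session. Assumption: any entry already
// in the thread's queue is taken as a fatal error for this session.
void modelRead(TlsSession &s) {
    if (!g_errQueue.empty()) s.connected = false;
}

// Teardown as described for the affected versions: shutdown is always attempted.
void destroyUnguarded(TlsSession &s) { modelShutdown(s); s.connected = false; }

// Teardown with the handshake check the patch adds (q_SSL_in_init() in Qt).
void destroyGuarded(TlsSession &s) {
    if (!s.inHandshake) modelShutdown(s);
    s.connected = false;
}

// True if an established bystander survives another session's failed handshake.
bool bystanderSurvives(bool guarded) {
    g_errQueue.clear();
    TlsSession failing;                  // torn down while still in handshake
    TlsSession bystander;
    bystander.inHandshake = false;       // established and idle
    if (guarded) destroyGuarded(failing); else destroyUnguarded(failing);
    modelRead(bystander);
    return bystander.connected;
}

int main() {
    std::cout << bystanderSurvives(false) << " " << bystanderSurvives(true) << "\n";
}
```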
Mitigation: Mitigation for this issue is either not available or the currently available options do not meet the Red Hat Product Security criteria comprising ease of use and deployment, applicability to widespread installation base or stability.
This bug is now closed. Further updates for individual products will be reflected on the CVE page(s): https://access.redhat.com/security/cve/cve-2020-13962
This issue has been addressed in the following products:

Red Hat Enterprise Linux 8

Via RHSA-2020:4690 https://access.redhat.com/errata/RHSA-2020:4690