CVE-2012-5624: Infoleak
First published: Tue Dec 04 2012(Updated: )
An information disclosure flaw was found in the way XMLHttpRequest object implementation in Qt, a software toolkit for developing applications, performed management of certain HTTP responses. Previous implementation allowed redirection from HTTP protocol to file schemas. Also the redirection handling was performed automatically by QML application and could not be disabled. A remote attacker could use this flaw to cause QML application in an unauthorized way to read local file content by causing the HTTP response for the application to be a redirect to a file: URL (file scheme). References: [1] <a href="http://lists.qt-project.org/pipermail/announce/2012-November/000014.html">http://lists.qt-project.org/pipermail/announce/2012-November/000014.html</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| redhat/Qt | <4.8.4 | 4.8.4 |
| Qt | <=4.8.3 | |
| Qt | =1.41 | |
| Qt | =1.42 | |
| Qt | =1.43 | |
| Qt | =1.44 | |
| Qt | =1.45 | |
| Qt | =2.0.0 | |
| Qt | =2.0.1 | |
| Qt | =2.0.2 | |
| Qt | =3.3.0 | |
| Qt | =3.3.1 | |
| Qt | =3.3.2 | |
| Qt | =3.3.3 | |
| Qt | =3.3.4 | |
| Qt | =3.3.5 | |
| Qt | =3.3.6 | |
| Qt | =4.0.0 | |
| Qt | =4.0.1 | |
| Qt | =4.1.0 | |
| Qt | =4.1.1 | |
| Qt | =4.1.2 | |
| Qt | =4.1.3 | |
| Qt | =4.1.4 | |
| Qt | =4.1.5 | |
| Qt | =4.2.0 | |
| Qt | =4.2.1 | |
| Qt | =4.2.3 | |
| Qt | =4.3.0 | |
| Qt | =4.3.1 | |
| Qt | =4.3.2 | |
| Qt | =4.3.3 | |
| Qt | =4.3.4 | |
| Qt | =4.3.5 | |
| Qt | =4.4.0 | |
| Qt | =4.4.1 | |
| Qt | =4.4.2 | |
| Qt | =4.4.3 | |
| Qt | =4.5.0 | |
| Qt | =4.5.1 | |
| Qt | =4.5.2 | |
| Qt | =4.5.3 | |
| Qt | =4.6.0 | |
| Qt | =4.6.0-rc1 | |
| Qt | =4.6.1 | |
| Qt | =4.6.2 | |
| Qt | =4.6.3 | |
| Qt | =4.6.4 | |
| Qt | =4.6.5 | |
| Qt | =4.6.5-rc | |
| Qt | =4.7.0 | |
| Qt | =4.7.1 | |
| Qt | =4.7.2 | |
| Qt | =4.7.3 | |
| Qt | =4.7.4 | |
| Qt | =4.7.5 | |
| Qt | =4.7.6 | |
| Qt | =4.7.6-rc | |
| Qt | =4.8.0 | |
| Qt | =4.8.1 | |
| Qt | =4.8.2 | |
| Ubuntu Linux | =10.04 | |
| Ubuntu Linux | =11.10 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =12.10 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00034.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00045.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00048.html
- http://lists.qt-project.org/pipermail/announce/2012-November/000014.html
- http://qt.gitorious.org/qt/qt/commit/96311def2466dd44de64d77a1c815b22fbf68f71
- http://secunia.com/advisories/52217
- http://www.openwall.com/lists/oss-security/2012/12/04/8
- http://www.ubuntu.com/usn/USN-1723-1
- https://bugzilla.redhat.com/show_bug.cgi?id=883415
- https://codereview.qt-project.org/#change,40034
- https://codereview.qt-project.org/#change%2C40034
- http://www.openwall.com/lists/oss-security/2012/12/04/7
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=883457
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=883415#c4
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=883415
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=883415#c8
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=883457#c1
- https://access.redhat.com/security/cve/CVE-2012-5624
- agent/type
- agent/first-publish-date
- agent/softwarecombine
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-5624
- agent/software-canonical-lookup
- agent/weakness
- agent/severity
- agent/references
- agent/author
- agent/description
- collector/mitre-cve
- source/MITRE
- agent/last-modified-date
- agent/event
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- package-manager/redhat
- vendor/digia
- canonical/qt
- version/qt/4.8.3
- vendor/qt
- version/qt/1.41
- version/qt/1.42
- version/qt/1.43
- version/qt/1.44
- version/qt/1.45
- version/qt/2.0.0
- version/qt/2.0.1
- version/qt/2.0.2
- version/qt/3.3.0
- version/qt/3.3.1
- version/qt/3.3.2
- version/qt/3.3.3
- version/qt/3.3.4
- version/qt/3.3.5
- version/qt/3.3.6
- version/qt/4.0.0
- version/qt/4.0.1
- version/qt/4.1.0
- version/qt/4.1.1
- version/qt/4.1.2
- version/qt/4.1.3
- version/qt/4.1.4
- version/qt/4.1.5
- version/qt/4.2.0
- version/qt/4.2.1
- version/qt/4.2.3
- version/qt/4.3.0
- version/qt/4.3.1
- version/qt/4.3.2
- version/qt/4.3.3
- version/qt/4.3.4
- version/qt/4.3.5
- version/qt/4.4.0
- version/qt/4.4.1
- version/qt/4.4.2
- version/qt/4.4.3
- version/qt/4.5.0
- version/qt/4.5.1
- version/qt/4.5.2
- version/qt/4.5.3
- version/qt/4.6.0
- version/qt/4.6.0-rc1
- version/qt/4.6.1
- version/qt/4.6.2
- version/qt/4.6.3
- version/qt/4.6.4
- version/qt/4.6.5
- version/qt/4.6.5-rc
- version/qt/4.7.0
- version/qt/4.7.1
- version/qt/4.7.2
- version/qt/4.7.3
- version/qt/4.7.4
- version/qt/4.7.5
- version/qt/4.7.6
- version/qt/4.7.6-rc
- version/qt/4.8.0
- version/qt/4.8.1
- version/qt/4.8.2
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/10.04
- version/ubuntu linux/11.10
- version/ubuntu linux/12.04
- version/ubuntu linux/12.10