CVE-2012-6093
First published: Fri Jan 04 2013(Updated: )
A security flaw was found in the way QSslSocket implementation of the Qt, a software toolkit for applications development, performed certificate verification callbacks, when Qt libraries were used with different OpenSSL version than the one, they were compiled against. In such scenario, this would result in a connection error, but with the SSL error list to contain QSslError:NoError instead of proper reason of the error. This might result in a confusing error being presented to the end users, possibly encouraging them to ignore the SSL errors for the site the connection was initiated against. References: [1] <a href="http://lists.qt-project.org/pipermail/announce/2013-January/000020.html">http://lists.qt-project.org/pipermail/announce/2013-January/000020.html</a> Relevant upstream patch: [2] <a href="https://codereview.qt-project.org/#change,42461">https://codereview.qt-project.org/#change,42461</a>
Credit: secalert@redhat.com
| Affected Software | Affected Version | How to fix |
|---|---|---|
| Qt | <=4.6.5 | |
| Qt | =4.6.0 | |
| Qt | =4.6.0-rc1 | |
| Qt | =4.6.1 | |
| Qt | =4.6.2 | |
| Qt | =4.6.3 | |
| Qt | =4.6.4 | |
| Qt | =4.7.0 | |
| Qt | =4.7.1 | |
| Qt | =4.7.2 | |
| Qt | =4.7.3 | |
| Qt | =4.7.4 | |
| Qt | =4.7.5 | |
| Qt | =4.7.6-rc | |
| Qt | =4.8.0 | |
| Qt | =4.8.1 | |
| Qt | =4.8.2 | |
| Qt | =4.8.3 | |
| Qt | =4.8.4 | |
| Ubuntu Linux | =10.04 | |
| Ubuntu Linux | =11.10 | |
| Ubuntu Linux | =12.04 | |
| Ubuntu Linux | =12.10 | |
| openSUSE | =11.4 | |
| openSUSE | =12.2 |
Never miss a vulnerability like this again
Sign up to SecAlerts for real-time vulnerability data matched to your software, aggregated from hundreds of sources.
Reference Links
- http://lists.qt-project.org/pipermail/announce/2013-January/000020.html
- https://codereview.qt-project.org/#change,42461
- http://www.openwall.com/lists/oss-security/2013/01/04/3
- https://admin.fedoraproject.org/updates/qt-4.8.4-4.fc18
- https://admin.fedoraproject.org/updates/qt-4.8.4-4.fc17
- https://admin.fedoraproject.org/updates/qt-4.8.4-4.fc16
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=891964
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=891955#c2
- https://bugzilla.redhat.com/show_bug.cgi/show_bug.cgi?id=891955#c6
- http://www.openwall.com/lists/oss-security/2013/01/04/6
- https://bugzilla.redhat.com/show_bug.cgi?id=891955
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697582
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00086.html
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00089.html
- http://lists.opensuse.org/opensuse-updates/2013-02/msg00014.html
- http://qt.gitorious.org/qt/qt/commit/3b14dc93cf0ef06f1424d7d6319a1af4505faa53%20%284.7%29
- http://qt.gitorious.org/qt/qt/commit/691e78e5061d4cbc0de212d23b06c5dffddf2098%20%284.8%29
- http://secunia.com/advisories/52217
- http://www.ubuntu.com/usn/USN-1723-1
- https://codereview.qt-project.org/#change%2C42461
Frequently Asked Questions
What is the severity of CVE-2012-6093?
The severity of CVE-2012-6093 is considered moderate due to the potential for improper certificate verification.
How do I fix CVE-2012-6093?
To fix CVE-2012-6093, upgrade your Qt libraries to a version that is compatible with the OpenSSL version they were compiled against.
Which software is affected by CVE-2012-6093?
CVE-2012-6093 affects various versions of the Qt framework up to and including 4.8.4 and certain distributions of Ubuntu and openSUSE.
What happens if I don't address CVE-2012-6093?
Failure to address CVE-2012-6093 could lead to security vulnerabilities allowing attackers to perform man-in-the-middle attacks.
Is CVE-2012-6093 linked to specific OpenSSL versions?
Yes, CVE-2012-6093 is associated with issues arising when Qt is used with OpenSSL versions different from what Qt was compiled against.
- agent/type
- agent/first-publish-date
- agent/weakness
- agent/references
- agent/severity
- agent/author
- agent/description
- agent/softwarecombine
- collector/mitre-cve
- source/MITRE
- collector/redhat-bugzilla
- source/Red Hat
- alias/CVE-2012-6093
- agent/last-modified-date
- agent/event
- agent/trending
- agent/source
- agent/tags
- collector/nvd-index
- agent/software-canonical-lookup-request
- vendor/qt
- canonical/qt
- version/qt/4.6.5
- version/qt/4.6.0
- version/qt/4.6.0-rc1
- version/qt/4.6.1
- version/qt/4.6.2
- version/qt/4.6.3
- version/qt/4.6.4
- version/qt/4.7.0
- version/qt/4.7.1
- version/qt/4.7.2
- version/qt/4.7.3
- version/qt/4.7.4
- version/qt/4.7.5
- version/qt/4.7.6-rc
- version/qt/4.8.0
- version/qt/4.8.1
- version/qt/4.8.2
- version/qt/4.8.3
- version/qt/4.8.4
- vendor/canonical
- canonical/ubuntu linux
- version/ubuntu linux/10.04
- version/ubuntu linux/11.10
- version/ubuntu linux/12.04
- version/ubuntu linux/12.10
- vendor/opensuse
- canonical/opensuse
- version/opensuse/11.4
- version/opensuse/12.2