Qt Project Security Advisory
----------------------------

Title: QSslSocket may report incorrect errors when certificate verification fails
Risk Rating: Low
Platforms: All
Modules: QtNetwork
Versions: 4.8.4 and previous
Author: Shane Kearns
Date: 2nd January 2013
Overview
--------

If the Qt libraries are used with a different OpenSSL version from the one they were compiled against, then the QSslSocket::sslErrors() function will return incorrect data. This is most likely to be an issue when OpenSSL is provided by the system, but Qt is deployed with the application.

Details
-------

The Qt libraries are intended to work with multiple versions of OpenSSL, by loading the library dynamically at runtime and disabling features not supported by the library version loaded. However, due to a binary incompatible structure layout change between OpenSSL 0.9.8 and OpenSSL 1.0.0, Qt will retrieve error codes from the wrong memory location during a certificate verification callback. Typically this results in a connection error, but with the SSL errors list containing QSslError::NoError instead of the correct error reason.

Impact
------

This may result in a confusing error being presented to the user, which could encourage them to ignore the SSL errors for the site.

Workaround
----------

If deploying OpenSSL and Qt libraries, make sure the Qt libraries were compiled against the same version of OpenSSL being deployed.

If deploying Qt libraries alone, make sure they were compiled against the same version of OpenSSL that is provided by the system.

Solution
--------

This problem is solved in the forthcoming Qt 4.8.5, and the 4.7.6 and 4.6.5 patch releases. Alternatively, apply the patch below:

https://codereview.qt-project.org/#change,42461

Timeline
--------

02 December 2012 - binary incompatibility issue reported by Stephen Cheng
07 December 2012 - patch created
12 December 2012 - patch applied to codelines
02 January 2013 - advisory released

_______________________________________________
Announce mailing list
[email protected]
http://lists.qt-project.org/mailman/listinfo/announce
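The Details section above describes a caller reading a field through the struct layout it was compiled against while the dynamically loaded library uses a different layout. The following added example (not code from Qt or OpenSSL) models that mechanism with two constructed struct layouts, `verify_ctx_a` and `verify_ctx_b`, standing in for the two library versions; it shows the compile-time-offset read yielding 0 (the "no error" value) when a real verification error is present, and the mitigation of reading through an accessor exported by the loaded library instead.

```c
/* Constructed model of the layout-mismatch bug in the advisory.
 * verify_ctx_a / verify_ctx_b are NOT OpenSSL's real structures. */
#include <stddef.h>
#include <stdio.h>
#include <string.h>

#define VERIFY_OK      0   /* plays the role of QSslError::NoError */
#define VERIFY_EXPIRED 10  /* constructed non-zero verification error */

/* Layout the application was compiled against (library version A). */
struct verify_ctx_a {
    void *cert;
    int   error;   /* error code sits right after the cert pointer */
    int   depth;
};

/* Layout of the library actually loaded at run time (version B):
 * a field was inserted before `error`, so its offset moved. */
struct verify_ctx_b {
    void *cert;
    void *chain;   /* inserted field shifts `error` further down */
    int   error;
    int   depth;
};

/* Accessor exported by library B: it knows the real layout. */
int ctx_b_get_error(const struct verify_ctx_b *ctx) { return ctx->error; }

/* Buggy pattern: read at the offset from the compile-time (A) layout.
 * That offset now lands on the NULL `chain` pointer, so we read 0. */
int read_error_via_layout(const struct verify_ctx_b *ctx) {
    int e;
    const unsigned char *raw = (const unsigned char *)ctx;
    memcpy(&e, raw + offsetof(struct verify_ctx_a, error), sizeof e);
    return e;
}

/* Mitigation: never hard-code the layout; call the library's accessor. */
int read_error_via_accessor(const struct verify_ctx_b *ctx) {
    return ctx_b_get_error(ctx);
}

/* Build a verification context whose check has failed. */
struct verify_ctx_b make_failed_ctx(void) {
    struct verify_ctx_b ctx = { NULL, NULL, VERIFY_EXPIRED, 0 };
    return ctx;
}

int main(void) {
    struct verify_ctx_b ctx = make_failed_ctx();
    printf("via layout:   %d\n", read_error_via_layout(&ctx));   /* 0 */
    printf("via accessor: %d\n", read_error_via_accessor(&ctx)); /* 10 */
    return 0;
}
```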
