Home page logo
/

oss-sec logo oss-sec mailing list archives

Re: CVE Request: QT CRIME vulnerability
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 02 Oct 2012 22:30:30 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/02/2012 08:37 PM, Seth Arnold wrote:
Hello Steve, all,

Qt has prepared a fix to the "CRIME" SSL/TLS attack by disabling 
compression but I cannot find a CVE.

Some details can be found here 
http://permalink.gmane.org/gmane.comp.lib.qt.devel/6729 :
... The git changes are as follows: 5.0:
5ea896fbc63593f424a7dfbb11387599c0025c74 4.8:
d41dc3e101a694dec98d7bbb582d428d209e5401 4.7:
3488f1db96dbf70bb0486d3013d86252ebf433e0

For older 4.x releases, the 4.7 patch is expected to work. ...

Some web links to the commits in question:

http://qt.gitorious.org/qt/qt/commit/3488f1db96dbf70bb0486d3013d86252ebf433e0


http://qt.gitorious.org/qt/qt/commit/d41dc3e101a694dec98d7bbb582d428d209e5401
http://qt.gitorious.org/qt/qtbase/commit/5ea896fbc63593f424a7dfbb11387599c0025c74



Please allocate a CVE for these fixes.

Thank you


I assumed this was being handled like CVE-2009-3555 (aka "el diablo"),
in other words everything gets shoved under:

CVE-2012-4930   The SPDY protocol 3 and earlier, as used in Mozilla
Firefox, Google Chrome, and other products, can perform TLS encryption
of compressed data without properly obfuscating the length of the
unencrypted data, which allows man-in-the-middle attackers to obtain
plaintext HTTP headers by observing length differences during a series
of guesses in which a string in an HTTP request potentially matches an
unknown string in an HTTP header, aka a "CRIME" attack.

or

CVE-2012-4929   The TLS protocol 1.2 and earlier, as used in Mozilla
Firefox, Google Chrome, and other products, can encrypt compressed
data without properly obfuscating the length of the unencrypted data,
which allows man-in-the-middle attackers to obtain plaintext HTTP
headers by observing length differences during a series of guesses in
which a string in an HTTP request potentially matches an unknown
string in an HTTP header, aka a "CRIME" attack.

Steve, can you comment?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQa79mAAoJEBYNRVNeJnmTFGEP/3RSEmz1gAA2sWB5CUYmdSmO
/wTwNz1mShlPvfJNQrRvj57yIHlkJmE546freIdIfWSIfH6Hs55xKeyXIZKRybeU
BlZQhYLkZFtdVkcK9oBBdAkZ+229Pclwd8TY/zkGT7XfCt7BCpcmA65OlM2EoNyN
iOWDSBE09AJUEC10cGBr79A8jjiV7BS2TRJZYxqT7/VhsKu89Co2OW2avI5KQIMA
2nH0ImEonuH34djvREw4mViv4XofyNM4ZXPVfvw+PnBTDJQE3b1CnU2CXwQiklLt
rndJskP+cHz6Kgw+goDZlmX8m7tQs2c6eiKS2qa+NdC4WFcwKxuLEVw4i/pZTe4T
g3Y5e+KJV1t4Ee6jLG9CFT1SLytw+a+SRtTsia9lNHgV377JtQeZuNrjiF7Lh+8d
FVNp0RezEU1aZyQl6DGjvhmOfN3S9uhuEkT4GnxEMaDSOzSxA4CCjY08IOS+9Jha
wVyVx9+upE+c/kkUdoVE5UdX9uV+8/CjMkbKg9BF+OwigAK1S6oL4vEQk/QPHVGh
87g3+0ud3eIAp5NCZo8xwOXsAUOwLtg8Y7VxN/hbQ6t1VWOx0XfmA0xDqQnXk3v0
JUMAQyTfqajEtluGeyf5IF4VOQvXECTeEI7XnkvUDTZopAkSzklc1eH9BpRv3kEg
3kezxmd/U5w3OzZd1OGl
=t+3H
-----END PGP SIGNATURE-----


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault