CVE-2012-6093

Severity

43%

Complexity

86%

Confidentiality

48%

The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.

CVSS 2.0 Base Score 4.3. CVSS Attack Vector: network. CVSS Attack Complexity: medium. CVSS Vector: (AV:N/AC:M/Au:N/C:P/I:N/A:N).

Overview

First reported 11 years ago

2013-02-24 19:55:00

Last updated 6 years ago

2018-10-30 16:27:00

Affected Software

Digia Qt 4.6.0

4.6.0

Digia Qt 4.6.0 release candidate 1

4.6.0

Digia Qt 4.6.1

4.6.1

Digia Qt 4.6.2

4.6.2

Digia Qt 4.6.3

4.6.3

Digia Qt 4.6.4

4.6.4

Digia Qt 4.7.0

4.7.0

Digia Qt 4.7.1

4.7.1

Digia Qt 4.7.2

4.7.2

Digia Qt 4.7.3

4.7.3

Digia Qt 4.7.4

4.7.4

Digia Qt 4.7.5

4.7.5

Digia Qt 4.7.6 Release Candidate

4.7.6

Digia Qt 4.8.0

4.8.0

Digia Qt 4.8.1

4.8.1

Digia Qt 4.8.2

4.8.2

Digia Qt 4.8.3

4.8.3

Digia Qt 4.8.4

4.8.4

Canonical Ubuntu Linux 10.04 LTS

10.04

Canonical Ubuntu Linux 11.10

11.10

Canonical Ubuntu Linux 12.04 LTS (Long-Term Support)

12.04

Canonical Ubuntu Linux 12.10

12.10

OpenSUSE 11.4

11.4

OpenSUSE 12.2

12.2

References

http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697582

openSUSE-SU-2013:0204

openSUSE-SU-2013:0211

openSUSE-SU-2013:0256

[Announce] 20130102 Qt Project Security Advisory: QSslSocket may report incorrect errors when certificate verification fails

Vendor Advisory

http://qt.gitorious.org/qt/qt/commit/3b14dc93cf0ef06f1424d7d6319a1af4505faa53%20%284.7%29

http://qt.gitorious.org/qt/qt/commit/691e78e5061d4cbc0de212d23b06c5dffddf2098%20%284.8%29

52217