[Announce] Qt Project Security Advisory: QSslSocket may report incorrect errors when certificate verification fails

List for announcements regarding Qt releases and development announce at qt-project.org
Wed Jan 2 14:08:09 CET 2013


Qt Project Security Advisory
----------------------------

Title:        QSslSocket may report incorrect errors when certificate
verification fails
Risk Rating:  Low
Platforms:    All
Modules:      QtNetwork
Versions:     4.8.4 and previous
Author:       Shane Kearns
Date:         2nd January 2013

Overview
--------

If the Qt libraries are used with a different openssl version from the one
they were compiled against, then the QSslSocket::sslErrors() function will
return incorrect data.  This is most likely to be an issue when openssl is
provided by the system, but Qt is deployed with the application.

Details
-------

The Qt libraries are intended to work with multiple versions of openssl, by
loading the library dynamically at runtime and disabling features not
supported by the library version loaded.  However, due to a binary
incompatible structure layout change between openssl 0.9.8 and openssl 1.0.0
Qt will retrieve error codes from the wrong memory location during a
certificate verification callback.  Typically this results in a connection
error, but with the ssl errors list containing QSslError::NoError instead of
the correct error reason.

Impact
------

This may result in a confusing error being presented to the user which could
encourage them to ignore the ssl errors for the site.

Workaround
----------

If deploying openssl and Qt libraries, make sure the Qt libraries were
compiled against the same version of openssl being deployed.

If deploying Qt libraries alone, make sure they were compiled against the same
version of openssl that is provided by the system.

Solution
--------

This problem is solved in the forthcoming Qt 4.8.5, and the 4.7.6 and 4.6.5
patch releases. Alternatively, apply the patch below:

https://codereview.qt-project.org/#change,42461

Timeline
--------
02 December 2012 - binary incompatibility issue reported by Stephen Cheng
07 December 2012 - patch created
12 December 2012 - patch applied to codelines.
02 January 2013 - advisory released


More information about the Announce mailing list