oss-sec mailing list archives
Re: CVE Request: QT CRIME vulnerability
From: Kurt Seifried <kseifried () redhat com>
Date: Tue, 02 Oct 2012 22:30:30 -0600
-----BEGIN PGP SIGNED MESSAGE----- Hash: SHA1 On 10/02/2012 08:37 PM, Seth Arnold wrote:
Hello Steve, all, Qt has prepared a fix to the "CRIME" SSL/TLS attack by disabling compression but I cannot find a CVE. Some details can be found here http://permalink.gmane.org/gmane.comp.lib.qt.devel/6729 :... The git changes are as follows: 5.0: 5ea896fbc63593f424a7dfbb11387599c0025c74 4.8: d41dc3e101a694dec98d7bbb582d428d209e5401 4.7: 3488f1db96dbf70bb0486d3013d86252ebf433e0 For older 4.x releases, the 4.7 patch is expected to work. ...Some web links to the commits in question: http://qt.gitorious.org/qt/qt/commit/3488f1db96dbf70bb0486d3013d86252ebf433e0
http://qt.gitorious.org/qt/qt/commit/d41dc3e101a694dec98d7bbb582d428d209e5401
http://qt.gitorious.org/qt/qtbase/commit/5ea896fbc63593f424a7dfbb11387599c0025c74 Please allocate a CVE for these fixes. Thank you
I assumed this was being handled like CVE-2009-3555 (aka "el diablo"), in other words everything gets shoved under: CVE-2012-4930 The SPDY protocol 3 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can perform TLS encryption of compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack. or CVE-2012-4929 The TLS protocol 1.2 and earlier, as used in Mozilla Firefox, Google Chrome, and other products, can encrypt compressed data without properly obfuscating the length of the unencrypted data, which allows man-in-the-middle attackers to obtain plaintext HTTP headers by observing length differences during a series of guesses in which a string in an HTTP request potentially matches an unknown string in an HTTP header, aka a "CRIME" attack. Steve, can you comment? - -- Kurt Seifried Red Hat Security Response Team (SRT) PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993 -----BEGIN PGP SIGNATURE----- Version: GnuPG v1.4.12 (GNU/Linux) Comment: Using GnuPG with Mozilla - http://www.enigmail.net/ iQIcBAEBAgAGBQJQa79mAAoJEBYNRVNeJnmTFGEP/3RSEmz1gAA2sWB5CUYmdSmO /wTwNz1mShlPvfJNQrRvj57yIHlkJmE546freIdIfWSIfH6Hs55xKeyXIZKRybeU BlZQhYLkZFtdVkcK9oBBdAkZ+229Pclwd8TY/zkGT7XfCt7BCpcmA65OlM2EoNyN iOWDSBE09AJUEC10cGBr79A8jjiV7BS2TRJZYxqT7/VhsKu89Co2OW2avI5KQIMA 2nH0ImEonuH34djvREw4mViv4XofyNM4ZXPVfvw+PnBTDJQE3b1CnU2CXwQiklLt rndJskP+cHz6Kgw+goDZlmX8m7tQs2c6eiKS2qa+NdC4WFcwKxuLEVw4i/pZTe4T g3Y5e+KJV1t4Ee6jLG9CFT1SLytw+a+SRtTsia9lNHgV377JtQeZuNrjiF7Lh+8d FVNp0RezEU1aZyQl6DGjvhmOfN3S9uhuEkT4GnxEMaDSOzSxA4CCjY08IOS+9Jha wVyVx9+upE+c/kkUdoVE5UdX9uV+8/CjMkbKg9BF+OwigAK1S6oL4vEQk/QPHVGh 87g3+0ud3eIAp5NCZo8xwOXsAUOwLtg8Y7VxN/hbQ6t1VWOx0XfmA0xDqQnXk3v0 JUMAQyTfqajEtluGeyf5IF4VOQvXECTeEI7XnkvUDTZopAkSzklc1eH9BpRv3kEg 3kezxmd/U5w3OzZd1OGl =t+3H -----END PGP SIGNATURE-----
Current thread:
- CVE Request: QT CRIME vulnerability Seth Arnold (Oct 02)
- Re: CVE Request: QT CRIME vulnerability Kurt Seifried (Oct 02)
- Re: CVE Request: QT CRIME vulnerability cve-assign (Oct 08)
- Re: CVE Request: QT CRIME vulnerability Kurt Seifried (Oct 02)