Package: libqt4-network
Version: 4.4.3-1
Severity: grave
Justification: user security hole
Tags: patch security
Applications using the Qt SSL layer fail to verify SSL encrypted connections because the system-wide installed certificate authorities are not read (this can be verified with strace). For example, mumble cannot verify that a server it connects to has a good certificate even if the root CA is locally installed (but mumble won't work if there is an intermediate certificate; this is a mumble-server bug that will be fixed in 1.2).

Here is my patch to fix the problem:

diff -Naur qt4-x11-4.4.3/src/network/ssl/qsslsocket_openssl.cpp qt4-x11-4.4.3-sslfix/src/network/ssl/qsslsocket_openssl.cpp --- qt4-x11-4.4.3/src/network/ssl/qsslsocket_openssl.cpp 2008-09-27 10:58:47.000000000 +0200 +++ qt4-x11-4.4.3-sslfix/src/network/ssl/qsslsocket_openssl.cpp 2009-05-25 15:16:39.000000000 +0200 @@ -466,7 +466,7 @@ QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates() { -#ifdef QQ_OS_UNIX +#ifdef Q_OS_UNIX // Check known locations for the system's default bundle. ### On Windows, // we should use CAPI to find the bundle, and not rely on default unix // locations. 
@@ -479,13 +479,16 @@ #endif 0}; const char **it = standardLocations; + QList<QSslCertificate> certs; QStringList nameFilter; nameFilter << QLatin1String("*.pem") << QLatin1String("*.crt"); while (*it) { - if (QDirIterator(QLatin1String(*it), nameFilter).hasNext()) - return certificatesFromPath(QLatin1String(*it)); + QDirIterator certfilesIt(QLatin1String(*it), nameFilter); + while (certfilesIt.hasNext()) + certs += QSslCertificate::fromPath(certfilesIt.next()); ++it; } + return certs; #endif // Qt provides a default bundle when we cannot detect the system's default

The problem has been reported to Qt but I don't know if it has been fixed and how... I consider it a grave problem because a user can't verify the identity of the server he connects to.

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)
Kernel: Linux 2.6.29.4 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libqt4-network depends on:
ii  libc6       2.7-18             GNU C Library: Shared libraries
ii  libgcc1     1:4.3.2-1.1        GCC support library
ii  libqtcore4  4.4.3-1            Qt 4 core module
ii  libstdc++6  4.3.2-1.1          The GNU Standard C++ Library v3
ii  zlib1g      1:1.2.3.3.dfsg-12  compression library - runtime

libqt4-network recommends no packages.
libqt4-network suggests no packages.

-- no debconf information
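Review bot: the `QQ_OS_UNIX` to `Q_OS_UNIX` correction in the first hunk is the actual root cause and deserves to be called out in the changelog entry: with the misspelt macro the whole `#ifdef` block was compiled out, so `systemCaCertificates()` never examined the standard locations and silently returned only whatever the code after `#endif` provides. A one-line note saying "the UNIX CA lookup was never compiled in" makes the severity of this one-character fix clear to anyone matching it against the upstream report.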
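Review bot: the unconditional `+ return certs;` placed just before `#endif` in the second hunk changes the fallback behaviour. In the original code, when none of the standard locations contained a `*.pem` or `*.crt` file the loop simply fell through to the code after `#endif`, where, as the surviving comment says, "Qt provides a default bundle when we cannot detect the system's default"; with this hunk an empty `certs` list is returned instead and every server certificate then fails verification on such a system. Guard the return, e.g. `+ if (!certs.isEmpty()) + return certs;`, so the bundled default still applies when nothing is found. Note also that the hunk now concatenates the certificates of every listed directory rather than stopping at the first one with matching files, which is the intended behaviour change and should be stated in the changelog.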