Follow @Openwall on Twitter for new release announcements and other news
[<prev] [next>] [<thread-prev] [thread-next>] [day] [month] [year] [list]
Date: Tue, 02 Oct 2012 22:30:30 -0600
From: Kurt Seifried <kseifried@...hat.com>
To: coley@...us.mitre.org, oss-security@...ts.openwall.com,
        security@...ntu.com
Subject: Re: CVE Request: QT CRIME vulnerability

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

On 10/02/2012 08:37 PM, Seth Arnold wrote:
> Hello Steve, all,
> 
> Qt has prepared a fix to the "CRIME" SSL/TLS attack by disabling 
> compression but I cannot find a CVE.
> 
> Some details can be found here 
> http://permalink.gmane.org/gmane.comp.lib.qt.devel/6729 :
>> ... The git changes are as follows: 5.0:
>> 5ea896fbc63593f424a7dfbb11387599c0025c74 4.8:
>> d41dc3e101a694dec98d7bbb582d428d209e5401 4.7:
>> 3488f1db96dbf70bb0486d3013d86252ebf433e0
>> 
>> For older 4.x releases, the 4.7 patch is expected to work. ...
> 
> Some web links to the commits in question:
> 
> http://qt.gitorious.org/qt/qt/commit/3488f1db96dbf70bb0486d3013d86252ebf433e0
>
> 
http://qt.gitorious.org/qt/qt/commit/d41dc3e101a694dec98d7bbb582d428d209e5401
> http://qt.gitorious.org/qt/qtbase/commit/5ea896fbc63593f424a7dfbb11387599c0025c74
>
> 
> 
> Please allocate a CVE for these fixes.
> 
> Thank you
> 

I assumed this was being handled like CVE-2009-3555 (aka "el diablo"),
in other words everything gets shoved under:

CVE-2012-4930 	The SPDY protocol 3 and earlier, as used in Mozilla
Firefox, Google Chrome, and other products, can perform TLS encryption
of compressed data without properly obfuscating the length of the
unencrypted data, which allows man-in-the-middle attackers to obtain
plaintext HTTP headers by observing length differences during a series
of guesses in which a string in an HTTP request potentially matches an
unknown string in an HTTP header, aka a "CRIME" attack.

or

CVE-2012-4929 	The TLS protocol 1.2 and earlier, as used in Mozilla
Firefox, Google Chrome, and other products, can encrypt compressed
data without properly obfuscating the length of the unencrypted data,
which allows man-in-the-middle attackers to obtain plaintext HTTP
headers by observing length differences during a series of guesses in
which a string in an HTTP request potentially matches an unknown
string in an HTTP header, aka a "CRIME" attack.

Steve, can you comment?

- -- 
Kurt Seifried Red Hat Security Response Team (SRT)
PGP: 0x5E267993 A90B F995 7350 148F 66BF 7554 160D 4553 5E26 7993

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.12 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://www.enigmail.net/

iQIcBAEBAgAGBQJQa79mAAoJEBYNRVNeJnmTFGEP/3RSEmz1gAA2sWB5CUYmdSmO
/wTwNz1mShlPvfJNQrRvj57yIHlkJmE546freIdIfWSIfH6Hs55xKeyXIZKRybeU
BlZQhYLkZFtdVkcK9oBBdAkZ+229Pclwd8TY/zkGT7XfCt7BCpcmA65OlM2EoNyN
iOWDSBE09AJUEC10cGBr79A8jjiV7BS2TRJZYxqT7/VhsKu89Co2OW2avI5KQIMA
2nH0ImEonuH34djvREw4mViv4XofyNM4ZXPVfvw+PnBTDJQE3b1CnU2CXwQiklLt
rndJskP+cHz6Kgw+goDZlmX8m7tQs2c6eiKS2qa+NdC4WFcwKxuLEVw4i/pZTe4T
g3Y5e+KJV1t4Ee6jLG9CFT1SLytw+a+SRtTsia9lNHgV377JtQeZuNrjiF7Lh+8d
FVNp0RezEU1aZyQl6DGjvhmOfN3S9uhuEkT4GnxEMaDSOzSxA4CCjY08IOS+9Jha
wVyVx9+upE+c/kkUdoVE5UdX9uV+8/CjMkbKg9BF+OwigAK1S6oL4vEQk/QPHVGh
87g3+0ud3eIAp5NCZo8xwOXsAUOwLtg8Y7VxN/hbQ6t1VWOx0XfmA0xDqQnXk3v0
JUMAQyTfqajEtluGeyf5IF4VOQvXECTeEI7XnkvUDTZopAkSzklc1eH9BpRv3kEg
3kezxmd/U5w3OzZd1OGl
=t+3H
-----END PGP SIGNATURE-----

Powered by blists - more mailing lists

Please check out the Open Source Software Security Wiki, which is counterpart to this mailing list.

Confused about mailing lists and their use? Read about mailing lists on Wikipedia and check out these guidelines on proper formatting of your messages.