Date: Tue, 4 Dec 2012 09:58:26 -0500 (EST)
From: Jan Lieskovsky <>
Cc: "Steven M. Christey" <>,
        "Richard J. Moore" <>
Subject: CVE Request -- Qt (x < 4.8.4): QML XmlHttpRequest insecure

Hello Kurt, Steve, vendors,

  Qt upstream has released 4.8.4 version correcting one security

An information disclosure flaw was found in the way the XMLHttpRequest
object implementation in Qt, a software toolkit for developing
applications, performed management of certain HTTP responses.
The previous implementation allowed redirection from the HTTP protocol
to file schemas. Also, the redirection handling was performed
automatically by the QML application and could not be disabled.
A remote attacker could use this flaw to cause a QML application
to read local file content in an unauthorized way by causing
the HTTP response for the application to be a redirect to
a file: URL (file scheme).


Relevant upstream patch:

Could you allocate a CVE id for this?

Thank you && Regards, Jan.
Jan iankko Lieskovsky / Red Hat Security Response Team
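
A redirect-target check of the kind the flaw above calls for, as an added example that is not part of the original message and is not the Qt upstream patch. It uses plain standard C++ rather than Qt classes; the function names, the follow_enabled switch and the sample URLs are assumptions made for illustration.

```cpp
#include <cctype>
#include <cstddef>
#include <iostream>
#include <string>

// Hypothetical helpers for illustration; not Qt API and not the upstream fix.

// Lowercased scheme of an absolute URL, following the RFC 3986 grammar
// ALPHA *(ALPHA / DIGIT / "+" / "-" / ".") ":". Returns "" for a relative
// reference, which has no scheme of its own.
static std::string url_scheme(const std::string &url) {
    std::string scheme;
    for (std::size_t i = 0; i < url.size(); ++i) {
        unsigned char c = static_cast<unsigned char>(url[i]);
        if (c == ':')
            return scheme;
        bool ok = std::isalpha(c) ||
                  (i > 0 && (std::isdigit(c) || c == '+' || c == '-' || c == '.'));
        if (!ok)
            return "";
        scheme += static_cast<char>(std::tolower(c));
    }
    return "";  // no ':' seen, so this is a relative reference
}

static bool is_web_scheme(const std::string &s) {
    return s == "http" || s == "https";
}

// Decide whether the Location value of an HTTP redirect may be followed.
// follow_enabled models an application-level switch to disable redirects.
bool redirect_allowed(const std::string &request_url, const std::string &location,
                      bool follow_enabled = true) {
    if (!follow_enabled || location.empty())
        return false;
    for (unsigned char c : location)
        if (c <= 0x20 || c == 0x7f)
            return false;  // fail closed: URL parsers differ on whitespace/control bytes
    const std::string from = url_scheme(request_url);
    if (!is_web_scheme(from))
        return false;      // only network requests get redirected
    std::string to = url_scheme(location);
    if (to.empty())
        to = from;         // relative reference stays on the request's scheme
    return is_web_scheme(to);  // file:, qrc:, data: and other schemes are refused
}

int main() {
    // Constructed sample values, not taken from any real application.
    std::cout << redirect_allowed("http://example.test/feed", "file:///etc/passwd") << "\n";
    std::cout << redirect_allowed("http://example.test/feed", "/feed2") << "\n";
}
```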
