Details
- Task
- Resolution: Won't Do
- P1: Critical
- None
- 5.12.4, 5.13.0
- None
Description
Customers might ship their Qt application with OpenSSL binaries that load configuration files and extension DLLs from an insecure location:
https://www.openssl.org/news/secadv/20190730.txt
To protect Qt applications against this attack vector, we should use the following mechanism: if Qt loads a side-loaded set of OpenSSL libraries (that is, libraries found next to the Qt DLLs), we override the OPENSSL_CONF environment variable to point to
QDir(QLibraryInfo::location(QLibraryInfo::Prefix)).absoluteFilePath(QT_CONFIGURE_SETTINGS_PATH)
This must happen before Qt's OpenSSL module calls the OPENSSL_add_all_algorithms_conf API.
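The proposed mechanism, as an added illustration that is not Qt's code (the ticket was resolved Won't Do): the Qt calls named above are replaced by std::filesystem so it runs without Qt, and the library paths, prefix and settings path used are constructed sample values.

```cpp
// Added example (not Qt's code): models the override described in the ticket
// in plain C++17. QLibraryInfo::location / QDir::absoluteFilePath are replaced
// by std::filesystem; every path passed in is a constructed sample value.
#include <cstdlib>
#include <filesystem>
#include <string>

namespace fs = std::filesystem;

// True when the OpenSSL library that was actually loaded sits in the same
// directory as the Qt libraries, i.e. it was shipped next to the application
// (side-loaded) instead of coming from the system install, and may therefore
// carry a compiled-in OPENSSLDIR pointing at an insecure location.
bool isSideLoadedOpenssl(const fs::path& loadedLibssl, const fs::path& qtLibDir) {
    return loadedLibssl.parent_path().lexically_normal() == qtLibDir.lexically_normal();
}

// Equivalent of QDir(prefix).absoluteFilePath(settingsPath): a relative
// settings path is resolved under the Qt prefix, an absolute one is kept.
std::string trustedOpensslConf(const fs::path& qtPrefix, const fs::path& settingsPath) {
    fs::path conf = settingsPath.is_absolute() ? settingsPath : qtPrefix / settingsPath;
    return conf.lexically_normal().string();
}

// Overrides OPENSSL_CONF (even if the environment already carried a value)
// when OpenSSL was side-loaded, and returns what was set; returns "" when the
// system OpenSSL is in use and its configuration is left alone. Must run before
// OPENSSL_add_all_algorithms_conf() or any other call that loads the config.
std::string overrideOpensslConfIfSideLoaded(const fs::path& loadedLibssl,
                                            const fs::path& qtLibDir,
                                            const fs::path& qtPrefix,
                                            const fs::path& settingsPath) {
    if (!isSideLoadedOpenssl(loadedLibssl, qtLibDir))
        return "";
    std::string conf = trustedOpensslConf(qtPrefix, settingsPath);
#ifdef _WIN32
    _putenv_s("OPENSSL_CONF", conf.c_str());
#else
    setenv("OPENSSL_CONF", conf.c_str(), /*overwrite=*/1);
#endif
    return conf;
}
```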