QTBUG-77408

Mitigate CVE-2019-1552 vulnerability in Qt


Details

    • Type: Task
    • Resolution: Won't Do
    • Priority: P1: Critical
    • Fix Version/s: None
    • Affects Version/s: 5.12.4, 5.13.0
    • Component/s: Network: SSL
    • Labels: None
    • Platform/s: Windows
    Description

      Customers may ship their Qt application together with OpenSSL binaries that load their configuration file and extension DLLs from an insecure, potentially user-writable location (CVE-2019-1552):

      https://www.openssl.org/news/secadv/20190730.txt

      To protect Qt applications against this attack vector, Qt should employ the following mechanism: if it loads a side-loaded set of OpenSSL libraries (that is, libraries found next to the Qt DLLs), it overrides the OPENSSL_CONF environment variable to point to

      QDir(QLibraryInfo::location(QLibraryInfo::Prefix)).absoluteFilePath(QT_CONFIGURE_SETTINGS_PATH)

      This must happen before Qt's OpenSSL backend calls OPENSSL_add_all_algorithms_conf, because that call is what reads the configuration file named by OPENSSL_CONF.
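      The check-and-override sequence proposed above, as an added example that is not Qt's code and not part of the issue. It is plain C++17 so it builds without Qt: the Qt install prefix (in Qt, QLibraryInfo::location(QLibraryInfo::Prefix)) and the configure-time settings directory (the QT_CONFIGURE_SETTINGS_PATH build macro) are passed in as parameters, and the directory the OpenSSL DLL was resolved from is likewise a parameter rather than being queried from the loader. The library and directory names in main() are constructed sample values. On Windows the variable is set with _putenv_s; on other platforms with setenv, purely so the example runs everywhere.

```cpp
#include <cstdlib>
#include <filesystem>
#include <iostream>
#include <string>

namespace fs = std::filesystem;

// Normalise a directory path for comparison: collapse "." / "..", use
// forward slashes, and drop trailing separators.
static std::string normalizeDir(const fs::path& p)
{
    std::string s = p.lexically_normal().generic_string();
    while (s.size() > 1 && s.back() == '/')
        s.pop_back();
    return s;
}

// True when the OpenSSL library was resolved from the same directory as the
// Qt DLLs, i.e. it is side-loaded with the application rather than installed
// system-wide. Only in that case does the issue ask for the override.
bool isSideLoadedOpenSsl(const std::string& opensslLibraryPath,
                         const std::string& qtLibraryDir)
{
    return normalizeDir(fs::path(opensslLibraryPath).parent_path())
        == normalizeDir(qtLibraryDir);
}

// The value the issue proposes for OPENSSL_CONF: the Qt prefix joined with
// the configure-time settings path (QDir::absoluteFilePath equivalent).
std::string opensslConfPath(const std::string& qtPrefix,
                            const std::string& settingsPath)
{
    return (fs::path(qtPrefix) / settingsPath).lexically_normal().generic_string();
}

// Applies the override and returns true if it was applied. Must run before
// OPENSSL_add_all_algorithms_conf, which reads OPENSSL_CONF.
bool applyOpensslConfOverride(const std::string& opensslLibraryPath,
                              const std::string& qtLibraryDir,
                              const std::string& qtPrefix,
                              const std::string& settingsPath)
{
    if (!isSideLoadedOpenSsl(opensslLibraryPath, qtLibraryDir))
        return false;  // system OpenSSL: leave the environment alone

    const std::string conf = opensslConfPath(qtPrefix, settingsPath);
#ifdef _WIN32
    _putenv_s("OPENSSL_CONF", conf.c_str());
#else
    setenv("OPENSSL_CONF", conf.c_str(), /*overwrite=*/1);
#endif
    return true;
}

int main()
{
    // Constructed sample values; real code would take them from the loader
    // and from QLibraryInfo / QT_CONFIGURE_SETTINGS_PATH.
    const std::string sslDll = "C:/app/bin/libssl-1_1-x64.dll";
    const std::string qtDir  = "C:/app/bin";
    const std::string prefix = "C:/Qt/5.13.0/msvc2017_64";
    const std::string settingsPath = "etc/xdg";

    if (applyOpensslConfOverride(sslDll, qtDir, prefix, settingsPath))
        std::cout << "OPENSSL_CONF overridden to " << std::getenv("OPENSSL_CONF") << "\n";
    else
        std::cout << "OpenSSL not side-loaded; OPENSSL_CONF untouched\n";
    return 0;
}
```

      Two caveats for anyone implementing this for real. First, the expression in the issue yields a directory, whereas OPENSSL_CONF names a configuration file, so the exact value (directory versus a file inside it) has to be settled in the implementation. Second, the override only helps if it runs before the first OpenSSL call that loads configuration; setting it afterwards has no effect on the already-initialised library.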


      People

        Mårten Nordheim (manordheim)
        Volker Hilsheimer (vhilshei)