
Bug#530532: libqt4-network: Locally installed root CAs not read



Package: libqt4-network
Version: 4.4.3-1
Severity: grave
Justification: user security hole
Tags: patch security

Applications using the Qt SSL layer fail to verify SSL-encrypted connections
because the system-wide installed certificate authorities are not read (this
can be verified with strace).

For example, mumble cannot verify that a server it connects to has a
good certificate even if the root CA is locally installed (but mumble
won't work if there is an intermediate certificate, although this is a
mumble-server bug that will be fixed in 1.2).

Here is my patch to fix the problem:

diff -Naur qt4-x11-4.4.3/src/network/ssl/qsslsocket_openssl.cpp
qt4-x11-4.4.3-sslfix/src/network/ssl/qsslsocket_openssl.cpp
--- qt4-x11-4.4.3/src/network/ssl/qsslsocket_openssl.cpp       
2008-09-27 10:58:47.000000000 +0200
+++ qt4-x11-4.4.3-sslfix/src/network/ssl/qsslsocket_openssl.cpp
2009-05-25 15:16:39.000000000 +0200
@@ -466,7 +466,7 @@
 
 QList<QSslCertificate> QSslSocketPrivate::systemCaCertificates()
 {
-#ifdef QQ_OS_UNIX
+#ifdef Q_OS_UNIX
     // Check known locations for the system's default bundle.  ### On
Windows,
     // we should use CAPI to find the bundle, and not rely on default unix
     // locations.
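Review bot: the one-character change from `#ifdef QQ_OS_UNIX` to `#ifdef Q_OS_UNIX` is the actual root cause of the reported bug and deserves to be called out explicitly in the changelog: with the misspelled macro the entire Unix branch of `systemCaCertificates()` is compiled out, so the standard certificate directories are never consulted and only the fallback bundle is ever loaded, which is exactly why locally installed root CAs were ignored. Consider splitting this fix into its own patch, separate from the behavioural change in the next hunk, so it can be backported on its own.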
@@ -479,13 +479,16 @@
 #endif
                                        0};
     const char **it = standardLocations;
+    QList<QSslCertificate> certs;
     QStringList nameFilter;
     nameFilter << QLatin1String("*.pem") << QLatin1String("*.crt");
     while (*it) {
-        if (QDirIterator(QLatin1String(*it), nameFilter).hasNext())
-            return certificatesFromPath(QLatin1String(*it));
+       QDirIterator certfilesIt(QLatin1String(*it), nameFilter);
+        while (certfilesIt.hasNext())
+            certs += QSslCertificate::fromPath(certfilesIt.next());
         ++it;
     }
+    return certs;
 #endif
 
     // Qt provides a default bundle when we cannot detect the system's
default
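Review bot: the unconditional `+    return certs;` placed before `#endif` drops the fallback that the surrounding context documents ("Qt provides a default bundle when we cannot detect the system's default"): in the old code a Unix system whose standard locations contain no `*.pem`/`*.crt` files fell through to Qt's built-in bundle, whereas with this hunk it now returns an empty list and every verification fails. Suggest guarding the return, e.g. `if (!certs.isEmpty()) return certs;`, so the fallback is still reached. Two smaller points: the `+       QDirIterator certfilesIt(...)` line is indented with 7 spaces while the rest of the block uses 8, and since the old code returned after the first directory that had any match while the new loop accumulates certificates from every listed location, that change in semantics should be mentioned in the description.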


The problem has been reported to Qt but I don't know if it has been
fixed and how... I consider it a grave problem because a user can't
verify the identity of a server he connects to.

-- System Information:
Debian Release: 5.0.1
  APT prefers stable
  APT policy: (990, 'stable')
Architecture: i386 (i686)

Kernel: Linux 2.6.29.4 (SMP w/2 CPU cores)
Locale: LANG=fr_FR.UTF-8, LC_CTYPE=fr_FR.UTF-8 (charmap=UTF-8)
Shell: /bin/sh linked to /bin/bash

Versions of packages libqt4-network depends on:
ii  libc6                  2.7-18            GNU C Library: Shared libraries
ii  libgcc1                1:4.3.2-1.1       GCC support library
ii  libqtcore4             4.4.3-1           Qt 4 core module
ii  libstdc++6             4.3.2-1.1         The GNU Standard C++ Library v3
ii  zlib1g                 1:1.2.3.3.dfsg-12 compression library - runtime

libqt4-network recommends no packages.

libqt4-network suggests no packages.

-- no debconf information
