Vulnerability Details : CVE-2012-6093
The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, and 4.8.x before 4.8.5, when built against certain versions of OpenSSL, uses an "incompatible structure layout" that can read memory from the wrong location. This causes Qt to report an incorrect error when certificate validation fails and might lead users to make unsafe security decisions, such as accepting a certificate that should have been rejected.
Products affected by CVE-2012-6093
- cpe:2.3:o:canonical:ubuntu_linux:12.04:-:lts:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:12.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:11.10:*:*:*:*:*:*:*
- cpe:2.3:o:canonical:ubuntu_linux:10.04:-:lts:*:*:*:*:*
- cpe:2.3:a:qt:qt:*:rc:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.6.4:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.6.3:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.6.2:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.6.1:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.6.0:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.6.0:rc1:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.7.1:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.7.0:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.7.6:rc:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.7.5:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.7.4:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.7.3:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.7.2:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.8.3:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.8.2:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.8.1:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.8.0:*:*:*:*:*:*:*
- cpe:2.3:a:qt:qt:4.8.4:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:11.4:*:*:*:*:*:*:*
- cpe:2.3:o:opensuse:opensuse:12.2:*:*:*:*:*:*:*
Exploit prediction scoring system (EPSS) score for CVE-2012-6093
1.10%
Probability of exploitation activity in the next 30 days
EPSS Score History
~76%
Percentile: the proportion of vulnerabilities that are scored at or below this score
CVSS scores for CVE-2012-6093
Base Score | Base Severity | CVSS Vector | Exploitability Score | Impact Score | Score Source | First Seen |
---|---|---|---|---|---|---|
4.3 | MEDIUM | AV:N/AC:M/Au:N/C:P/I:N/A:N | 8.6 | 2.9 | NIST | |
CWE ids for CVE-2012-6093
- Assigned by: nvd@nist.gov (Primary)
References for CVE-2012-6093
- https://bugzilla.redhat.com/show_bug.cgi?id=891955 (891955 – (CVE-2012-6093) CVE-2012-6093 qt: QSslSocket might report inappropriate errors when certificate verification fails)
- http://qt.gitorious.org/qt/qt/commit/3b14dc93cf0ef06f1424d7d6319a1af4505faa53%20%284.7%29
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00086.html (openSUSE-SU-2013:0204-1: moderate: update for libqt4)
- http://lists.opensuse.org/opensuse-updates/2013-02/msg00014.html (openSUSE-SU-2013:0256-1: moderate: libqt4: various SSL / certificate rel)
- http://qt.gitorious.org/qt/qt/commit/691e78e5061d4cbc0de212d23b06c5dffddf2098%20%284.8%29
- http://www.openwall.com/lists/oss-security/2013/01/04/6 (oss-security - Re: CVE Request -- qt: QSslSocket might report inappropriate errors when certificate verification fails)
- http://bugs.debian.org/cgi-bin/bugreport.cgi?bug=697582 (#697582 - qt4-x11: CVE-2012-6093 - Debian Bug report logs)
- http://www.ubuntu.com/usn/USN-1723-1 (USN-1723-1: Qt vulnerabilities | Ubuntu security notices)
- https://codereview.qt-project.org/#change%2C42461
- http://lists.qt-project.org/pipermail/announce/2013-January/000020.html ([Announce] Qt Project Security Advisory: QSslSocket may report incorrect errors when certificate verification fails) [Vendor Advisory]
- http://lists.opensuse.org/opensuse-updates/2013-01/msg00089.html (openSUSE-SU-2013:0211-1: moderate: update for libqt4)