Product

Digia Qt 4.6.0 Rc1

View All Versions

Vulnerabilities

Improper Input Validation	CVE-2009-2700 CVE-2010-2621 CVE-2010-5076
Unspecified	CVE-2014-0190 CVE-2014-0190
Improper Restriction of Operations within the Bounds of a Memory Buffer	CVE-2011-3193
Cryptographic Issues	CVE-2012-6093
Information Exposure	CVE-2012-5624

Security Grade

433

of 1000

SECURITY GRADE

Vulnerability History

Weakness Analysis

Improper Input Validation 3/8

Unspecified 2/8

Improper Restriction of Operations within the Bounds of a Memory Buffer 1/8

Cryptographic Issues 1/8

Information Exposure 1/8

CVE-2009-2700
CVE-2010-2621
CVE-2010-5076
CVE-2014-0190
CVE-2014-0190
CVE-2011-3193
CVE-2012-6093
CVE-2012-5624

Related Vulnerabilities

Vulnerability	Severity Score	Release Date	Summary
CVE-2014-0190	4.3	May 8, 2014	The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.
CVE-2009-2700	4.3	Sept. 2, 2009	src/network/ssl/qsslcertificate.cpp in Nokia Trolltech Qt 4.x does not properly handle a '\0' character in a domain name in the Subject Alternative Name field of an X.509 certificate, which allows man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority, a related issue to CVE-2009-2408.
CVE-2010-2621	5.0	July 2, 2010	The QSslSocketBackendPrivate::transmit function in src_network_ssl_qsslsocket_openssl.cpp in Qt 4.6.3 and earlier allows remote attackers to cause a denial of service (infinite loop) via a malformed request.
CVE-2010-5076	4.3	June 29, 2012	QSslSocket in Qt before 4.7.0-rc1 recognizes a wildcard IP address in the subject's Common Name field of an X.509 certificate, which might allow man-in-the-middle attackers to spoof arbitrary SSL servers via a crafted certificate issued by a legitimate Certification Authority.
CVE-2011-3193	9.3	June 15, 2012	Heap-based buffer overflow in the Lookup_MarkMarkPos function in the HarfBuzz module (harfbuzz-gpos.c), as used by Qt before 4.7.4 and Pango, allows remote attackers to cause a denial of service (crash) and possibly execute arbitrary code via a crafted font file.
CVE-2012-5624	4.3	Feb. 24, 2013	The XMLHttpRequest object in Qt before 4.8.4 enables http redirection to the file scheme, which allows man-in-the-middle attackers to force the read of arbitrary local files and possibly obtain sensitive information via a file: URL to a QML application.
CVE-2012-6093	4.3	Feb. 24, 2013	The QSslSocket::sslErrors function in Qt before 4.6.5, 4.7.x before 4.7.6, 4.8.x before 4.8.5, when using certain versions of openSSL, uses an "incompatible structure layout" that can read memory from the wrong location, which causes Qt to report an incorrect error when certificate validation fails and might cause users to make unsafe security decisions to accept a certificate.
CVE-2014-0190	4.3	May 8, 2014	The GIF decoder in QtGui in Qt before 5.3 allows remote attackers to cause a denial of service (NULL pointer dereference) via invalid width and height values in a GIF image.

Followers