FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

QtNetworkAuth -- predictable seeding of PRNG in QAbstractOAuth

Affected packages
qt5-networkauth < 5.15.13_1
qt6-networkauth < 6.7.1

Details

VuXML ID f5fa174d-19de-11ef-83d8-4ccc6adda413
Discovery 2024-05-08
Entry 2024-05-24

Andy Shaw reports:

The OAuth1 implementation in QtNetworkAuth created nonces using a PRNG that was seeded with a predictable seed.

This means that an attacker that can somehow control the time of the first OAuth1 flow of the process has a high chance of predicting the nonce used in said OAuth flow.

[source]

References

CVE Name CVE-2024-36048
URL https://codereview.qt-project.org/c/qt/qtnetworkauth/+/560317
URL https://www.qt.io/blog/security-advisory-qstringconverter-0

Copyright © 2003-2005 Jacques Vidrine and contributors.
Please see the source of this document for full copyright information.

OSZAR »