src/murmur/Server.cpp: implement workaround for critical QSslSocket issue #4032

davidebeatrici
Member

Fixes #3679.


A severe bug was introduced in qt/qtbase@93a803a: q_SSL_shutdown() causes Qt to emit error() from unrelated QSslSocket(s), in addition to the correct one.

The issue causes Server::connectionClosed() to disconnect random authenticated clients.

The workaround consists in ignoring a specific OpenSSL error:

Error while reading: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init [20]

Definitely not ideal, but it fixes a critical vulnerability. Details on how to trigger it are deliberately omitted.
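
For operators triaging server logs, the error quoted above can be recognised by decoding its packed code instead of matching the whole string. This is an added example, not code from this pull request or from Mumble; it assumes the OpenSSL 1.1.x error layout (8-bit library, 12-bit function, 12-bit reason), and the names `OsslError`, `parseOsslError` and `isShutdownWhileInInit` are hypothetical.

```cpp
// Added example, not Mumble's code: decode the packed OpenSSL 1.1.x error
// code in a log line and flag only the signature quoted in the PR.
#include <cstdlib>
#include <iostream>
#include <string>

struct OsslError {
    unsigned lib;     // bits 24-31: library (20 = SSL routines)
    unsigned func;    // bits 12-23: function (224 = SSL_shutdown in 1.1.x)
    unsigned reason;  // bits 0-11: reason (407 = shutdown while in init)
};

// Finds "error:XXXXXXXX:" and unpacks it. Returns false when the marker is
// missing or the code is not exactly eight hex digits followed by ':'.
bool parseOsslError(const std::string &line, OsslError &out) {
    const std::string marker = "error:";
    const std::string::size_type pos = line.find(marker);
    if (pos == std::string::npos) return false;
    const std::string::size_type start = pos + marker.size();
    if (line.size() < start + 9 || line[start + 8] != ':') return false;
    const std::string hex = line.substr(start, 8);
    if (hex.find_first_not_of("0123456789abcdefABCDEF") != std::string::npos)
        return false;
    const unsigned code = static_cast<unsigned>(std::strtoul(hex.c_str(), nullptr, 16));
    out.lib = (code >> 24) & 0xFF;
    out.func = (code >> 12) & 0xFFF;
    out.reason = code & 0xFFF;
    return true;
}

// Matches on the decoded fields, so every other TLS error is still handled.
bool isShutdownWhileInInit(const std::string &line) {
    OsslError e;
    return parseOsslError(line, e) && e.lib == 20 && e.func == 224 && e.reason == 407;
}

int main() {
    // Constructed sample log lines; the first reuses the message from the PR.
    const char *samples[] = {
        "Error while reading: error:140E0197:SSL routines:SSL_shutdown:shutdown while in init [20]",
        "Error while reading: error:1408F119:SSL routines:ssl3_get_record:bad record mac [20]",
        "The remote host closed the connection [1]",
    };
    for (const char *s : samples)
        std::cout << (isShutdownWhileInInit(s) ? "ignore: " : "handle: ") << s << "\n";
    return 0;
}
```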

@davidebeatrici davidebeatrici merged commit 8cdcc28 into mumble-voip:master Apr 4, 2020
@bendem
Contributor

bendem commented Apr 4, 2020

Are there plans for an emergency release with this fix?

@Krzmbrzl
Member

Krzmbrzl commented Apr 4, 2020

Not really an emergency release, but 1.3.1 is coming up soon anyways. And this fix will be included ;)

@Speedy37

I guess this commit fixes it: qt/qtbase@8907635

@davidebeatrici
Member Author

Yes, indeed.

@davidebeatrici davidebeatrici deleted the murmur-qsslsocket-140e0197-workaround branch September 22, 2022 05:34
Successfully merging this pull request may close these issues.

OpenSSL error 140E0197 with Qt >= 5.12.2