The Vigil@nce team watches public vulnerabilities impacting your computers, and then offers security solutions, a database and tools to fix them.

Computer vulnerabilities of Psi

computer vulnerability alert 11046

Psi IM: certificate spoofing via QLabel

Synthesis of the vulnerability

An attacker can use an X.509 certificate with a malicious Common Name, in order to deceive the victim who uses Psi.
Impacted products: Fedora, Psi.
Severity: 1/4.
Consequences: disguisement.
Provenance: document.
Creation date: 10/10/2011.
Identifiers: BID-50927, FEDORA-2011-16476, FEDORA-2011-16488, NDSA20111003, VIGILANCE-VUL-11046.

Description of the vulnerability

The Qt graphic library uses QLabel objects, in order to display a text area.

The text format is defined in the enum Qt::TextFormat :
 - Qt::PlainText : raw text
 - Qt::RichText : complex text (table, frame, list, etc.)
 - Qt::AutoText : autodetection of PlainText or RichText
By default, QLabel uses the Qt::AutoText format, so it analyzes the content to detect how to display it.

The Psi software uses a QLabel to display the Common Name of an X.509 certificate. However, the AutoText default format is used (instead of PlainText). If the Common Name contains a table as RichText, its second line is then displayed above the field.

An attacker can therefore use an X.509 certificate with a malicious Common Name, in order to deceive the victim who uses Psi.

This vulnerability has the same origin than VIGILANCE-VUL-11028.
Full Vigil@nce bulletin... (Free trial)
Our database contains other pages. You can request a free trial to read them.

Display information about Psi: