[packages/qt5-qtbase] upstream fix for CVE-2023-34410; rel 2
atler
atler at pld-linux.org
Sat Jun 10 11:18:40 CEST 2023
commit 765e6d29168a684348043e763f6e1a7bfa77ece9
Author: Jan Palus <atler at pld-linux.org>
Date: Sat Jun 10 11:16:54 2023 +0200
upstream fix for CVE-2023-34410; rel 2
as advised in:
https://lists.qt-project.org/pipermail/announce/2023-June/000421.html
https://lists.qt-project.org/pipermail/announce/2023-June/000422.html
CVE-2023-34410-qtbase-5.15.diff | 54 +++++++++++++++++++++++++++++++++++++++++
qt5-qtbase.spec | 4 ++-
2 files changed, 57 insertions(+), 1 deletion(-)
---
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index 515e8dd..f9407b5 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -71,7 +71,7 @@ Summary: Qt5 - base components
Summary(pl.UTF-8): Biblioteka Qt5 - podstawowe komponenty
Name: qt5-%{orgname}
Version: 5.15.10
-Release: 1
+Release: 2
License: LGPL v3 or GPL v2 or GPL v3 or commercial
Group: X11/Libraries
Source0: https://download.qt.io/official_releases/qt/5.15/%{version}/submodules/%{orgname}-everywhere-opensource-src-%{version}.tar.xz
@@ -84,6 +84,7 @@ Patch2: egl-x11.patch
Patch3: CVE-2023-32763-qtbase-5.15.diff
Patch4: CVE-2023-32762-qtbase-5.15.diff
Patch5: CVE-2023-33285-qtbase-5.15.diff
+Patch6: CVE-2023-34410-qtbase-5.15.diff
URL: https://www.qt.io/
%{?with_directfb:BuildRequires: DirectFB-devel}
BuildRequires: EGL-devel
@@ -1182,6 +1183,7 @@ Generator plików makefile dla aplikacji Qt5.
%patch3 -p1
%patch4 -p1
%patch5 -p1
+%patch6 -p1
%{__sed} -i -e 's,usr/X11R6/,usr/,g' mkspecs/linux-g++-64/qmake.conf
diff --git a/CVE-2023-34410-qtbase-5.15.diff b/CVE-2023-34410-qtbase-5.15.diff
new file mode 100644
index 0000000..82c1a23
--- /dev/null
+++ b/CVE-2023-34410-qtbase-5.15.diff
@@ -0,0 +1,54 @@
+--- a/src/network/ssl/qsslsocket_schannel.cpp
++++ b/src/network/ssl/qsslsocket_schannel.cpp
+@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
+ if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
+ verifyDepth = DWORD(configuration.peerVerifyDepth);
+
++ const auto &caCertificates = q->sslConfiguration().caCertificates();
++
++ if (!rootCertOnDemandLoadingAllowed()
++ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
++ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
++ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
++ // When verifying a peer Windows "helpfully" builds a chain that
++ // may include roots from the system store. But we don't want that if
++ // the user has set their own CA certificates.
++ // Since Windows claims this is not a partial chain the root is included
++ // and we have to check that it is one of our configured CAs.
++ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
++ QSslCertificate certificate = getCertificateFromChainElement(element);
++ if (!caCertificates.contains(certificate)) {
++ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
++ sslErrors += error;
++ emit q->peerVerifyError(error);
++ if (q->state() != QAbstractSocket::ConnectedState)
++ return false;
++ }
++ }
++
+ for (DWORD i = 0; i < verifyDepth; i++) {
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+ QSslCertificate certificate = getCertificateFromChainElement(element);
+
+
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+ , flushTriggered(false)
+ {
+ QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++ // If the global configuration doesn't allow root certificates to be loaded
++ // on demand then we have to disable it for this socket as well.
++ if (!configuration.allowRootCertOnDemandLoading)
++ allowRootCertOnDemandLoading = false;
+ }
+
+ /*!
+@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+ ptr->sessionProtocol = global->sessionProtocol;
+ ptr->ciphers = global->ciphers;
+ ptr->caCertificates = global->caCertificates;
++ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+ ptr->protocol = global->protocol;
+ ptr->peerVerifyMode = global->peerVerifyMode;
+ ptr->peerVerifyDepth = global->peerVerifyDepth;
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/qt5-qtbase.git/commitdiff/765e6d29168a684348043e763f6e1a7bfa77ece9
More information about the pld-cvs-commit
mailing list