[packages/qt6] upstream fix for CVE-2023-34410; rel 3

Sat Jun 10 18:52:37 CEST 2023

commit 45fd6acb4122dadd4058a0cf8e27cff35d8e929f
Author: Jan Palus <atler at pld-linux.org>
Date:   Sat Jun 10 18:42:29 2023 +0200

    upstream fix for CVE-2023-34410; rel 3
    
    as advised in:
    https://lists.qt-project.org/pipermail/announce/2023-June/000421.html
    https://lists.qt-project.org/pipermail/announce/2023-June/000422.html

 CVE-2023-34410-qtbase-6.5.diff | 52 ++++++++++++++++++++++++++++++++++++++++++
 qt6.spec                       |  6 ++++-
 2 files changed, 57 insertions(+), 1 deletion(-)
---

diff --git a/qt6.spec b/qt6.spec
index 4123d39..8b618b0 100644
--- a/qt6.spec
+++ b/qt6.spec
@@ -107,7 +107,7 @@ Summary:	Qt6 Library
 Summary(pl.UTF-8):	Biblioteka Qt6
 Name:		qt6
 Version:	6.5.1
-Release:	2
+Release:	3
 License:	LGPL v3 or GPL v2 or GPL v3 or commercial
 Group:		X11/Libraries
 Source0:	https://download.qt.io/official_releases/qt/6.5/%{version}/single/qt-everywhere-src-%{version}.tar.xz
@@ -119,6 +119,7 @@ Patch3:		no-implicit-sse2.patch
 Patch4:		x32.patch
 Patch5:		qtwebengine-cmake-build-type.patch
 Patch6:		QTBUG-113579.patch
+Patch7:		CVE-2023-34410-qtbase-6.5.diff
 URL:		https://www.qt.io/
 %{?with_directfb:BuildRequires:	DirectFB-devel}
 BuildRequires:	EGL-devel
@@ -3578,6 +3579,9 @@ narzędzia.
 cd qtwebengine
 %patch6 -p1
 cd ..
+cd qtbase
+%patch7 -p1
+cd ..
 
 %{__sed} -i -e 's,usr/X11R6/,usr/,g' qtbase/mkspecs/linux-g++-64/qmake.conf
 
diff --git a/CVE-2023-34410-qtbase-6.5.diff b/CVE-2023-34410-qtbase-6.5.diff
new file mode 100644
index 0000000..0c72c91
--- /dev/null
+++ b/CVE-2023-34410-qtbase-6.5.diff
@@ -0,0 +1,52 @@
+--- a/src/plugins/tls/schannel/qtls_schannel.cpp
++++ b/src/plugins/tls/schannel/qtls_schannel.cpp
+@@ -2106,6 +2106,27 @@ bool TlsCryptographSchannel::verifyCertContext(CERT_CONTEXT *certContext)
+         verifyDepth = DWORD(q->peerVerifyDepth());
+
+     const auto &caCertificates = q->sslConfiguration().caCertificates();
++
++    if (!rootCertOnDemandLoadingAllowed()
++            && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
++            && (q->peerVerifyMode() == QSslSocket::VerifyPeer
++                    || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
++        // When verifying a peer Windows "helpfully" builds a chain that
++        // may include roots from the system store. But we don't want that if
++        // the user has set their own CA certificates.
++        // Since Windows claims this is not a partial chain the root is included
++        // and we have to check that it is one of our configured CAs.
++        CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
++        QSslCertificate certificate = getCertificateFromChainElement(element);
++        if (!caCertificates.contains(certificate)) {
++            auto error = QSslError(QSslError::CertificateUntrusted, certificate);
++            sslErrors += error;
++            emit q->peerVerifyError(error);
++            if (q->state() != QAbstractSocket::ConnectedState)
++                return false;
++        }
++    }
++
+     QList<QSslCertificate> peerCertificateChain;
+     for (DWORD i = 0; i < verifyDepth; i++) {
+         CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -1973,6 +1973,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+     , flushTriggered(false)
+ {
+     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++    // If the global configuration doesn't allow root certificates to be loaded
++    // on demand then we have to disable it for this socket as well.
++    if (!configuration.allowRootCertOnDemandLoading)
++        allowRootCertOnDemandLoading = false;
+
+     const auto *tlsBackend = tlsBackendInUse();
+     if (!tlsBackend) {
+@@ -2281,6 +2285,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+     ptr->sessionProtocol = global->sessionProtocol;
+     ptr->ciphers = global->ciphers;
+     ptr->caCertificates = global->caCertificates;
++    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+     ptr->protocol = global->protocol;
+     ptr->peerVerifyMode = global->peerVerifyMode;
+     ptr->peerVerifyDepth = global->peerVerifyDepth;
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/qt6.git/commitdiff/45fd6acb4122dadd4058a0cf8e27cff35d8e929f

