[packages/qt5-qtbase] upstream fix for CVE-2023-32762; rel 3
atler
atler at pld-linux.org
Tue May 23 17:35:56 CEST 2023
commit bf22aa0a101e9b6fe1af405845cc15d0aa48b006
Author: Jan Palus <atler at pld-linux.org>
Date: Tue May 23 17:34:12 2023 +0200
upstream fix for CVE-2023-32762; rel 3
as advised in:
https://lists.qt-project.org/pipermail/announce/2023-May/000414.html
CVE-2023-32762-qtbase-5.15.diff | 13 +++++++++++++
qt5-qtbase.spec | 4 +++-
2 files changed, 16 insertions(+), 1 deletion(-)
---
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index c35d728..be7b7df 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -71,7 +71,7 @@ Summary: Qt5 - base components
Summary(pl.UTF-8): Biblioteka Qt5 - podstawowe komponenty
Name: qt5-%{orgname}
Version: 5.15.9
-Release: 2
+Release: 3
License: LGPL v3 or GPL v2 or GPL v3 or commercial
Group: X11/Libraries
Source0: https://download.qt.io/official_releases/qt/5.15/%{version}/submodules/%{orgname}-everywhere-opensource-src-%{version}.tar.xz
@@ -82,6 +82,7 @@ Patch0: %{name}-system_cacerts.patch
Patch1: parallel-install.patch
Patch2: egl-x11.patch
Patch3: CVE-2023-32763-qtbase-5.15.diff
+Patch4: CVE-2023-32762-qtbase-5.15.diff
URL: https://www.qt.io/
%{?with_directfb:BuildRequires: DirectFB-devel}
BuildRequires: EGL-devel
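Review bot: Patch4 is added without any record of where the diff came from; the only pointer to the advisory is the commit message. Put a comment above `Patch4:` carrying the URL https://lists.qt-project.org/pipermail/announce/2023-May/000414.html (and the CVE id) so the next rebase to a newer 5.15.x can check whether the fix is already included and drop the patch.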
@@ -1178,6 +1179,7 @@ Generator plików makefile dla aplikacji Qt5.
%patch1 -p1
%patch2 -p1
%patch3 -p1
+%patch4 -p1
%{__sed} -i -e 's,usr/X11R6/,usr/,g' mkspecs/linux-g++-64/qmake.conf
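Review bot: `%patch4 -p1` is the correct strip level for the new file, whose paths are `a/src/network/access/qhsts.cpp` and `b/src/network/access/qhsts.cpp`; ordering it directly after `%patch3` keeps the two CVE patches together, so nothing to change here beyond confirming a clean apply on 5.15.9 at build time.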
diff --git a/CVE-2023-32762-qtbase-5.15.diff b/CVE-2023-32762-qtbase-5.15.diff
new file mode 100644
index 0000000..f0bc00f
--- /dev/null
+++ b/CVE-2023-32762-qtbase-5.15.diff
@@ -0,0 +1,13 @@
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -364,8 +364,8 @@ quoted-pair = "\" CHAR
+ bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
+ {
+ for (const auto &h : headers) {
+- // We use '==' since header name was already 'trimmed' for us:
+- if (h.first == "Strict-Transport-Security") {
++ // We compare directly because header name was already 'trimmed' for us:
++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
+ header = h.second;
+ // RFC6797, 8.1:
+ //
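Review bot: The change on the `if (h.first == "Strict-Transport-Security")` line is the right fix: HTTP field names are case-insensitive (RFC 9110 section 5.1) and HTTP/2 sends them in lowercase, so with the old exact `==` match a `strict-transport-security` header fell through the `if` and the HSTS policy was never stored; `QByteArray::compare(const char *, Qt::CaseSensitivity)` exists since Qt 5.12, so the new line compiles on 5.15.9. Two things to tidy: the patch file is only the bare hunk with no provenance header (no upstream commit id or Gerrit change reference), so add the upstream reference at the top of the file; and the patch carries no test change, so check whether the upstream fix also updated the qhsts autotest and, if so, whether leaving it out here was intentional.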
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/qt5-qtbase.git/commitdiff/bf22aa0a101e9b6fe1af405845cc15d0aa48b006