From: "Andreas Sturmlechner" <asturm@gentoo.org>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/gentoo:master commit in: dev-qt/qtnetwork/files/, dev-qt/qtnetwork/
Date: Tue, 23 May 2023 21:19:47 +0000 (UTC) [thread overview]
Message-ID: <1684876763.ba6c4d6df5c342444c0ae7c9f640a91a2c8caced.asturm@gentoo> (raw)
commit: ba6c4d6df5c342444c0ae7c9f640a91a2c8caced
Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
AuthorDate: Tue May 23 21:17:08 2023 +0000
Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org>
CommitDate: Tue May 23 21:19:23 2023 +0000
URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba6c4d6d
dev-qt/qtnetwork: Fix CVE-2023-32762
See also: https://www.qt.io/blog/security-advisory-qt-network
Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org>
.../files/qtnetwork-5.15.9-CVE-2023-32762.patch | 39 +++++++++++
dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild | 79 ++++++++++++++++++++++
2 files changed, 118 insertions(+)
diff --git a/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-32762.patch b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-32762.patch
new file mode 100644
index 000000000000..7509414bd317
--- /dev/null
+++ b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-32762.patch
@@ -0,0 +1,39 @@
+From a196623892558623e467f20b67edb78794252a09 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
+Date: Fri, 5 May 2023 11:07:26 +0200
+Subject: [PATCH] Hsts: match header names case insensitively (CVE-2023-32762)
+
+Header field names are always considered to be case-insensitive.
+
+Pick-to: 6.5 6.5.1 6.2 5.15
+Fixes: QTBUG-113392
+Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43
+Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
+Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
+Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
+(cherry picked from commit 1b736a815be0222f4b24289cf17575fc15707305)
+
+* asturmlechner 2023-05-23: Upstream backport to 5.15 taken from
+ https://www.qt.io/blog/security-advisory-qt-network
+---
+ src/network/access/qhsts.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp
+index 0cef0ad3dc..be7ef7ff58 100644
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -364,8 +364,8 @@ quoted-pair = "\" CHAR
+ bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
+ {
+ for (const auto &h : headers) {
+- // We use '==' since header name was already 'trimmed' for us:
+- if (h.first == "Strict-Transport-Security") {
++ // We compare directly because header name was already 'trimmed' for us:
++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
+ header = h.second;
+ // RFC6797, 8.1:
+ //
+--
+2.40.1
+
diff --git a/dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild b/dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild
new file mode 100644
index 000000000000..e3f87517c129
--- /dev/null
+++ b/dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild
@@ -0,0 +1,79 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+if [[ ${PV} != *9999* ]]; then
+ QT5_KDEPATCHSET_REV=1
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+fi
+
+QT5_MODULE="qtbase"
+inherit qt5-build
+
+DESCRIPTION="Network abstraction library for the Qt5 framework"
+
+IUSE="connman gssapi libproxy networkmanager sctp +ssl"
+
+DEPEND="
+ =dev-qt/qtcore-${QT5_PV}*:5=
+ sys-libs/zlib:=
+ connman? ( =dev-qt/qtdbus-${QT5_PV}* )
+ gssapi? ( virtual/krb5 )
+ libproxy? ( net-libs/libproxy )
+ networkmanager? ( =dev-qt/qtdbus-${QT5_PV}* )
+ sctp? ( kernel_linux? ( net-misc/lksctp-tools ) )
+ ssl? ( >=dev-libs/openssl-1.1.1:0= )
+"
+RDEPEND="${DEPEND}
+ connman? ( net-misc/connman )
+ networkmanager? ( net-misc/networkmanager )
+"
+
+PATCHES=(
+ "${FILESDIR}/${P}-QDnsLookup-dont-overflow-the-buffer.patch"
+ "${FILESDIR}/${P}-CVE-2023-32762.patch"
+)
+
+QT5_TARGET_SUBDIRS=(
+ src/network
+ src/plugins/bearer/generic
+)
+
+QT5_GENTOO_CONFIG=(
+ libproxy:libproxy:
+ ssl::SSL
+ ssl::OPENSSL
+ ssl:openssl-linked:LINKED_OPENSSL
+)
+
+QT5_GENTOO_PRIVATE_CONFIG=(
+ :network
+)
+
+pkg_setup() {
+ use connman && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/connman)
+ use networkmanager && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/networkmanager)
+}
+
+src_configure() {
+ local myconf=(
+ $(usev connman -dbus-linked)
+ $(qt_use gssapi feature-gssapi)
+ $(qt_use libproxy)
+ $(usev networkmanager -dbus-linked)
+ $(qt_use sctp)
+ $(usev ssl -openssl-linked)
+ )
+ qt5-build_src_configure
+}
+
+src_install() {
+ qt5-build_src_install
+
+ # workaround for bug 652650
+ if use ssl; then
+ sed -e "/^#define QT_LINKED_OPENSSL/s/$/ true/" \
+ -i "${D}${QT5_HEADERDIR}"/Gentoo/${PN}-qconfig.h || die
+ fi
+}
next reply other threads:[~2023-05-23 21:19 UTC|newest]
Thread overview: 6+ messages / expand[flat|nested] mbox.gz Atom feed top
2023-05-23 21:19 Andreas Sturmlechner [this message]
-- strict thread matches above, loose matches on Subject: below --
2024-07-16 21:41 [gentoo-commits] repo/gentoo:master commit in: dev-qt/qtnetwork/files/, dev-qt/qtnetwork/ Andreas Sturmlechner
2023-08-16 16:31 Andreas Sturmlechner
2023-06-10 9:34 Andreas Sturmlechner
2021-05-01 18:07 Sam James
2021-01-02 1:23 Andreas Sturmlechner
Reply instructions:
You may reply publicly to this message via plain-text email
using any one of the following methods:
* Save the following mbox file, import it into your mail client,
and reply-to-all from there: mbox
Avoid top-posting and favor interleaved quoting:
https://en.wikipedia.org/wiki/Posting_style#Interleaved_style
* Reply using the --to, --cc, and --in-reply-to
switches of git-send-email(1):
git send-email \
--in-reply-to=1684876763.ba6c4d6df5c342444c0ae7c9f640a91a2c8caced.asturm@gentoo \
--to=asturm@gentoo.org \
--cc=gentoo-commits@lists.gentoo.org \
--cc=gentoo-dev@lists.gentoo.org \
/path/to/YOUR_REPLY
https://kernel.org/pub/software/scm/git/docs/git-send-email.html
* If your mail client supports setting the In-Reply-To header
via mailto: links, try the mailto: link
Be sure your reply has a Subject: header at the top and a blank line
before the message body.
This is a public inbox, see mirroring instructions
for how to clone and mirror all data and code used for this inbox