From mboxrd@z Thu Jan  1 00:00:00 1970
Return-Path: <gentoo-commits+bounces-1521119-garchives=archives.gentoo.org@lists.gentoo.org>
Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (2048 bits))
	(No client certificate requested)
	by finch.gentoo.org (Postfix) with ESMTPS id D2D0615806E
	for <garchives@archives.gentoo.org>; Wed, 24 May 2023 18:06:16 +0000 (UTC)
Received: from pigeon.gentoo.org (localhost [127.0.0.1])
	by pigeon.gentoo.org (Postfix) with SMTP id 09D88E078A;
	Wed, 24 May 2023 18:06:16 +0000 (UTC)
Received: from smtp.gentoo.org (woodpecker.gentoo.org [140.211.166.183])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits))
	(No client certificate requested)
	by pigeon.gentoo.org (Postfix) with ESMTPS id E27F3E078A
	for <gentoo-commits@lists.gentoo.org>; Wed, 24 May 2023 18:06:15 +0000 (UTC)
Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52])
	(using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits)
	 key-exchange X25519 server-signature RSA-PSS (4096 bits) server-digest SHA256)
	(No client certificate requested)
	by smtp.gentoo.org (Postfix) with ESMTPS id E029E33BE18
	for <gentoo-commits@lists.gentoo.org>; Wed, 24 May 2023 18:06:14 +0000 (UTC)
Received: from localhost.localdomain (localhost [IPv6:::1])
	by oystercatcher.gentoo.org (Postfix) with ESMTP id 43FE7A77
	for <gentoo-commits@lists.gentoo.org>; Wed, 24 May 2023 18:06:13 +0000 (UTC)
From: "orbea" <orbea@riseup.net>
To: gentoo-commits@lists.gentoo.org
Content-Transfer-Encoding: 8bit
Content-type: text/plain; charset=UTF-8
Reply-To: gentoo-dev@lists.gentoo.org, "orbea" <orbea@riseup.net>
Message-ID: <1684949923.6e0c7e3a9d7ecbb28cfd62c7fef56f9a4aea5fd1.orbea@gentoo>
Subject: [gentoo-commits] repo/proj/libressl:master commit in: dev-qt/qtnetwork/, dev-qt/qtnetwork/files/
X-VCS-Repository: repo/proj/libressl
X-VCS-Files: dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-32762.patch dev-qt/qtnetwork/qtnetwork-5.15.9-r1.ebuild dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild
X-VCS-Directories: dev-qt/qtnetwork/files/ dev-qt/qtnetwork/
X-VCS-Committer: orbea
X-VCS-Committer-Name: orbea
X-VCS-Revision: 6e0c7e3a9d7ecbb28cfd62c7fef56f9a4aea5fd1
X-VCS-Branch: master
Date: Wed, 24 May 2023 18:06:13 +0000 (UTC)
Precedence: bulk
List-Post: <mailto:gentoo-commits@lists.gentoo.org>
List-Help: <mailto:gentoo-commits+help@lists.gentoo.org>
List-Unsubscribe: <mailto:gentoo-commits+unsubscribe@lists.gentoo.org>
List-Subscribe: <mailto:gentoo-commits+subscribe@lists.gentoo.org>
List-Id: Gentoo Linux mail <gentoo-commits.gentoo.org>
X-BeenThere: gentoo-commits@lists.gentoo.org
X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply
X-Archives-Salt: 8a368f14-2a11-451e-9c81-f5d039432104
X-Archives-Hash: e44ae070507f54be304b56ea122c5752

commit:     6e0c7e3a9d7ecbb28cfd62c7fef56f9a4aea5fd1
Author:     orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Wed May 24 17:38:43 2023 +0000
Commit:     orbea <orbea <AT> riseup <DOT> net>
CommitDate: Wed May 24 17:38:43 2023 +0000
URL:        https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=6e0c7e3a

dev-qt/qtnetwork: add 5.15.9-r2

Signed-off-by: orbea <orbea <AT> riseup.net>

 .../files/qtnetwork-5.15.9-CVE-2023-32762.patch    | 39 ++++++++++++++++++++++
 ...5.15.9-r1.ebuild => qtnetwork-5.15.9-r2.ebuild} |  3 +-
 2 files changed, 41 insertions(+), 1 deletion(-)

diff --git a/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-32762.patch b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-32762.patch
new file mode 100644
index 0000000..7509414
--- /dev/null
+++ b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-32762.patch
@@ -0,0 +1,39 @@
+From a196623892558623e467f20b67edb78794252a09 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
+Date: Fri, 5 May 2023 11:07:26 +0200
+Subject: [PATCH] Hsts: match header names case insensitively (CVE-2023-32762)
+
+Header field names are always considered to be case-insensitive.
+
+Pick-to: 6.5 6.5.1 6.2 5.15
+Fixes: QTBUG-113392
+Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43
+Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
+Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
+Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
+(cherry picked from commit 1b736a815be0222f4b24289cf17575fc15707305)
+
+* asturmlechner 2023-05-23: Upstream backport to 5.15 taken from
+  https://www.qt.io/blog/security-advisory-qt-network
+---
+ src/network/access/qhsts.cpp | 4 ++--
+ 1 file changed, 2 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp
+index 0cef0ad3dc..be7ef7ff58 100644
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -364,8 +364,8 @@ quoted-pair    = "\" CHAR
+ bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
+ {
+     for (const auto &h : headers) {
+-        // We use '==' since header name was already 'trimmed' for us:
+-        if (h.first == "Strict-Transport-Security") {
++        // We compare directly because header name was already 'trimmed' for us:
++        if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
+             header = h.second;
+             // RFC6797, 8.1:
+             //
+-- 
+2.40.1
+

diff --git a/dev-qt/qtnetwork/qtnetwork-5.15.9-r1.ebuild b/dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild
similarity index 94%
rename from dev-qt/qtnetwork/qtnetwork-5.15.9-r1.ebuild
rename to dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild
index 3e96f6c..45eeceb 100644
--- a/dev-qt/qtnetwork/qtnetwork-5.15.9-r1.ebuild
+++ b/dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild
@@ -31,8 +31,9 @@ RDEPEND="${DEPEND}
 "
 
 PATCHES=(
-	"${FILESDIR}"/${PN}-5.15.7-libressl.patch # Bug 562050, not upstreamable
+	"${FILESDIR}/${PN}-5.15.7-libressl.patch" #562050
 	"${FILESDIR}/${P}-QDnsLookup-dont-overflow-the-buffer.patch"
+	"${FILESDIR}/${P}-CVE-2023-32762.patch"
 )
 
 QT5_TARGET_SUBDIRS=(