From: "orbea" <orbea@riseup.net>
To: gentoo-commits@lists.gentoo.org
Subject: [gentoo-commits] repo/proj/libressl:master commit in: dev-qt/qtnetwork/files/, dev-qt/qtnetwork/
Date: Tue, 13 Jun 2023 03:45:28 +0000 (UTC)
Message-ID: <1686627721.bfa63407717e18916b47899d9380f569479b45e4.orbea@gentoo>
commit: bfa63407717e18916b47899d9380f569479b45e4
Author: orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Tue Jun 13 03:42:01 2023 +0000
Commit: orbea <orbea <AT> riseup <DOT> net>
CommitDate: Tue Jun 13 03:42:01 2023 +0000
URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=bfa63407
dev-qt/qtnetwork: add 5.15.9-r3
Signed-off-by: orbea <orbea <AT> riseup.net>
.../files/qtnetwork-5.15.9-CVE-2023-34410.patch | 113 +++++++++++++++++++++
dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild | 83 +++++++++++++++
2 files changed, 196 insertions(+)
diff --git a/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch
new file mode 100644
index 0000000..3c91452
--- /dev/null
+++ b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch
@@ -0,0 +1,113 @@
+From 51a3c8d7b8140f0bf6912d14a58bcd0092b868a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
+Date: Wed, 10 May 2023 16:43:41 +0200
+Subject: [PATCH 1/2] Schannel: Reject certificate not signed by a configured
+ CA certificate
+
+Not entirely clear why, but when building the certificate chain for a
+peer the system certificate store is searched for root certificates.
+General expectation is that after calling
+`sslConfiguration.setCaCertificates()` the system certificates will
+not be taken into consideration.
+
+To work around this behavior, we do a manual check that the root of the
+chain is part of the configured CA certificates.
+
+Pick-to: 6.5 6.2 5.15
+Change-Id: I03666a4d9b0eac39ae97e150b4743120611a11b3
+Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
+Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
+(cherry picked from commit ada2c573c1a25f8d96577734968fe317ddfa292a)
+---
+ src/network/ssl/qsslsocket_schannel.cpp | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/network/ssl/qsslsocket_schannel.cpp b/src/network/ssl/qsslsocket_schannel.cpp
+index c956ce3c2b..d1b23af29b 100644
+--- a/src/network/ssl/qsslsocket_schannel.cpp
++++ b/src/network/ssl/qsslsocket_schannel.cpp
+@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
+ if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
+ verifyDepth = DWORD(configuration.peerVerifyDepth);
+
++ const auto &caCertificates = q->sslConfiguration().caCertificates();
++
++ if (!rootCertOnDemandLoadingAllowed()
++ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
++ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
++ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
++ // When verifying a peer Windows "helpfully" builds a chain that
++ // may include roots from the system store. But we don't want that if
++ // the user has set their own CA certificates.
++ // Since Windows claims this is not a partial chain the root is included
++ // and we have to check that it is one of our configured CAs.
++ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
++ QSslCertificate certificate = getCertificateFromChainElement(element);
++ if (!caCertificates.contains(certificate)) {
++ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
++ sslErrors += error;
++ emit q->peerVerifyError(error);
++ if (q->state() != QAbstractSocket::ConnectedState)
++ return false;
++ }
++ }
++
+ for (DWORD i = 0; i < verifyDepth; i++) {
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+ QSslCertificate certificate = getCertificateFromChainElement(element);
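Review bot: the new root-of-chain check indexes `chain->rgpElement[chain->cElement - 1]` with no visible `cElement > 0` guard; the `CERT_TRUST_IS_PARTIAL_CHAIN` test makes an empty chain unlikely, but unless something earlier in `verifyCertContext` guarantees a non-empty chain, a `cElement == 0` check before the index is cheap insurance. Two further points: the block is gated on `!rootCertOnDemandLoadingAllowed()`, so by itself it does nothing for sockets whose per-socket flag was never copied from the default configuration (which is what the second patch in this file fixes, so the two must ship together, as they do here); and `caCertificates.contains(certificate)` is an exact certificate match, so a configured root that differs in bytes from the one Windows placed at the end of the chain (a re-issued or cross-signed variant) is reported as `CertificateUntrusted`, which is the intended strictness but deserves a sentence in the `setCaCertificates()` documentation.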
+--
+2.41.0
+
+
+From a933f89e1f69b97ccb9d1e5f82d9a619c02afcd2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
+Date: Thu, 25 May 2023 14:40:29 +0200
+Subject: [PATCH 2/2] Ssl: Copy the on-demand cert loading bool from default
+ config
+
+Otherwise individual sockets will still load system certificates when
+a chain doesn't match against the configured CA certificates.
+That's not intended behavior, since specifically setting the CA
+certificates means you don't want the system certificates to be used.
+
+Follow-up to/amends ada2c573c1a25f8d96577734968fe317ddfa292a
+
+This is potentially a breaking change because now, if you ever add a
+CA to the default config, it will disable loading system certificates
+on demand for all sockets. And the only way to re-enable it is to
+create a null-QSslConfiguration and set it as the new default.
+
+Pick-to: 6.5 6.2 5.15
+Change-Id: Ic3b2ab125c0cdd58ad654af1cb36173960ce2d1e
+Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
+(cherry picked from commit 57ba6260c0801055b7188fdaa1818b940590f5f1)
+---
+ src/network/ssl/qsslsocket.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
+index 5bb6e7ee4a..2a0b3a4f1d 100644
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+ , flushTriggered(false)
+ {
+ QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++ // If the global configuration doesn't allow root certificates to be loaded
++ // on demand then we have to disable it for this socket as well.
++ if (!configuration.allowRootCertOnDemandLoading)
++ allowRootCertOnDemandLoading = false;
+ }
+
+ /*!
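Review bot: the constructor copies `allowRootCertOnDemandLoading` in one direction only (a `false` in the default configuration disables it for this socket, a `true` never re-enables it), which matches the commit message's intent but, given that the message itself calls this a potentially breaking change whose only undo is installing a null QSslConfiguration as the new default, should be stated in the documentation of the default configuration and `setCaCertificates()`. The read of `configuration.allowRootCertOnDemandLoading` here is only meaningful because the following hunk makes `deepCopyDefaultConfiguration` copy that field from the global configuration; without it the value read is whatever the freshly constructed `configuration` defaulted to. Suggest a short comment on the dependency, e.g. `// populated by deepCopyDefaultConfiguration() above`.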
+@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+ ptr->sessionProtocol = global->sessionProtocol;
+ ptr->ciphers = global->ciphers;
+ ptr->caCertificates = global->caCertificates;
++ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+ ptr->protocol = global->protocol;
+ ptr->peerVerifyMode = global->peerVerifyMode;
+ ptr->peerVerifyDepth = global->peerVerifyDepth;
+--
+2.41.0
+
diff --git a/dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild b/dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild
new file mode 100644
index 0000000..a166a59
--- /dev/null
+++ b/dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild
@@ -0,0 +1,83 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+if [[ ${PV} != *9999* ]]; then
+ QT5_KDEPATCHSET_REV=1
+ KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86"
+fi
+
+QT5_MODULE="qtbase"
+inherit qt5-build
+
+DESCRIPTION="Network abstraction library for the Qt5 framework"
+
+IUSE="connman gssapi libproxy networkmanager sctp +ssl"
+
+DEPEND="
+ =dev-qt/qtcore-${QT5_PV}*:5=
+ sys-libs/zlib:=
+ connman? ( =dev-qt/qtdbus-${QT5_PV}* )
+ gssapi? ( virtual/krb5 )
+ libproxy? ( net-libs/libproxy )
+ networkmanager? ( =dev-qt/qtdbus-${QT5_PV}* )
+ sctp? ( kernel_linux? ( net-misc/lksctp-tools ) )
+ ssl? ( >=dev-libs/openssl-1.1.1:0= )
+"
+RDEPEND="${DEPEND}
+ connman? ( net-misc/connman )
+ networkmanager? ( net-misc/networkmanager )
+"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-5.15.7-libressl.patch" #562050
+ "${FILESDIR}/${P}-QDnsLookup-dont-overflow-the-buffer.patch"
+ "${FILESDIR}/${P}-CVE-2023-32762.patch"
+ "${FILESDIR}/${P}-libproxy-0.5-pkgconfig.patch"
+ "${FILESDIR}/${P}-CVE-2023-34410.patch"
+)
+
+QT5_TARGET_SUBDIRS=(
+ src/network
+ src/plugins/bearer/generic
+)
+
+QT5_GENTOO_CONFIG=(
+ libproxy:libproxy:
+ ssl::SSL
+ ssl::OPENSSL
+ ssl:openssl-linked:LINKED_OPENSSL
+)
+
+QT5_GENTOO_PRIVATE_CONFIG=(
+ :network
+)
+
+pkg_setup() {
+ use connman && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/connman)
+ use networkmanager && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/networkmanager)
+}
+
+src_configure() {
+ local myconf=(
+ $(usev connman -dbus-linked)
+ $(qt_use gssapi feature-gssapi)
+ $(qt_use libproxy)
+ $(usev networkmanager -dbus-linked)
+ $(qt_use sctp)
+ $(usev ssl -openssl-linked)
+ -no-dtls # Required for libressl
+ )
+ qt5-build_src_configure
+}
+
+src_install() {
+ qt5-build_src_install
+
+ # workaround for bug 652650
+ if use ssl; then
+ sed -e "/^#define QT_LINKED_OPENSSL/s/$/ true/" \
+ -i "${D}${QT5_HEADERDIR}"/Gentoo/${PN}-qconfig.h || die
+ fi
+}
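Review bot: `PATCHES` gains `"${FILESDIR}/${P}-CVE-2023-34410.patch"`, but of the two upstream commits in that file only the `qsslsocket.cpp` change (copying `allowRootCertOnDemandLoading` from the default configuration) is compiled here; `qsslsocket_schannel.cpp` is the Windows Schannel backend and is not built on Linux. The revbump is still warranted because the `qsslsocket.cpp` change alters default-configuration behaviour for every socket once a CA is added to the default config, so add a one-line comment on that PATCHES entry (as `#562050` does for the libressl patch) saying which part applies to this overlay, and mention it in the commit message. Minor: `-no-dtls # Required for libressl` alongside `ssl? ( >=dev-libs/openssl-1.1.1:0= )` reads inconsistently in a libressl overlay; if the openssl dependency is intentional here, a comment would save the next reader the question.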