Hello community,
here is the log from the commit of package libqt5-qtnetworkauth for
openSUSE:Factory checked in at 2024-05-28 17:28:39
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libqt5-qtnetworkauth (Old)
and /work/SRC/openSUSE:Factory/.libqt5-qtnetworkauth.new.24587 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libqt5-qtnetworkauth"
Tue May 28 17:28:39 2024 rev:30 rq:1177087 version:5.15.13+kde1
Changes:
--------
---
/work/SRC/openSUSE:Factory/libqt5-qtnetworkauth/libqt5-qtnetworkauth.changes
2024-03-20 21:19:51.282190350 +0100
+++
/work/SRC/openSUSE:Factory/.libqt5-qtnetworkauth.new.24587/libqt5-qtnetworkauth.changes
2024-05-28 17:29:22.393225347 +0200
@@ -1,0 +2,7 @@
+Tue May 21 09:37:28 UTC 2024 - Fabian Vogt <[email protected]>
+
+- Update to version 5.15.13+kde1:
+ * QAbstractOAuth: fix data race and poor seeding in generateRandomString()
+ (boo#1224782, CVE-2024-36048)
+
+-------------------------------------------------------------------
Old:
----
qtnetworkauth-everywhere-src-5.15.13+kde0.obscpio
New:
----
qtnetworkauth-everywhere-src-5.15.13+kde1.obscpio
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Other differences:
------------------
++++++ libqt5-qtnetworkauth.spec ++++++
--- /var/tmp/diff_new_pack.jKSCKH/_old 2024-05-28 17:29:23.365260892 +0200
+++ /var/tmp/diff_new_pack.jKSCKH/_new 2024-05-28 17:29:23.365260892 +0200
@@ -23,7 +23,7 @@
%define so_version 5.15.13
%define tar_version qtnetworkauth-everywhere-src-%{version}
Name: libqt5-qtnetworkauth
-Version: 5.15.13+kde0
+Version: 5.15.13+kde1
Release: 0
Summary: Qt 5 NetworkAuth Library
License: GPL-3.0-or-later
++++++ _servicedata ++++++
--- /var/tmp/diff_new_pack.jKSCKH/_old 2024-05-28 17:29:23.409262502 +0200
+++ /var/tmp/diff_new_pack.jKSCKH/_new 2024-05-28 17:29:23.413262648 +0200
@@ -1,6 +1,6 @@
<servicedata>
<service name="tar_scm">
<param
name="url">https://invent.kde.org/qt/qt/qtnetworkauth.git</param>
- <param
name="changesrevision">ed2291d454fac207f6b1555d30b9227e51be611b</param></service></servicedata>
+ <param
name="changesrevision">81efc55a6e1d98a6b90b7a84d009f3f845be2737</param></service></servicedata>
(No newline at EOF)
++++++ qtnetworkauth-everywhere-src-5.15.13+kde0.obscpio ->
qtnetworkauth-everywhere-src-5.15.13+kde1.obscpio ++++++
diff -urN '--exclude=CVS' '--exclude=.cvsignore' '--exclude=.svn'
'--exclude=.svnignore'
old/qtnetworkauth-everywhere-src-5.15.13+kde0/src/oauth/qabstractoauth.cpp
new/qtnetworkauth-everywhere-src-5.15.13+kde1/src/oauth/qabstractoauth.cpp
--- old/qtnetworkauth-everywhere-src-5.15.13+kde0/src/oauth/qabstractoauth.cpp
2024-01-04 20:21:59.000000000 +0100
+++ new/qtnetworkauth-everywhere-src-5.15.13+kde1/src/oauth/qabstractoauth.cpp
2024-05-23 15:20:00.000000000 +0200
@@ -37,7 +37,6 @@
#include <QtCore/qurl.h>
#include <QtCore/qpair.h>
#include <QtCore/qstring.h>
-#include <QtCore/qdatetime.h>
#include <QtCore/qurlquery.h>
#include <QtCore/qjsondocument.h>
#include <QtCore/qmessageauthenticationcode.h>
@@ -46,6 +45,9 @@
#include <QtNetwork/qnetworkaccessmanager.h>
#include <QtNetwork/qnetworkreply.h>
+#include <QtCore/qrandom.h>
+#include <QtCore/private/qlocking_p.h>
+
#include <random>
Q_DECLARE_METATYPE(QAbstractOAuth::Error)
@@ -290,15 +292,19 @@
}
}
+static QBasicMutex prngMutex;
+Q_GLOBAL_STATIC_WITH_ARGS(std::mt19937, prng, (*QRandomGenerator::system()))
+
QByteArray QAbstractOAuthPrivate::generateRandomString(quint8 length)
{
- const char characters[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
- static std::mt19937
randomEngine(QDateTime::currentDateTime().toMSecsSinceEpoch());
+ constexpr char characters[] =
"ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
std::uniform_int_distribution<int> distribution(0, sizeof(characters) - 2);
QByteArray data;
data.reserve(length);
+ auto lock = qt_unique_lock(prngMutex);
for (quint8 i = 0; i < length; ++i)
- data.append(characters[distribution(randomEngine)]);
+ data.append(characters[distribution(*prng)]);
+ lock.unlock();
return data;
}
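Review bot: The strings built in the loop still come from `std::mt19937`, which is not a cryptographic generator, even though `prng` is now seeded from `QRandomGenerator::system()` rather than the clock. The function's documentation describes the result as usable for an OAuth state or nonce, so I would draw each index from the system generator directly: `data.append(characters[QRandomGenerator::system()->bounded(int(sizeof(characters) - 1))]);`. `QRandomGenerator::system()` is documented as thread-safe, so `prngMutex`, the `prng` global and the explicit `lock.unlock()` could be dropped with that change. If the Mersenne Twister stays, a comment on `sizeof(characters) - 2` would help, for example `// -1 for the trailing NUL, -1 because the distribution bound is inclusive`.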
@@ -614,6 +620,7 @@
}
/*!
+ \threadsafe
Generates a random string which could be used as state or nonce.
The parameter \a length determines the size of the generated
string.
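Review bot: The documentation gains `\threadsafe` but still gives callers no guidance on how long a state or nonce should be. Assuming this comment documents the public wrapper around the 62-character alphabet in the earlier hunk, each character carries just under 6 bits, so I would add a sentence such as `Use a \a length of at least 22 to obtain roughly 128 bits of randomness.`. It would also help to state which generator backs the string, so callers can judge whether it suits security-sensitive values. The comment block continues past the end of this hunk, so the rest of its wording is not visible here.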
++++++ qtnetworkauth-everywhere-src.obsinfo ++++++
--- /var/tmp/diff_new_pack.jKSCKH/_old 2024-05-28 17:29:23.553267767 +0200
+++ /var/tmp/diff_new_pack.jKSCKH/_new 2024-05-28 17:29:23.557267914 +0200
@@ -1,5 +1,5 @@
name: qtnetworkauth-everywhere-src
-version: 5.15.13+kde0
-mtime: 1704396119
-commit: ed2291d454fac207f6b1555d30b9227e51be611b
+version: 5.15.13+kde1
+mtime: 1716470400
+commit: 81efc55a6e1d98a6b90b7a84d009f3f845be2737