commit: ba6c4d6df5c342444c0ae7c9f640a91a2c8caced Author: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> AuthorDate: Tue May 23 21:17:08 2023 +0000 Commit: Andreas Sturmlechner <asturm <AT> gentoo <DOT> org> CommitDate: Tue May 23 21:19:23 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=ba6c4d6d
dev-qt/qtnetwork: Fix CVE-2023-32762 See also: https://www.qt.io/blog/security-advisory-qt-network Signed-off-by: Andreas Sturmlechner <asturm <AT> gentoo.org> .../files/qtnetwork-5.15.9-CVE-2023-32762.patch | 39 +++++++++++ dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild | 79 ++++++++++++++++++++++ 2 files changed, 118 insertions(+) diff --git a/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-32762.patch b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-32762.patch new file mode 100644 index 000000000000..7509414bd317 --- /dev/null +++ b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-32762.patch @@ -0,0 +1,39 @@ +From a196623892558623e467f20b67edb78794252a09 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <[email protected]> +Date: Fri, 5 May 2023 11:07:26 +0200 +Subject: [PATCH] Hsts: match header names case insensitively (CVE-2023-32762) + +Header field names are always considered to be case-insensitive. + +Pick-to: 6.5 6.5.1 6.2 5.15 +Fixes: QTBUG-113392 +Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43 +Reviewed-by: Qt CI Bot <[email protected]> +Reviewed-by: Edward Welbourne <[email protected]> +Reviewed-by: Volker Hilsheimer <[email protected]> +(cherry picked from commit 1b736a815be0222f4b24289cf17575fc15707305) + +* asturmlechner 2023-05-23: Upstream backport to 5.15 taken from + https://www.qt.io/blog/security-advisory-qt-network +--- + src/network/access/qhsts.cpp | 4 ++-- + 1 file changed, 2 insertions(+), 2 deletions(-) + +diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp +index 0cef0ad3dc..be7ef7ff58 100644 +--- a/src/network/access/qhsts.cpp ++++ b/src/network/access/qhsts.cpp +@@ -364,8 +364,8 @@ quoted-pair = "\" CHAR + bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers) + { + for (const auto &h : headers) { +- // We use '==' since header name was already 'trimmed' for us: +- if (h.first == "Strict-Transport-Security") { ++ // We compare directly because header name was already 'trimmed' for us: ++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) { + header = h.second; + // RFC6797, 8.1: + // +-- +2.40.1 + diff --git a/dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild b/dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild new file mode 100644 index 000000000000..e3f87517c129 --- /dev/null +++ b/dev-qt/qtnetwork/qtnetwork-5.15.9-r2.ebuild @@ -0,0 +1,79 @@ +# Copyright 1999-2023 Gentoo Authors +# Distributed under the terms of the GNU General Public License v2 + +EAPI=8 + +if [[ ${PV} != *9999* ]]; then + QT5_KDEPATCHSET_REV=1 + KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc ~x86" +fi + +QT5_MODULE="qtbase" +inherit qt5-build + +DESCRIPTION="Network abstraction library for the Qt5 framework" + +IUSE="connman gssapi libproxy networkmanager sctp +ssl" + +DEPEND=" + =dev-qt/qtcore-${QT5_PV}*:5= + sys-libs/zlib:= + connman? ( =dev-qt/qtdbus-${QT5_PV}* ) + gssapi? ( virtual/krb5 ) + libproxy? ( net-libs/libproxy ) + networkmanager? ( =dev-qt/qtdbus-${QT5_PV}* ) + sctp? ( kernel_linux? ( net-misc/lksctp-tools ) ) + ssl? ( >=dev-libs/openssl-1.1.1:0= ) +" +RDEPEND="${DEPEND} + connman? ( net-misc/connman ) + networkmanager? ( net-misc/networkmanager ) +" + +PATCHES=( + "${FILESDIR}/${P}-QDnsLookup-dont-overflow-the-buffer.patch" + "${FILESDIR}/${P}-CVE-2023-32762.patch" +) + +QT5_TARGET_SUBDIRS=( + src/network + src/plugins/bearer/generic +) + +QT5_GENTOO_CONFIG=( + libproxy:libproxy: + ssl::SSL + ssl::OPENSSL + ssl:openssl-linked:LINKED_OPENSSL +) + +QT5_GENTOO_PRIVATE_CONFIG=( + :network +) + +pkg_setup() { + use connman && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/connman) + use networkmanager && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/networkmanager) +} + +src_configure() { + local myconf=( + $(usev connman -dbus-linked) + $(qt_use gssapi feature-gssapi) + $(qt_use libproxy) + $(usev networkmanager -dbus-linked) + $(qt_use sctp) + $(usev ssl -openssl-linked) + ) + qt5-build_src_configure +} + +src_install() { + qt5-build_src_install + + # workaround for bug 652650 + if use ssl; then + sed -e "/^#define QT_LINKED_OPENSSL/s/$/ true/" \ + -i "${D}${QT5_HEADERDIR}"/Gentoo/${PN}-qconfig.h || die + fi +}
