commit bf22aa0a101e9b6fe1af405845cc15d0aa48b006
Author: Jan Palus <[email protected]>
Date:   Tue May 23 17:34:12 2023 +0200

    upstream fix for CVE-2023-32762; rel 3
    
    as advised in:
    https://lists.qt-project.org/pipermail/announce/2023-May/000414.html

 CVE-2023-32762-qtbase-5.15.diff | 13 +++++++++++++
 qt5-qtbase.spec                 |  4 +++-
 2 files changed, 16 insertions(+), 1 deletion(-)
---
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index c35d728..be7b7df 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -71,7 +71,7 @@ Summary:      Qt5 - base components
 Summary(pl.UTF-8):     Biblioteka Qt5 - podstawowe komponenty
 Name:          qt5-%{orgname}
 Version:       5.15.9
-Release:       2
+Release:       3
 License:       LGPL v3 or GPL v2 or GPL v3 or commercial
 Group:         X11/Libraries
 Source0:       
https://download.qt.io/official_releases/qt/5.15/%{version}/submodules/%{orgname}-everywhere-opensource-src-%{version}.tar.xz
@@ -82,6 +82,7 @@ Patch0:               %{name}-system_cacerts.patch
 Patch1:                parallel-install.patch
 Patch2:                egl-x11.patch
 Patch3:                CVE-2023-32763-qtbase-5.15.diff
+Patch4:                CVE-2023-32762-qtbase-5.15.diff
 URL:           https://www.qt.io/
 %{?with_directfb:BuildRequires:        DirectFB-devel}
 BuildRequires: EGL-devel
@@ -1178,6 +1179,7 @@ Generator plików makefile dla aplikacji Qt5.
 %patch1 -p1
 %patch2 -p1
 %patch3 -p1
+%patch4 -p1
 
 %{__sed} -i -e 's,usr/X11R6/,usr/,g' mkspecs/linux-g++-64/qmake.conf
 
diff --git a/CVE-2023-32762-qtbase-5.15.diff b/CVE-2023-32762-qtbase-5.15.diff
new file mode 100644
index 0000000..f0bc00f
--- /dev/null
+++ b/CVE-2023-32762-qtbase-5.15.diff
@@ -0,0 +1,13 @@
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -364,8 +364,8 @@ quoted-pair    = "\" CHAR
+ bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> 
&headers)
+ {
+     for (const auto &h : headers) {
+-        // We use '==' since header name was already 'trimmed' for us:
+-        if (h.first == "Strict-Transport-Security") {
++        // We compare directly because header name was already 'trimmed' for 
us:
++        if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) 
== 0) {
+             header = h.second;
+             // RFC6797, 8.1:
+             //
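Review bot: The rewritten comment above the `compare` call in the embedded qhsts.cpp hunk still says only that the name was trimmed, not why the match has to ignore case, which is the security-relevant part of this fix. HTTP field names are case-insensitive (RFC 7230, 3.2) and HTTP/2 sends them in lower case, so the old exact `==` skipped `strict-transport-security` and the host's HSTS policy was never recorded. I would word the comment as `// Field names are case-insensitive (RFC 7230, 3.2); an exact match would miss 'strict-transport-security' and drop the policy.` The packaged patch carries no test case, so a parser check fed a lower-case and a mixed-case header name would guard against regressions. The body of `parse` continues outside the hunk.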
================================================================

---- gitweb:

http://git.pld-linux.org/gitweb.cgi/packages/qt5-qtbase.git/commitdiff/bf22aa0a101e9b6fe1af405845cc15d0aa48b006
