depends: qt: patch for CVE-2023-34410

2024-12-22 11:39:25 +00:00 · 2023-06-09 15:21:27 +02:00 · 2023-06-09 15:21:27 +02:00 · 1d515d8e93
commit 1d515d8e93
parent 897ecee268
2 changed files with 54 additions and 0 deletions
--- a/contrib/depends/packages/qt.mk
+++ b/contrib/depends/packages/qt.mk
@ -29,6 +29,7 @@ $(package)_patches += v4l2.patch
 $(package)_patches += windows_func_fix.patch
 $(package)_patches += WindowsToolchain.cmake
 $(package)_patches += revert_f99ee441.patch
+$(package)_patches += CVE-2023-34410-qtbase-6.5.diff

 $(package)_qttools_file_name=qttools-$($(package)_suffix)
 $(package)_qttools_sha256_hash=5744df9e84b2a86f7f932ffc00341c7d7209e741fd1c0679a32b855fcceb2329
@ -264,6 +265,7 @@ define $(package)_preprocess_cmds
  mv $($(package)_patch_dir)/riscvToolchain.cmake . && \
  cd qtbase && \
  patch -p1 -i $($(package)_patch_dir)/revert_f99ee441.patch && \
+  patch -p1 -i $($(package)_patch_dir)/CVE-2023-34410-qtbase-6.5.diff && \
  cd ../qtmultimedia && \
  patch -p1 -i $($(package)_patch_dir)/qtmultimedia-fixes.patch && \
  patch -p1 -i $($(package)_patch_dir)/v4l2.patch
--- a/contrib/depends/patches/qt/CVE-2023-34410-qtbase-6.5.diff
+++ b/contrib/depends/patches/qt/CVE-2023-34410-qtbase-6.5.diff
@ -0,0 +1,52 @@
+--- a/src/plugins/tls/schannel/qtls_schannel.cpp
+++ b/src/plugins/tls/schannel/qtls_schannel.cpp
+@@ -2106,6 +2106,27 @@ bool TlsCryptographSchannel::verifyCertContext(CERT_CONTEXT *certContext)
+         verifyDepth = DWORD(q->peerVerifyDepth());
+
+     const auto &caCertificates = q->sslConfiguration().caCertificates();
+
+    if (!rootCertOnDemandLoadingAllowed()
+            && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
+            && (q->peerVerifyMode() == QSslSocket::VerifyPeer
+                    || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
+        // When verifying a peer Windows "helpfully" builds a chain that
+        // may include roots from the system store. But we don't want that if
+        // the user has set their own CA certificates.
+        // Since Windows claims this is not a partial chain the root is included
+        // and we have to check that it is one of our configured CAs.
+        CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
+        QSslCertificate certificate = getCertificateFromChainElement(element);
+        if (!caCertificates.contains(certificate)) {
+            auto error = QSslError(QSslError::CertificateUntrusted, certificate);
+            sslErrors += error;
+            emit q->peerVerifyError(error);
+            if (q->state() != QAbstractSocket::ConnectedState)
+                return false;
+        }
+    }
+
+     QList<QSslCertificate> peerCertificateChain;
+     for (DWORD i = 0; i < verifyDepth; i++) {
+         CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+
+--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
+@@ -1973,6 +1973,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+     , flushTriggered(false)
+ {
+     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
+    // If the global configuration doesn't allow root certificates to be loaded
+    // on demand then we have to disable it for this socket as well.
+    if (!configuration.allowRootCertOnDemandLoading)
+        allowRootCertOnDemandLoading = false;
+
+     const auto *tlsBackend = tlsBackendInUse();
+     if (!tlsBackend) {
+@@ -2281,6 +2285,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+     ptr->sessionProtocol = global->sessionProtocol;
+     ptr->ciphers = global->ciphers;
+     ptr->caCertificates = global->caCertificates;
+    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+     ptr->protocol = global->protocol;
+     ptr->peerVerifyMode = global->peerVerifyMode;
+     ptr->peerVerifyDepth = global->peerVerifyDepth;