From 8118e519992ba3fe6d38bd7e0dc8470fd6aadfcc Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Lisandro=20Dami=C3=A1n=20Nicanor=20P=C3=A9rez=20Meyer?=
Date: Mon, 22 May 2023 11:40:25 -0300
Subject: [PATCH] Add a patch to fix CVE-2023-32762.
Yes, there was another CVE...
---
 debian/changelog | 3 +++
 debian/patches/cve-2023-32762.diff | 15 +++++++++++++++
 debian/patches/series | 1 +
 3 files changed, 19 insertions(+)
 create mode 100644 debian/patches/cve-2023-32762.diff
diff --git a/debian/changelog b/debian/changelog
index b1d3577..d6697fd 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -1,5 +1,8 @@
 qt6-base (6.4.2+dfsg-9) UNRELEASED; urgency=medium
+ [ Lisandro Damián Nicanor Pérez Meyer ]
+ * Add a patch to fix CVE-2023-32762.
+
 -- Debian Qt/KDE Maintainers Mon, 22 May 2023 11:36:51 -0300
 qt6-base (6.4.2+dfsg-8) unstable; urgency=medium
diff --git a/debian/patches/cve-2023-32762.diff b/debian/patches/cve-2023-32762.diff
new file mode 100644
index 0000000..92b76fa
--- /dev/null
+++ b/debian/patches/cve-2023-32762.diff
@@ -0,0 +1,15 @@
+---
+ src/network/access/qhsts.cpp | 2 +-
+ 1 file changed, 1 insertion(+), 1 deletion(-)
+
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -328,7 +328,7 @@ bool QHstsHeaderParser::parse(const QLis
+ {
+ for (const auto &h : headers) {
+ // We use '==' since header name was already 'trimmed' for us:
+- if (h.first == "Strict-Transport-Security") {
++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
+ header = h.second;
+ // RFC6797, 8.1:
+ //
diff --git a/debian/patches/series b/debian/patches/series
index 1bbf239..5403fd0 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -1,4 +1,5 @@
 # fixed in 6.5
+cve-2023-32762.diff
 cve-2023-32763.diff
 upstream_Add-HPPA-detection.patch
 upstream_Add-M68k-detection.patch
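Review bot: In debian/patches/cve-2023-32762.diff, the context comment `// We use '==' since header name was already 'trimmed' for us:` stays directly above the new `h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0` test, so it now describes an operator the code no longer uses and does not say why case is ignored. HTTP field names are case-insensitive and HTTP/2 carries them lower-cased, so the old exact match could skip a server's HSTS policy and leave later requests to that host on plain HTTP; I would reword the comment to something like `// Header names are case-insensitive (and already trimmed for us), so compare ignoring case:`. The new patch file also begins straight at `---` with no DEP-3 header; adding `Description:` and `Origin:` fields would let a later security review trace it back to the upstream change. QHstsHeaderParser::parse continues past the end of the nested hunk, so the rest of the header handling is not visible here.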