Lubuntu
/
qt6-base
3
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

Remove patches that have been applied upstream.

Browse Source
ci/unstable
Patrick Franz 1 year ago
parent 5a9ee9002c
commit e57a7fa7df
No known key found for this signature in database
GPG Key ID: 9E9F7A603077FE56
11 changed files with 1 additions and 1049 deletions
Show Stats Download Patch File Download Diff File

1
debian/changelog vendored
Unescape View File

@ -4,6 +4,7 @@ qt6-base (6.6.0+dfsg-1) UNRELEASED; urgency=medium
* New upstream release (6.6.0).
* Update ABI to 6.6.0.
* Remove references to htmlinfo examples.
* Remove patches that have been applied upstream.
-- Debian Qt/KDE Maintainers <debian-qt-kde@lists.debian.org> Tue, 10 Oct 2023 17:54:32 +0200

342
debian/patches/cve-2023-24607.patch vendored
Unescape View File

@ -1,342 +0,0 @@
Description: Fix CVE-2023-24607
CVE-2023-24607 can trigger a DOS with a specifically crafted string,
see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031871.
This patch https://codereview.qt-project.org/c/qt/qtbase/+/456216,
https://codereview.qt-project.org/c/qt/qtbase/+/457637 and
https://codereview.qt-project.org/c/qt/qtbase/+/457937
See: https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin
Forwarded: not-needed
--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
+++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
@@ -58,23 +58,39 @@ inline static QString fromSQLTCHAR(const QVarLengthArray<SQLTCHAR>& input, qsize
return result;
}
+template <size_t SizeOfChar = sizeof(SQLTCHAR)>
+void toSQLTCHARImpl(QVarLengthArray<SQLTCHAR> &result, const QString &input); // primary template undefined
+
+template <typename Container>
+void do_append(QVarLengthArray<SQLTCHAR> &result, const Container &c)
+{
+ result.append(reinterpret_cast<const SQLTCHAR *>(c.data()), c.size());
+}
+
+template <>
+void toSQLTCHARImpl<1>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
+{
+ const auto u8 = input.toUtf8();
+ do_append(result, u8);
+}
+
+template <>
+void toSQLTCHARImpl<2>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
+{
+ do_append(result, input);
+}
+
+template <>
+void toSQLTCHARImpl<4>(QVarLengthArray<SQLTCHAR> &result, const QString &input)
+{
+ const auto u32 = input.toUcs4();
+ do_append(result, u32);
+}
+
inline static QVarLengthArray<SQLTCHAR> toSQLTCHAR(const QString &input)
{
QVarLengthArray<SQLTCHAR> result;
- result.resize(input.size());
- switch(sizeof(SQLTCHAR)) {
- case 1:
- memcpy(result.data(), input.toUtf8().data(), input.size());
- break;
- case 2:
- memcpy(result.data(), input.unicode(), input.size() * 2);
- break;
- case 4:
- memcpy(result.data(), input.toUcs4().data(), input.size() * 4);
- break;
- default:
- qCritical("sizeof(SQLTCHAR) is %d. Don't know how to handle this.", int(sizeof(SQLTCHAR)));
- }
+ toSQLTCHARImpl(result, input);
result.append(0); // make sure it's null terminated, doesn't matter if it already is, it does if it isn't.
return result;
}
--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
+++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
@@ -1740,10 +1740,11 @@ bool QODBCResult::exec()
case QMetaType::QString:
if (d->unicode) {
if (bindValueType(i) & QSql::Out) {
- const QByteArray &first = tmpStorage.at(i);
- QVarLengthArray<SQLTCHAR> array;
- array.append((const SQLTCHAR *)first.constData(), first.size());
- values[i] = fromSQLTCHAR(array, first.size()/sizeof(SQLTCHAR));
+ const QByteArray &bytes = tmpStorage.at(i);
+ const auto strSize = bytes.size() / sizeof(SQLTCHAR);
+ QVarLengthArray<SQLTCHAR> string(strSize);
+ memcpy(string.data(), bytes.data(), strSize * sizeof(SQLTCHAR));
+ values[i] = fromSQLTCHAR(string);
}
break;
}
--- a/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
+++ b/src/plugins/sqldrivers/odbc/qsql_odbc.cpp
@@ -745,6 +745,14 @@ QChar QODBCDriverPrivate::quoteChar()
return quote;
}
+static SQLRETURN qt_string_SQLSetConnectAttr(SQLHDBC handle, SQLINTEGER attr, const QString &val)
+{
+ auto encoded = toSQLTCHAR(val);
+ return SQLSetConnectAttr(handle, attr,
+ encoded.data(),
+ SQLINTEGER(encoded.size() * sizeof(SQLTCHAR))); // size in bytes
+}
+
bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
{
@@ -780,10 +788,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
v = val.toUInt();
r = SQLSetConnectAttr(hDbc, SQL_ATTR_LOGIN_TIMEOUT, (SQLPOINTER) size_t(v), 0);
} else if (opt.toUpper() == "SQL_ATTR_CURRENT_CATALOG"_L1) {
- val.utf16(); // 0 terminate
- r = SQLSetConnectAttr(hDbc, SQL_ATTR_CURRENT_CATALOG,
- toSQLTCHAR(val).data(),
- SQLINTEGER(val.length() * sizeof(SQLTCHAR)));
+ r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_CURRENT_CATALOG, val);
} else if (opt.toUpper() == "SQL_ATTR_METADATA_ID"_L1) {
if (val.toUpper() == "SQL_TRUE"_L1) {
v = SQL_TRUE;
@@ -798,10 +803,7 @@ bool QODBCDriverPrivate::setConnectionOptions(const QString& connOpts)
v = val.toUInt();
r = SQLSetConnectAttr(hDbc, SQL_ATTR_PACKET_SIZE, (SQLPOINTER) size_t(v), 0);
} else if (opt.toUpper() == "SQL_ATTR_TRACEFILE"_L1) {
- val.utf16(); // 0 terminate
- r = SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE,
- toSQLTCHAR(val).data(),
- SQLINTEGER(val.length() * sizeof(SQLTCHAR)));
+ r = qt_string_SQLSetConnectAttr(hDbc, SQL_ATTR_TRACEFILE, val);
} else if (opt.toUpper() == "SQL_ATTR_TRACE"_L1) {
if (val.toUpper() == "SQL_OPT_TRACE_OFF"_L1) {
v = SQL_OPT_TRACE_OFF;
@@ -1004,9 +1006,12 @@ bool QODBCResult::reset (const QString& query)
return false;
}
- r = SQLExecDirect(d->hStmt,
- toSQLTCHAR(query).data(),
- (SQLINTEGER) query.length());
+ {
+ auto encoded = toSQLTCHAR(query);
+ r = SQLExecDirect(d->hStmt,
+ encoded.data(),
+ SQLINTEGER(encoded.size()));
+ }
if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO && r!= SQL_NO_DATA) {
setLastError(qMakeError(QCoreApplication::translate("QODBCResult",
"Unable to execute statement"), QSqlError::StatementError, d));
@@ -1355,9 +1360,12 @@ bool QODBCResult::prepare(const QString& query)
return false;
}
- r = SQLPrepare(d->hStmt,
- toSQLTCHAR(query).data(),
- (SQLINTEGER) query.length());
+ {
+ auto encoded = toSQLTCHAR(query);
+ r = SQLPrepare(d->hStmt,
+ encoded.data(),
+ SQLINTEGER(encoded.size()));
+ }
if (r != SQL_SUCCESS) {
setLastError(qMakeError(QCoreApplication::translate("QODBCResult",
@@ -1385,7 +1393,7 @@ bool QODBCResult::exec()
SQLCloseCursor(d->hStmt);
QVariantList &values = boundValues();
- QByteArrayList tmpStorage(values.count(), QByteArray()); // holds temporary buffers
+ QByteArrayList tmpStorage(values.count(), QByteArray()); // targets for SQLBindParameter()
QVarLengthArray<SQLLEN, 32> indicators(values.count());
memset(indicators.data(), 0, indicators.size() * sizeof(SQLLEN));
@@ -1600,36 +1608,36 @@ bool QODBCResult::exec()
case QMetaType::QString:
if (d->unicode) {
QByteArray &ba = tmpStorage[i];
- QString str = val.toString();
+ {
+ const auto encoded = toSQLTCHAR(val.toString());
+ ba = QByteArray(reinterpret_cast<const char *>(encoded.data()),
+ encoded.size() * sizeof(SQLTCHAR));
+ }
+
if (*ind != SQL_NULL_DATA)
- *ind = str.length() * sizeof(SQLTCHAR);
- const qsizetype strSize = str.length() * sizeof(SQLTCHAR);
+ *ind = ba.size();
if (bindValueType(i) & QSql::Out) {
- const QVarLengthArray<SQLTCHAR> a(toSQLTCHAR(str));
- ba = QByteArray((const char *)a.constData(), int(a.size() * sizeof(SQLTCHAR)));
r = SQLBindParameter(d->hStmt,
i + 1,
qParamType[bindValueType(i) & QSql::InOut],
SQL_C_TCHAR,
- strSize > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
+ ba.size() > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
0, // god knows... don't change this!
0,
- ba.data(),
+ const_cast<char *>(ba.constData()), // don't detach
ba.size(),
ind);
break;
}
- ba = QByteArray(reinterpret_cast<const char *>(toSQLTCHAR(str).constData()),
- int(strSize));
r = SQLBindParameter(d->hStmt,
i + 1,
qParamType[bindValueType(i) & QSql::InOut],
SQL_C_TCHAR,
- strSize > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
- strSize,
+ ba.size() > 254 ? SQL_WLONGVARCHAR : SQL_WVARCHAR,
+ ba.size(),
0,
- const_cast<char *>(ba.constData()),
+ const_cast<char *>(ba.constData()), // don't detach
ba.size(),
ind);
break;
@@ -1991,14 +1999,16 @@ bool QODBCDriver::open(const QString & db,
SQLSMALLINT cb;
QVarLengthArray<SQLTCHAR> connOut(1024);
memset(connOut.data(), 0, connOut.size() * sizeof(SQLTCHAR));
- r = SQLDriverConnect(d->hDbc,
- NULL,
- toSQLTCHAR(connQStr).data(),
- (SQLSMALLINT)connQStr.length(),
- connOut.data(),
- 1024,
- &cb,
- /*SQL_DRIVER_NOPROMPT*/0);
+ {
+ auto encoded = toSQLTCHAR(connQStr);
+ r = SQLDriverConnect(d->hDbc,
+ nullptr,
+ encoded.data(), SQLSMALLINT(encoded.size()),
+ connOut.data(),
+ 1024,
+ &cb,
+ /*SQL_DRIVER_NOPROMPT*/0);
+ }
if (r != SQL_SUCCESS && r != SQL_SUCCESS_WITH_INFO) {
setLastError(qMakeError(tr("Unable to connect"), QSqlError::ConnectionError, d));
@@ -2377,17 +2387,15 @@ QStringList QODBCDriver::tables(QSql::TableType type) const
if (tableType.isEmpty())
return tl;
- QString joinedTableTypeString = tableType.join(u',');
+ {
+ auto joinedTableTypeString = toSQLTCHAR(tableType.join(u','));
- r = SQLTables(hStmt,
- NULL,
- 0,
- NULL,
- 0,
- NULL,
- 0,
- toSQLTCHAR(joinedTableTypeString).data(),
- joinedTableTypeString.length() /* characters, not bytes */);
+ r = SQLTables(hStmt,
+ nullptr, 0,
+ nullptr, 0,
+ nullptr, 0,
+ joinedTableTypeString.data(), joinedTableTypeString.size());
+ }
if (r != SQL_SUCCESS)
qSqlWarning("QODBCDriver::tables Unable to execute table list"_L1, d);
@@ -2460,28 +2468,30 @@ QSqlIndex QODBCDriver::primaryIndex(const QString& tablename) const
SQL_ATTR_CURSOR_TYPE,
(SQLPOINTER)SQL_CURSOR_FORWARD_ONLY,
SQL_IS_UINTEGER);
- r = SQLPrimaryKeys(hStmt,
- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
- catalog.length(),
- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
- schema.length(),
- toSQLTCHAR(table).data(),
- table.length() /* in characters, not in bytes */);
+ {
+ auto c = toSQLTCHAR(catalog);
+ auto s = toSQLTCHAR(schema);
+ auto t = toSQLTCHAR(table);
+ r = SQLPrimaryKeys(hStmt,
+ catalog.isEmpty() ? nullptr : c.data(), c.size(),
+ schema.isEmpty() ? nullptr : s.data(), s.size(),
+ t.data(), t.size());
+ }
// if the SQLPrimaryKeys() call does not succeed (e.g the driver
// does not support it) - try an alternative method to get hold of
// the primary index (e.g MS Access and FoxPro)
if (r != SQL_SUCCESS) {
- r = SQLSpecialColumns(hStmt,
- SQL_BEST_ROWID,
- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
- catalog.length(),
- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
- schema.length(),
- toSQLTCHAR(table).data(),
- table.length(),
- SQL_SCOPE_CURROW,
- SQL_NULLABLE);
+ auto c = toSQLTCHAR(catalog);
+ auto s = toSQLTCHAR(schema);
+ auto t = toSQLTCHAR(table);
+ r = SQLSpecialColumns(hStmt,
+ SQL_BEST_ROWID,
+ catalog.isEmpty() ? nullptr : c.data(), c.size(),
+ schema.isEmpty() ? nullptr : s.data(), s.size(),
+ t.data(), t.size(),
+ SQL_SCOPE_CURROW,
+ SQL_NULLABLE);
if (r != SQL_SUCCESS) {
qSqlWarning("QODBCDriver::primaryIndex: Unable to execute primary key list"_L1, d);
@@ -2562,15 +2572,17 @@ QSqlRecord QODBCDriver::record(const QString& tablename) const
SQL_ATTR_CURSOR_TYPE,
(SQLPOINTER)SQL_CURSOR_FORWARD_ONLY,
SQL_IS_UINTEGER);
- r = SQLColumns(hStmt,
- catalog.length() == 0 ? NULL : toSQLTCHAR(catalog).data(),
- catalog.length(),
- schema.length() == 0 ? NULL : toSQLTCHAR(schema).data(),
- schema.length(),
- toSQLTCHAR(table).data(),
- table.length(),
- NULL,
- 0);
+ {
+ auto c = toSQLTCHAR(catalog);
+ auto s = toSQLTCHAR(schema);
+ auto t = toSQLTCHAR(table);
+ r = SQLColumns(hStmt,
+ catalog.isEmpty() ? nullptr : c.data(), c.size(),
+ schema.isEmpty() ? nullptr : s.data(), s.size(),
+ t.data(), t.size(),
+ nullptr,
+ 0);
+ }
if (r != SQL_SUCCESS)
qSqlWarning("QODBCDriver::record: Unable to execute column list"_L1, d);

15
debian/patches/cve-2023-32762.diff vendored
Unescape View File

@ -1,15 +0,0 @@
---
src/network/access/qhsts.cpp | 2 +-
1 file changed, 1 insertion(+), 1 deletion(-)
--- a/src/network/access/qhsts.cpp
+++ b/src/network/access/qhsts.cpp
@@ -328,7 +328,7 @@ bool QHstsHeaderParser::parse(const QLis
{
for (const auto &h : headers) {
// We use '==' since header name was already 'trimmed' for us:
- if (h.first == "Strict-Transport-Security") {
+ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
header = h.second;
// RFC6797, 8.1:
//

58
debian/patches/cve-2023-32763.diff vendored
Unescape View File

@ -1,58 +0,0 @@
---
src/gui/painting/qfixed_p.h | 17 +++++++++++++++++
src/gui/text/qtextlayout.cpp | 9 ++++++---
2 files changed, 23 insertions(+), 3 deletions(-)
--- a/src/gui/painting/qfixed_p.h
+++ b/src/gui/painting/qfixed_p.h
@@ -18,6 +18,7 @@
#include <QtGui/private/qtguiglobal_p.h>
#include "QtCore/qdebug.h"
#include "QtCore/qpoint.h"
+#include "QtCore/qnumeric.h"
#include "QtCore/qsize.h"
QT_BEGIN_NAMESPACE
@@ -136,6 +137,22 @@ constexpr inline QFixed operator+(uint i
constexpr inline QFixed operator-(uint i, QFixed d) { return -(d-i); }
// constexpr inline QFixed operator*(qreal d, QFixed d2) { return d2*d; }
+inline bool qAddOverflow(QFixed v1, QFixed v2, QFixed *r)
+{
+ int val;
+ bool result = qAddOverflow(v1.value(), v2.value(), &val);
+ r->setValue(val);
+ return result;
+}
+
+inline bool qMulOverflow(QFixed v1, QFixed v2, QFixed *r)
+{
+ int val;
+ bool result = qMulOverflow(v1.value(), v2.value(), &val);
+ r->setValue(val);
+ return result;
+}
+
#ifndef QT_NO_DEBUG_STREAM
inline QDebug &operator<<(QDebug &dbg, QFixed f)
{ return dbg << f.toReal(); }
--- a/src/gui/text/qtextlayout.cpp
+++ b/src/gui/text/qtextlayout.cpp
@@ -2105,11 +2105,14 @@ found:
eng->maxWidth = qMax(eng->maxWidth, line.textWidth);
} else {
eng->minWidth = qMax(eng->minWidth, lbh.minw);
- eng->maxWidth += line.textWidth;
+ if (qAddOverflow(eng->maxWidth, line.textWidth, &eng->maxWidth))
+ eng->maxWidth = QFIXED_MAX;
}
- if (line.textWidth > 0 && item < eng->layoutData->items.size())
- eng->maxWidth += lbh.spaceData.textWidth;
+ if (line.textWidth > 0 && item < eng->layoutData->items.size()) {
+ if (qAddOverflow(eng->maxWidth, lbh.spaceData.textWidth, &eng->maxWidth))
+ eng->maxWidth = QFIXED_MAX;
+ }
line.textWidth += trailingSpace;
if (lbh.spaceData.length) {

70
debian/patches/cve-2023-33285.diff vendored
Unescape View File

@ -1,70 +0,0 @@
diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
index 75f7c6c440..de0113494f 100644
--- a/src/network/kernel/qdnslookup_unix.cpp
+++ b/src/network/kernel/qdnslookup_unix.cpp
@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
// responseLength in case of error, we still can extract the
// exact error code from the response.
HEADER *header = (HEADER*)response;
- const int answerCount = ntohs(header->ancount);
switch (header->rcode) {
case NOERROR:
break;
@@ -226,18 +225,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
return;
}
- // Skip the query host, type (2 bytes) and class (2 bytes).
char host[PACKETSZ], answer[PACKETSZ];
unsigned char *p = response + sizeof(HEADER);
- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
- if (status < 0) {
+ int status;
+
+ if (ntohs(header->qdcount) == 1) {
+ // Skip the query host, type (2 bytes) and class (2 bytes).
+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
+ if (status < 0) {
+ reply->error = QDnsLookup::InvalidReplyError;
+ reply->errorString = tr("Could not expand domain name");
+ return;
+ }
+ if ((p - response) + status + 4 >= responseLength)
+ header->qdcount = 0xffff; // invalid reply below
+ else
+ p += status + 4;
+ }
+ if (ntohs(header->qdcount) > 1) {
reply->error = QDnsLookup::InvalidReplyError;
- reply->errorString = tr("Could not expand domain name");
+ reply->errorString = tr("Invalid reply received");
return;
}
- p += status + 4;
// Extract results.
+ const int answerCount = ntohs(header->ancount);
int answerIndex = 0;
while ((p < response + responseLength) && (answerIndex < answerCount)) {
status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
@@ -249,6 +261,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
const QString name = QUrl::fromAce(host);
p += status;
+
+ if ((p - response) + 10 > responseLength) {
+ // probably just a truncated reply, return what we have
+ return;
+ }
const quint16 type = (p[0] << 8) | p[1];
p += 2; // RR type
p += 2; // RR class
@@ -256,6 +273,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
p += 4;
const quint16 size = (p[0] << 8) | p[1];
p += 2;
+ if ((p - response) + size > responseLength)
+ return; // truncated
if (type == QDnsLookup::A) {
if (size != 4) {

45
debian/patches/cve-2023-34410-57ba626.diff vendored
Unescape View File

@ -1,45 +0,0 @@
From 57ba6260c0801055b7188fdaa1818b940590f5f1 Mon Sep 17 00:00:00 2001
From: Mårten Nordheim <marten.nordheim@qt.io>
Date: Thu, 25 May 2023 14:40:29 +0200
Subject: [PATCH] Ssl: Copy the on-demand cert loading bool from default config
Otherwise individual sockets will still load system certificates when
a chain doesn't match against the configured CA certificates.
That's not intended behavior, since specifically setting the CA
certificates means you don't want the system certificates to be used.
Follow-up to/amends ada2c573c1a25f8d96577734968fe317ddfa292a
This is potentially a breaking change because now, if you ever add a
CA to the default config, it will disable loading system certificates
on demand for all sockets. And the only way to re-enable it is to
create a null-QSslConfiguration and set it as the new default.
Pick-to: 6.5 6.2 5.15
Change-Id: Ic3b2ab125c0cdd58ad654af1cb36173960ce2d1e
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
---
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 4eefe43..0563fd0 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -1973,6 +1973,10 @@
, flushTriggered(false)
{
QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
+ // If the global configuration doesn't allow root certificates to be loaded
+ // on demand then we have to disable it for this socket as well.
+ if (!configuration.allowRootCertOnDemandLoading)
+ allowRootCertOnDemandLoading = false;
const auto *tlsBackend = tlsBackendInUse();
if (!tlsBackend) {
@@ -2281,6 +2285,7 @@
ptr->sessionProtocol = global->sessionProtocol;
ptr->ciphers = global->ciphers;
ptr->caCertificates = global->caCertificates;
+ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
ptr->protocol = global->protocol;
ptr->peerVerifyMode = global->peerVerifyMode;
ptr->peerVerifyDepth = global->peerVerifyDepth;

275
debian/patches/cve-2023-34410-ada2c57.diff vendored
Unescape View File

@ -1,275 +0,0 @@
From ada2c573c1a25f8d96577734968fe317ddfa292a Mon Sep 17 00:00:00 2001
From: Mårten Nordheim <marten.nordheim@qt.io>
Date: Wed, 10 May 2023 16:43:41 +0200
Subject: [PATCH] Schannel: Reject certificate not signed by a configured CA certificate
Not entirely clear why, but when building the certificate chain for a
peer the system certificate store is searched for root certificates.
General expectation is that after calling
`sslConfiguration.setCaCertificates()` the system certificates will
not be taken into consideration.
To work around this behavior, we do a manual check that the root of the
chain is part of the configured CA certificates.
Pick-to: 6.5 6.2 5.15
Change-Id: I03666a4d9b0eac39ae97e150b4743120611a11b3
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
---
diff --git a/src/plugins/tls/schannel/qtls_schannel.cpp b/src/plugins/tls/schannel/qtls_schannel.cpp
index d72aaa5..ae9ff06 100644
--- a/src/plugins/tls/schannel/qtls_schannel.cpp
+++ b/src/plugins/tls/schannel/qtls_schannel.cpp
@@ -2066,6 +2066,27 @@
verifyDepth = DWORD(q->peerVerifyDepth());
const auto &caCertificates = q->sslConfiguration().caCertificates();
+
+ if (!rootCertOnDemandLoadingAllowed()
+ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
+ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
+ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
+ // When verifying a peer Windows "helpfully" builds a chain that
+ // may include roots from the system store. But we don't want that if
+ // the user has set their own CA certificates.
+ // Since Windows claims this is not a partial chain the root is included
+ // and we have to check that it is one of our configured CAs.
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
+ QSslCertificate certificate = getCertificateFromChainElement(element);
+ if (!caCertificates.contains(certificate)) {
+ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
+ sslErrors += error;
+ emit q->peerVerifyError(error);
+ if (q->state() != QAbstractSocket::ConnectedState)
+ return false;
+ }
+ }
+
QList<QSslCertificate> peerCertificateChain;
for (DWORD i = 0; i < verifyDepth; i++) {
CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
diff --git a/tests/manual/network/ssl/client-auth/CMakeLists.txt b/tests/manual/network/ssl/client-auth/CMakeLists.txt
new file mode 100644
index 0000000..67ecc20
--- /dev/null
+++ b/tests/manual/network/ssl/client-auth/CMakeLists.txt
@@ -0,0 +1,24 @@
+# Copyright (C) 2023 The Qt Company Ltd.
+# SPDX-License-Identifier: BSD-3-Clause
+
+qt_internal_add_manual_test(tst_manual_ssl_client_auth
+ SOURCES
+ tst_manual_ssl_client_auth.cpp
+ LIBRARIES
+ Qt::Network
+)
+
+qt_internal_add_resource(tst_manual_ssl_client_auth "tst_manual_ssl_client_auth"
+ PREFIX
+ "/"
+ FILES
+ "certs/127.0.0.1.pem"
+ "certs/127.0.0.1-key.pem"
+ "certs/127.0.0.1-client.pem"
+ "certs/127.0.0.1-client-key.pem"
+ "certs/accepted-client.pem"
+ "certs/accepted-client-key.pem"
+ "certs/rootCA.pem"
+ BASE
+ "certs"
+)
diff --git a/tests/manual/network/ssl/client-auth/certs/.gitignore b/tests/manual/network/ssl/client-auth/certs/.gitignore
new file mode 100644
index 0000000..5866f7b
--- /dev/null
+++ b/tests/manual/network/ssl/client-auth/certs/.gitignore
@@ -0,0 +1,4 @@
+*
+!/.gitignore
+!/generate.sh
+!/accepted-client.conf
diff --git a/tests/manual/network/ssl/client-auth/certs/accepted-client.conf b/tests/manual/network/ssl/client-auth/certs/accepted-client.conf
new file mode 100644
index 0000000..a88b276
--- /dev/null
+++ b/tests/manual/network/ssl/client-auth/certs/accepted-client.conf
@@ -0,0 +1,14 @@
+[req]
+default_md = sha512
+basicConstraints = CA:FALSE
+extendedKeyUsage = clientAuth
+[req]
+distinguished_name = client_distinguished_name
+prompt = no
+[client_distinguished_name]
+C = NO
+ST = Oslo
+L = Oslo
+O = The Qt Project
+OU = The Qt Project
+CN = Fake Qt Project Client Certificate
diff --git a/tests/manual/network/ssl/client-auth/certs/generate.sh b/tests/manual/network/ssl/client-auth/certs/generate.sh
new file mode 100755
index 0000000..5dbe3b3
--- /dev/null
+++ b/tests/manual/network/ssl/client-auth/certs/generate.sh
@@ -0,0 +1,33 @@
+#!/bin/bash
+# Copyright (C) 2023 The Qt Company Ltd.
+# SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0
+
+# Requires mkcert and openssl
+
+warn () { echo "$@" >&2; }
+die () { warn "$@"; exit 1; }
+
+
+command -v mkcert 1>/dev/null 2>&1 || die "Failed to find mkcert"
+command -v openssl 1>/dev/null 2>&1 || die "Failed to find openssl"
+
+SCRIPT=$(realpath "$0")
+SCRIPTPATH=$(dirname "$SCRIPT")
+
+pushd "$SCRIPTPATH" || die "Unable to pushd to $SCRIPTPATH"
+mkcert 127.0.0.1
+mkcert -client 127.0.0.1
+warn "Remember to run mkcert -install if you haven't already"
+
+# Generate CA
+openssl genrsa -out ca-key.pem 2048
+openssl req -new -x509 -noenc -days 365 -key ca-key.pem -out rootCA.pem
+
+# Generate accepted client certificate
+openssl genrsa -out accepted-client-key.pem 2048
+openssl req -new -sha512 -nodes -key accepted-client-key.pem -out accepted-client.csr -config accepted-client.conf
+openssl x509 -req -sha512 -days 45 -in accepted-client.csr -CA rootCA.pem -CAkey ca-key.pem -CAcreateserial -out accepted-client.pem
+rm accepted-client.csr
+rm rootCA.srl
+
+popd || die "Unable to popd"
diff --git a/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp b/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp
new file mode 100644
index 0000000..2307cbb
--- /dev/null
+++ b/tests/manual/network/ssl/client-auth/tst_manual_ssl_client_auth.cpp
@@ -0,0 +1,118 @@
+// Copyright (C) 2023 The Qt Company Ltd.
+// SPDX-License-Identifier: LicenseRef-Qt-Commercial OR GPL-3.0-only WITH Qt-GPL-exception-1.0
+
+#include <QtCore/qcoreapplication.h>
+
+#include <QtCore/qthread.h>
+#include <QtCore/qfile.h>
+#include <QtCore/qdir.h>
+
+#include <QtNetwork/qsslsocket.h>
+#include <QtNetwork/qsslserver.h>
+#include <QtNetwork/qsslconfiguration.h>
+#include <QtNetwork/qsslkey.h>
+
+// Client and/or server presents a certificate signed by a system-trusted CA
+// but the other side presents a certificate signed by a different CA.
+constexpr bool TestServerPresentsIncorrectCa = false;
+constexpr bool TestClientPresentsIncorrectCa = true;
+
+class ServerThread : public QThread
+{
+ Q_OBJECT
+public:
+ void run() override
+ {
+ QSslServer server;
+
+ QSslConfiguration config = server.sslConfiguration();
+ QList<QSslCertificate> certs = QSslCertificate::fromPath(QStringLiteral(":/rootCA.pem"));
+ config.setCaCertificates(certs);
+ config.setLocalCertificate(QSslCertificate::fromPath(QStringLiteral(":/127.0.0.1.pem"))
+ .first());
+ QFile keyFile(QStringLiteral(":/127.0.0.1-key.pem"));
+ if (!keyFile.open(QIODevice::ReadOnly))
+ qFatal("Failed to open key file");
+ config.setPrivateKey(QSslKey(&keyFile, QSsl::Rsa));
+ config.setPeerVerifyMode(QSslSocket::VerifyPeer);
+ server.setSslConfiguration(config);
+
+ connect(&server, &QSslServer::pendingConnectionAvailable, [&server]() {
+ QSslSocket *socket = static_cast<QSslSocket *>(server.nextPendingConnection());
+ qDebug() << "[s] newConnection" << socket->peerAddress() << socket->peerPort();
+ socket->disconnectFromHost();
+ qApp->quit();
+ });
+ connect(&server, &QSslServer::startedEncryptionHandshake, [](QSslSocket *socket) {
+ qDebug() << "[s] new handshake" << socket->peerAddress() << socket->peerPort();
+ });
+ connect(&server, &QSslServer::errorOccurred,
+ [](QSslSocket *socket, QAbstractSocket::SocketError error) {
+ qDebug() << "[s] errorOccurred" << socket->peerAddress() << socket->peerPort()
+ << error << socket->errorString();
+ });
+ connect(&server, &QSslServer::peerVerifyError,
+ [](QSslSocket *socket, const QSslError &error) {
+ qDebug() << "[s] peerVerifyError" << socket->peerAddress() << socket->peerPort()
+ << error;
+ });
+ server.listen(QHostAddress::LocalHost, 24242);
+
+ exec();
+
+ server.close();
+ }
+};
+
+int main(int argc, char **argv)
+{
+ QCoreApplication app(argc, argv);
+
+ using namespace Qt::StringLiterals;
+
+ if (!QFileInfo(u":/rootCA.pem"_s).exists())
+ qFatal("rootCA.pem not found. Did you run generate.sh in the certs directory?");
+
+ ServerThread serverThread;
+ serverThread.start();
+
+ QSslSocket socket;
+ QSslConfiguration config = socket.sslConfiguration();
+ QString certificatePath;
+ QString keyFileName;
+ if constexpr (TestClientPresentsIncorrectCa) { // true: Present cert signed with incorrect CA: should fail
+ certificatePath = u":/127.0.0.1-client.pem"_s;
+ keyFileName = u":/127.0.0.1-client-key.pem"_s;
+ } else { // false: Use correct CA: should succeed
+ certificatePath = u":/accepted-client.pem"_s;
+ keyFileName = u":/accepted-client-key.pem"_s;
+ }
+ config.setLocalCertificate(QSslCertificate::fromPath(certificatePath).first());
+ if (TestServerPresentsIncorrectCa) // true: Verify server using incorrect CA: should fail
+ config.setCaCertificates(QSslCertificate::fromPath(u":/rootCA.pem"_s));
+ QFile keyFile(keyFileName);
+ if (!keyFile.open(QIODevice::ReadOnly))
+ qFatal("Failed to open key file");
+ config.setPrivateKey(QSslKey(&keyFile, QSsl::Rsa));
+ socket.setSslConfiguration(config);
+
+ QObject::connect(&socket, &QSslSocket::encrypted, []() { qDebug() << "[c] encrypted"; });
+ QObject::connect(&socket, &QSslSocket::errorOccurred,
+ [&socket](QAbstractSocket::SocketError error) {
+ qDebug() << "[c] errorOccurred" << error << socket.errorString();
+ qApp->quit();
+ });
+ QObject::connect(&socket, &QSslSocket::sslErrors, [](const QList<QSslError> &errors) {
+ qDebug() << "[c] sslErrors" << errors;
+ });
+ QObject::connect(&socket, &QSslSocket::connected, []() { qDebug() << "[c] connected"; });
+
+ socket.connectToHostEncrypted(QStringLiteral("127.0.0.1"), 24242);
+
+ const int res = app.exec();
+ serverThread.quit();
+ serverThread.wait();
+ return res;
+}
+
+#include "tst_manual_ssl_client_auth.moc"

15
debian/patches/series vendored
Unescape View File

@ -1,18 +1,3 @@
# fixed in 6.5.2
cve-2023-34410-57ba626.diff
cve-2023-34410-ada2c57.diff
# fixed in 6.5.1
cve-2023-32762.diff
cve-2023-32763.diff
cve-2023-33285.diff
upstream_Add-HPPA-detection.patch
upstream_Add-M68k-detection.patch
upstream_Add-enable-Alpha-detection.patch
# fixed in 6.4.3
cve-2023-24607.patch
# Needs to be fixed upstream.
Add-SH-detection.patch

83
debian/patches/upstream_Add-HPPA-detection.patch vendored
Unescape View File

@ -1,83 +0,0 @@
From e81cba0cd33339c2e5f5e3c670741605264b21c2 Mon Sep 17 00:00:00 2001
From: Pino Toscano <toscano.pino@tiscali.it>
Date: Thu, 6 Oct 2022 23:15:30 +0200
Subject: [PATCH] Add HPPA detection
- detect the HPPA architecture (PA-RISC) and define Q_PROCESSOR_HPPA
- set the right machine type in QElfParser for HPPA ELF files
Change-Id: I5214ce64ef1fdd0ecca3d6c1694c5db9b2852a22
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
---
src/corelib/global/archdetect.cpp | 2 ++
src/corelib/global/qglobal.cpp | 9 +++++++++
src/corelib/global/qprocessordetection.h | 9 +++++++++
src/corelib/plugin/qelfparser_p.cpp | 3 +++
4 files changed, 23 insertions(+)
--- a/src/corelib/global/archdetect.cpp
+++ b/src/corelib/global/archdetect.cpp
@@ -17,6 +17,8 @@
# define ARCH_PROCESSOR "bfin"
#elif defined(Q_PROCESSOR_WASM)
# define ARCH_PROCESSOR "wasm"
+#elif defined(Q_PROCESSOR_HPPA)
+# define ARCH_PROCESSOR "hppa"
#elif defined(Q_PROCESSOR_X86_32)
# define ARCH_PROCESSOR "i386"
#elif defined(Q_PROCESSOR_X86_64)
--- a/src/corelib/global/qprocessordetection.h
+++ b/src/corelib/global/qprocessordetection.h
@@ -140,6 +140,15 @@
// # define Q_BYTE_ORDER Q_LITTLE_ENDIAN
/*
+ PA-RISC family, no revisions or variants
+
+ PA-RISC is big-endian.
+*/
+#elif defined(__hppa__)
+# define Q_PROCESSOR_HPPA
+# define Q_BYTE_ORDER Q_BIG_ENDIAN
+
+/*
X86 family, known variants: 32- and 64-bit
X86 is little-endian.
--- a/src/corelib/plugin/qelfparser_p.cpp
+++ b/src/corelib/plugin/qelfparser_p.cpp
@@ -118,6 +118,8 @@ struct ElfMachineCheck
EM_AARCH64
#elif defined(Q_PROCESSOR_BLACKFIN)
EM_BLACKFIN
+#elif defined(Q_PROCESSOR_HPPA)
+ EM_PARISC
#elif defined(Q_PROCESSOR_IA64)
EM_IA_64
#elif defined(Q_PROCESSOR_MIPS)
@@ -383,6 +385,7 @@ Q_DECL_UNUSED Q_DECL_COLD_FUNCTION stati
#endif
case EM_IA_64: d << ", IA-64"; break;
case EM_MIPS: d << ", MIPS"; break;
+ case EM_PARISC: d << ", HPPA"; break;
case EM_PPC: d << ", PowerPC"; break;
case EM_PPC64: d << ", PowerPC 64-bit"; break;
#ifdef EM_RISCV
--- a/src/corelib/global/qglobal.cpp
+++ b/src/corelib/global/qglobal.cpp
@@ -1791,6 +1791,15 @@ bool qSharedBuild() noexcept
*/
/*!
+ \macro Q_PROCESSOR_HPPA
+ \relates <QtGlobal>
+
+ Defined if the application is compiled for PA-RISC processors.
+
+ \sa QSysInfo::buildCpuArchitecture()
+*/
+
+/*!
\macro Q_PROCESSOR_IA64
\relates <QtGlobal>

84
debian/patches/upstream_Add-M68k-detection.patch vendored
Unescape View File

@ -1,84 +0,0 @@
From ac17a394a5701174c705050640e26c9cb95d289b Mon Sep 17 00:00:00 2001
From: Pino Toscano <toscano.pino@tiscali.it>
Date: Thu, 6 Oct 2022 23:17:57 +0200
Subject: [PATCH] Add M68k detection
- detect the M68k architecture (Motorola 68000) and define
Q_PROCESSOR_M68K
- set the right machine type in QElfParser for M68k ELF files
Change-Id: Ie5694abbe1ae2bfeb5692defba0ca6062c1d60ac
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
---
src/corelib/global/archdetect.cpp | 2 ++
src/corelib/global/qglobal.cpp | 9 +++++++++
src/corelib/global/qprocessordetection.h | 9 +++++++++
src/corelib/plugin/qelfparser_p.cpp | 3 +++
4 files changed, 23 insertions(+)
--- a/src/corelib/global/archdetect.cpp
+++ b/src/corelib/global/archdetect.cpp
@@ -25,6 +25,8 @@
# define ARCH_PROCESSOR "x86_64"
#elif defined(Q_PROCESSOR_IA64)
# define ARCH_PROCESSOR "ia64"
+#elif defined(Q_PROCESSOR_M68K)
+# define ARCH_PROCESSOR "m68k"
#elif defined(Q_PROCESSOR_MIPS_64)
# define ARCH_PROCESSOR "mips64"
#elif defined(Q_PROCESSOR_MIPS)
--- a/src/corelib/global/qprocessordetection.h
+++ b/src/corelib/global/qprocessordetection.h
@@ -197,6 +197,15 @@
// Q_BYTE_ORDER not defined, use endianness auto-detection
/*
+ Motorola 68000 family, no revisions or variants
+
+ M68K is big-endian.
+*/
+#elif defined(__m68k__)
+# define Q_PROCESSOR_M68K
+# define Q_BYTE_ORDER Q_BIG_ENDIAN
+
+/*
MIPS family, known revisions: I, II, III, IV, 32, 64
MIPS is bi-endian, use endianness auto-detection implemented below.
--- a/src/corelib/plugin/qelfparser_p.cpp
+++ b/src/corelib/plugin/qelfparser_p.cpp
@@ -122,6 +122,8 @@ struct ElfMachineCheck
EM_PARISC
#elif defined(Q_PROCESSOR_IA64)
EM_IA_64
+#elif defined(Q_PROCESSOR_M68K)
+ EM_68K
#elif defined(Q_PROCESSOR_MIPS)
EM_MIPS
#elif defined(Q_PROCESSOR_POWER_32)
@@ -378,6 +380,7 @@ Q_DECL_UNUSED Q_DECL_COLD_FUNCTION stati
switch (r.machine) {
// list definitely not exhaustive!
case EM_NONE: d << ", no machine"; break;
+ case EM_68K: d << ", MC68000"; break;
case EM_ARM: d << ", ARM"; break;
case EM_AARCH64: d << ", AArch64"; break;
#ifdef EM_BLACKFIN
--- a/src/corelib/global/qglobal.cpp
+++ b/src/corelib/global/qglobal.cpp
@@ -1810,6 +1810,15 @@ bool qSharedBuild() noexcept
*/
/*!
+ \macro Q_PROCESSOR_M68K
+ \relates <QtGlobal>
+
+ Defined if the application is compiled for Motorola 68000 processors.
+
+ \sa QSysInfo::buildCpuArchitecture()
+*/
+
+/*!
\macro Q_PROCESSOR_MIPS
\relates <QtGlobal>

62
debian/patches/upstream_Add-enable-Alpha-detection.patch vendored
Unescape View File

@ -1,62 +0,0 @@
From eeb66b99df521c4a32b8eda1d889f615319355a6 Mon Sep 17 00:00:00 2001
From: Pino Toscano <toscano.pino@tiscali.it>
Date: Tue, 15 Nov 2022 07:15:44 +0100
Subject: [PATCH] Add/enable Alpha detection
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
- uncomment the Alpha detection defining Q_PROCESSOR_ALPHA, which is
already used/documented in few places
- set the right machine type in QElfParser for Alpha ELF files
Pick-to: 6.5
Change-Id: I072bdee8b73ad3c86591c764aa7075c114967fd9
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com>
---
src/corelib/global/qprocessordetection.h | 6 +++---
src/corelib/plugin/qelfparser_p.cpp | 3 +++
2 files changed, 6 insertions(+), 3 deletions(-)
--- a/src/corelib/global/qprocessordetection.h
+++ b/src/corelib/global/qprocessordetection.h
@@ -48,8 +48,8 @@
Alpha is bi-endian, use endianness auto-detection implemented below.
*/
-// #elif defined(__alpha__) || defined(_M_ALPHA)
-// # define Q_PROCESSOR_ALPHA
+#if defined(__alpha__) || defined(_M_ALPHA)
+# define Q_PROCESSOR_ALPHA
// Q_BYTE_ORDER not defined, use endianness auto-detection
/*
@@ -58,7 +58,7 @@
ARM is bi-endian, detect using __ARMEL__ or __ARMEB__, falling back to
auto-detection implemented below.
*/
-#if defined(__arm__) || defined(__TARGET_ARCH_ARM) || defined(_M_ARM) || defined(_M_ARM64) || defined(__aarch64__) || defined(__ARM64__)
+#elif defined(__arm__) || defined(__TARGET_ARCH_ARM) || defined(_M_ARM) || defined(_M_ARM64) || defined(__aarch64__) || defined(__ARM64__)
# if defined(__aarch64__) || defined(__ARM64__) || defined(_M_ARM64)
# define Q_PROCESSOR_ARM_64
# define Q_PROCESSOR_WORDSIZE 8
--- a/src/corelib/plugin/qelfparser_p.cpp
+++ b/src/corelib/plugin/qelfparser_p.cpp
@@ -112,6 +112,8 @@ struct ElfMachineCheck
static const Elf32_Half ExpectedMachine =
#if 0
// nothing
+#elif defined(Q_PROCESSOR_ALPHA)
+ EM_ALPHA
#elif defined(Q_PROCESSOR_ARM_32)
EM_ARM
#elif defined(Q_PROCESSOR_ARM_64)
@@ -380,6 +382,7 @@ Q_DECL_UNUSED Q_DECL_COLD_FUNCTION stati
switch (r.machine) {
// list definitely not exhaustive!
case EM_NONE: d << ", no machine"; break;
+ case EM_ALPHA: d << ", Alpha"; break;
case EM_68K: d << ", MC68000"; break;
case EM_ARM: d << ", ARM"; break;
case EM_AARCH64: d << ", AArch64"; break;
Write Preview
Loading…
Cancel
Save