commit: 4168c2e8b862c51c9ddb9dd52d48ced57ba9e310 Author: Anna “CyberTailor” <cyber <AT> sysrq <DOT> in> AuthorDate: Sun Jun 11 08:40:06 2023 +0000 Commit: orbea <orbea <AT> riseup <DOT> net> CommitDate: Tue Jun 13 03:25:21 2023 +0000 URL: https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=4168c2e8
dev-qt/qtbase: drop 6.5.0, add 6.5.1 Signed-off-by: Anna “CyberTailor” <cyber <AT> sysrq.in> Closes: https://github.com/gentoo/libressl/pull/531 Signed-off-by: orbea <orbea <AT> riseup.net> dev-qt/qtbase/Manifest | 2 +- .../qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch | 54 ---------------------- ...-6.5.0-setActiveWindow-deprecated-version.patch | 35 -------------- .../qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch | 54 ++++++++++++++++++++++ ...base-6.5.0-r3.ebuild => qtbase-6.5.1-r1.ebuild} | 7 ++- 5 files changed, 58 insertions(+), 94 deletions(-)
diff --git a/dev-qt/qtbase/Manifest b/dev-qt/qtbase/Manifest
index 6b955e5..3c5bf4d 100644
--- a/dev-qt/qtbase/Manifest
+++ b/dev-qt/qtbase/Manifest
@@ -1 +1 @@
-DIST qtbase-everywhere-src-6.5.0.tar.xz 48020636 BLAKE2B 234000eeb6e1b57a1c7561613bf437453fc2db0d23d5ddd61c38961311a7de5263c086864554aff7a0bc1e5a406af78ef8342eed3c8a5f48b9237912614f380b SHA512 29f70b9a9650afdd8e34703a7a8191feab4c3a25d0bc3a41010ea842389335b24e2685721fdb4a03653475ebd9bf8a8e4f4a77bf5d64b1289590b5ca0e4623f3
+DIST qtbase-everywhere-src-6.5.1.tar.xz 48287392 BLAKE2B 47872492f21a936d980891c28df61591380bc236adc66b57a90fbb87dd292cdeb3c632fb1159231ba40142d25e02944e4c5e8568153f1286e0a1abc8c5b26699 SHA512 7f7b20bbc25cda65266d6067cdd68e3e077636988d67dbf5783f79a61186135fb3a36d57ac72cfe4501012035b630ab1f5849148e4817726d4f459fa1937e91a
diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch
deleted file mode 100644
index 3574706..0000000
--- a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch
+++ /dev/null
@@ -1,54 +0,0 @@ -From eae7c36d681acfb82572b56e24bbb2cd42242e57 Mon Sep 17 00:00:00 2001 -From: =?utf8?q?M=C3=A5rten=20Nordheim?= <[email protected]> -Date: Fri, 5 May 2023 11:07:26 +0200 -Subject: [PATCH] Hsts: match header names case insensitively - -Header field names are always considered to be case-insensitive. - -Fixes: QTBUG-113392 -Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43 -Reviewed-by: Qt CI Bot <[email protected]> -Reviewed-by: Edward Welbourne <[email protected]> -Reviewed-by: Volker Hilsheimer <[email protected]> -(cherry picked from commit 1b736a815be0222f4b24289cf17575fc15707305) -Reviewed-by: Qt Cherry-pick Bot <[email protected]> ---- - src/network/access/qhsts.cpp | 4 ++-- - tests/auto/network/access/hsts/tst_qhsts.cpp | 6 ++++++ - 2 files changed, 8 insertions(+), 2 deletions(-) - -diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp -index 39905f354807..82deede17298 100644 ---- a/src/network/access/qhsts.cpp -+++ b/src/network/access/qhsts.cpp -@@ -327,8 +327,8 @@ quoted-pair = "\" CHAR - bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers) - { - for (const auto &h : headers) { -- // We use '==' since header name was already 'trimmed' for us: -- if (h.first == "Strict-Transport-Security") { -+ // We compare directly because header name was already 'trimmed' for us: -+ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) { - header = h.second; - // RFC6797, 8.1: - // -diff --git a/tests/auto/network/access/hsts/tst_qhsts.cpp b/tests/auto/network/access/hsts/tst_qhsts.cpp -index 252f5e8f5792..97a2d2889e57 100644 ---- a/tests/auto/network/access/hsts/tst_qhsts.cpp -+++ b/tests/auto/network/access/hsts/tst_qhsts.cpp -@@ -216,6 +216,12 @@ void tst_QHsts::testSTSHeaderParser() - QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc()); - QVERIFY(parser.includeSubDomains()); - -+ list.pop_back(); -+ list << Header("strict-transport-security", 
"includeSubDomains;max-age=1000"); -+ QVERIFY(parser.parse(list)); -+ QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc()); -+ QVERIFY(parser.includeSubDomains()); -+ - list.pop_back(); - // Invalid (includeSubDomains twice): - list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains"); --- -2.16.3 - diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-setActiveWindow-deprecated-version.patch b/dev-qt/qtbase/files/qtbase-6.5.0-setActiveWindow-deprecated-version.patch deleted file mode 100644 index 0ba60e0..0000000 --- a/dev-qt/qtbase/files/qtbase-6.5.0-setActiveWindow-deprecated-version.patch +++ /dev/null @@ -1,35 +0,0 @@ -Upstream commit: https://code.qt.io/cgit/qt/qtbase.git/commit/?h=6.5&id=bbb330c95fd - -From bbb330c95fdf6161b23227cb08cec58cca31e465 Mon Sep 17 00:00:00 2001 -From: Nicolas Fella <[email protected]> -Date: Tue, 14 Mar 2023 19:14:41 +0100 -Subject: QApplication: Fix DEPRECATED_VERSION for setActiveWindow - -It's not deprecated in 6.4, only 6.5 - -Change-Id: I86a09b9ce5a7f4d8b1d80a6e67218dfe00f93844 -Reviewed-by: Volker Hilsheimer <[email protected]> -(cherry picked from commit 99975ec07feb6b1a9f6be9e0d392a35e40f9550a) -Reviewed-by: Qt Cherry-pick Bot <[email protected]> ---- - src/widgets/kernel/qapplication.h | 4 ++-- - 1 file changed, 2 insertions(+), 2 deletions(-) - -diff --git a/src/widgets/kernel/qapplication.h b/src/widgets/kernel/qapplication.h -index c4c73d4cf8..fd698fb69f 100644 ---- a/src/widgets/kernel/qapplication.h -+++ b/src/widgets/kernel/qapplication.h -@@ -79,8 +79,8 @@ public: - - static QWidget *activeWindow(); - --#if QT_DEPRECATED_SINCE(6,4) -- QT_DEPRECATED_VERSION_X_6_4("Use QWidget::activateWindow() instead.") -+#if QT_DEPRECATED_SINCE(6, 5) -+ QT_DEPRECATED_VERSION_X_6_5("Use QWidget::activateWindow() instead.") - static void setActiveWindow(QWidget* act); - #endif - --- -cgit v1.2.3 - 
diff --git a/dev-qt/qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch b/dev-qt/qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch
new file mode 100644
index 0000000..6f12647
--- /dev/null
+++ b/dev-qt/qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch
@@ -0,0 +1,54 @@
+From: https://lists.qt-project.org/pipermail/development/2023-June/044031.html
+
+--- a/src/plugins/tls/schannel/qtls_schannel.cpp
++++ b/src/plugins/tls/schannel/qtls_schannel.cpp
+@@ -2106,6 +2106,27 @@ bool TlsCryptographSchannel::verifyCertContext(CERT_CONTEXT *certContext)
+ verifyDepth = DWORD(q->peerVerifyDepth());
+
+ const auto &caCertificates = q->sslConfiguration().caCertificates();
++
++ if (!rootCertOnDemandLoadingAllowed()
++ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
++ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
++ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
++ // When verifying a peer Windows "helpfully" builds a chain that
++ // may include roots from the system store. But we don't want that if
++ // the user has set their own CA certificates.
++ // Since Windows claims this is not a partial chain the root is included
++ // and we have to check that it is one of our configured CAs.
++ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
++ QSslCertificate certificate = getCertificateFromChainElement(element);
++ if (!caCertificates.contains(certificate)) {
++ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
++ sslErrors += error;
++ emit q->peerVerifyError(error);
++ if (q->state() != QAbstractSocket::ConnectedState)
++ return false;
++ }
++ }
++
+ QList<QSslCertificate> peerCertificateChain;
+ for (DWORD i = 0; i < verifyDepth; i++) {
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -1973,6 +1973,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+ , flushTriggered(false)
+ {
+ QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++ // If the global configuration doesn't allow root certificates to be loaded
++ // on demand then we have to disable it for this socket as well.
++ if (!configuration.allowRootCertOnDemandLoading)
++ allowRootCertOnDemandLoading = false;
+
+ const auto *tlsBackend = tlsBackendInUse();
+ if (!tlsBackend) {
+@@ -2281,6 +2285,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+ ptr->sessionProtocol = global->sessionProtocol;
+ ptr->ciphers = global->ciphers;
+ ptr->caCertificates = global->caCertificates;
++ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+ ptr->protocol = global->protocol;
+ ptr->peerVerifyMode = global->peerVerifyMode;
+ ptr->peerVerifyDepth = global->peerVerifyDepth;
diff --git a/dev-qt/qtbase/qtbase-6.5.0-r3.ebuild b/dev-qt/qtbase/qtbase-6.5.1-r1.ebuild
similarity index 96%
rename from dev-qt/qtbase/qtbase-6.5.0-r3.ebuild
rename to dev-qt/qtbase/qtbase-6.5.1-r1.ebuild
index 8f12328..fde9d03 100644
--- a/dev-qt/qtbase/qtbase-6.5.0-r3.ebuild
+++ b/dev-qt/qtbase/qtbase-6.5.1-r1.ebuild
@@ -22,7 +22,7 @@ REQUIRED_USE="
 QTGUI_IUSE="accessibility egl eglfs evdev gles2-only +jpeg +libinput tslib tuio vulkan +X"
 QTNETWORK_IUSE="brotli gssapi libproxy sctp +ssl vnc"
 QTSQL_IUSE="freetds mysql oci8 odbc postgres +sqlite"
-IUSE+=" ${QTGUI_IUSE} ${QTNETWORK_IUSE} ${QTSQL_IUSE} cups gtk icu systemd +udev"
+IUSE+=" ${QTGUI_IUSE} ${QTNETWORK_IUSE} ${QTSQL_IUSE} cups gtk icu systemd +udev wayland"
 # QtPrintSupport = QtGui + QtWidgets enabled.
 # ibus = xkbcommon + dbus, and xkbcommon needs either libinput or X
 REQUIRED_USE+="
@@ -102,12 +102,11 @@ DEPEND="
 zstd? ( app-arch/zstd:= )
 "
 RDEPEND="${DEPEND}"
+PDEPEND="wayland? ( =dev-qt/qtwayland-${PV}* )"
 PATCHES=(
 "${FILESDIR}/${PN}-6.5.0-libressl.patch"
- "${FILESDIR}/${PN}-6.5.0-setActiveWindow-deprecated-version.patch"
- "${FILESDIR}/${PN}-6.5.0-CVE-2023-32762.patch"
- "${FILESDIR}/${PN}-6.5.0-CVE-2023-33285.patch"
+ "${FILESDIR}/${PN}-6.5.1-CVE-2023-34410.patch"
 )
 src_configure() {
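Review bot: The added qtbase-6.5.1-CVE-2023-34410.patch records its origin only as a mailing-list URL in the `From:` line, so nothing in the file ties its two embedded changes to upstream commits that a later bump could check against. I would extend the header with a one-line description and the upstream commit ids or Change-Ids (not shown on this page), for example `Fix for CVE-2023-34410; upstream commits: <COMMIT_ID_PLACEHOLDER>; drop when the packaged release contains them`. Judging by its path, the first embedded file is the Schannel TLS plugin, which is presumably not built for this package, so the effective change here would be the two qsslsocket.cpp hunks that carry `allowRootCertOnDemandLoading` over from the global configuration; saying so in the header would help whoever rebases the patch. The embedded hunks cut through verifyCertContext(), the QSslSocketPrivate constructor and deepCopyDefaultConfiguration(), whose bodies continue outside what is shown.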
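Review bot: PATCHES stops applying `${PN}-6.5.0-CVE-2023-32762.patch` and `${PN}-6.5.0-CVE-2023-33285.patch`, yet neither the commit message nor the ebuild records that 6.5.1 already contains those fixes. Presumably it does, but a security patch should not be dropped without that being stated. Once confirmed against the 6.5.1 sources, a comment above the array such as `# CVE-2023-32762 and CVE-2023-33285 fixes are included in 6.5.1` would make the removal auditable. The diffstat also shows the 32762 patch file being deleted but not the 33285 one, so that file may be left unreferenced in files/ unless another ebuild still uses it.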
