commit:     bfa63407717e18916b47899d9380f569479b45e4
Author:     orbea <orbea <AT> riseup <DOT> net>
AuthorDate: Tue Jun 13 03:42:01 2023 +0000
Commit:     orbea <orbea <AT> riseup <DOT> net>
CommitDate: Tue Jun 13 03:42:01 2023 +0000
URL:        https://gitweb.gentoo.org/repo/proj/libressl.git/commit/?id=bfa63407

dev-qt/qtnetwork: add 5.15.9-r3

Signed-off-by: orbea <orbea <AT> riseup.net>

 .../files/qtnetwork-5.15.9-CVE-2023-34410.patch    | 113 +++++++++++++++++++++
 dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild        |  83 +++++++++++++++
 2 files changed, 196 insertions(+)

diff --git a/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch 
b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch
new file mode 100644
index 0000000..3c91452
--- /dev/null
+++ b/dev-qt/qtnetwork/files/qtnetwork-5.15.9-CVE-2023-34410.patch
@@ -0,0 +1,113 @@
+From 51a3c8d7b8140f0bf6912d14a58bcd0092b868a1 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <[email protected]>
+Date: Wed, 10 May 2023 16:43:41 +0200
+Subject: [PATCH 1/2] Schannel: Reject certificate not signed by a configured
+ CA certificate
+
+Not entirely clear why, but when building the certificate chain for a
+peer the system certificate store is searched for root certificates.
+General expectation is that after calling
+`sslConfiguration.setCaCertificates()` the system certificates will
+not be taken into consideration.
+
+To work around this behavior, we do a manual check that the root of the
+chain is part of the configured CA certificates.
+
+Pick-to: 6.5 6.2 5.15
+Change-Id: I03666a4d9b0eac39ae97e150b4743120611a11b3
+Reviewed-by: Edward Welbourne <[email protected]>
+Reviewed-by: Volker Hilsheimer <[email protected]>
+(cherry picked from commit ada2c573c1a25f8d96577734968fe317ddfa292a)
+---
+ src/network/ssl/qsslsocket_schannel.cpp | 22 ++++++++++++++++++++++
+ 1 file changed, 22 insertions(+)
+
+diff --git a/src/network/ssl/qsslsocket_schannel.cpp 
b/src/network/ssl/qsslsocket_schannel.cpp
+index c956ce3c2b..d1b23af29b 100644
+--- a/src/network/ssl/qsslsocket_schannel.cpp
++++ b/src/network/ssl/qsslsocket_schannel.cpp
+@@ -1880,6 +1880,28 @@ bool 
QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
+     if (configuration.peerVerifyDepth > 0 && 
DWORD(configuration.peerVerifyDepth) < verifyDepth)
+         verifyDepth = DWORD(configuration.peerVerifyDepth);
+ 
++    const auto &caCertificates = q->sslConfiguration().caCertificates();
++
++    if (!rootCertOnDemandLoadingAllowed()
++            && !(chain->TrustStatus.dwErrorStatus & 
CERT_TRUST_IS_PARTIAL_CHAIN)
++            && (q->peerVerifyMode() == QSslSocket::VerifyPeer
++                    || (isClient && q->peerVerifyMode() == 
QSslSocket::AutoVerifyPeer))) {
++        // When verifying a peer Windows "helpfully" builds a chain that
++        // may include roots from the system store. But we don't want that if
++        // the user has set their own CA certificates.
++        // Since Windows claims this is not a partial chain the root is 
included
++        // and we have to check that it is one of our configured CAs.
++        CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
++        QSslCertificate certificate = getCertificateFromChainElement(element);
++        if (!caCertificates.contains(certificate)) {
++            auto error = QSslError(QSslError::CertificateUntrusted, 
certificate);
++            sslErrors += error;
++            emit q->peerVerifyError(error);
++            if (q->state() != QAbstractSocket::ConnectedState)
++                return false;
++        }
++    }
++
+     for (DWORD i = 0; i < verifyDepth; i++) {
+         CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+         QSslCertificate certificate = getCertificateFromChainElement(element);
+-- 
+2.41.0
+
+
+From a933f89e1f69b97ccb9d1e5f82d9a619c02afcd2 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <[email protected]>
+Date: Thu, 25 May 2023 14:40:29 +0200
+Subject: [PATCH 2/2] Ssl: Copy the on-demand cert loading bool from default
+ config
+
+Otherwise individual sockets will still load system certificates when
+a chain doesn't match against the configured CA certificates.
+That's not intended behavior, since specifically setting the CA
+certificates means you don't want the system certificates to be used.
+
+Follow-up to/amends ada2c573c1a25f8d96577734968fe317ddfa292a
+
+This is potentially a breaking change because now, if you ever add a
+CA to the default config, it will disable loading system certificates
+on demand for all sockets. And the only way to re-enable it is to
+create a null-QSslConfiguration and set it as the new default.
+
+Pick-to: 6.5 6.2 5.15
+Change-Id: Ic3b2ab125c0cdd58ad654af1cb36173960ce2d1e
+Reviewed-by: Timur Pocheptsov <[email protected]>
+(cherry picked from commit 57ba6260c0801055b7188fdaa1818b940590f5f1)
+---
+ src/network/ssl/qsslsocket.cpp | 5 +++++
+ 1 file changed, 5 insertions(+)
+
+diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
+index 5bb6e7ee4a..2a0b3a4f1d 100644
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+     , flushTriggered(false)
+ {
+     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++    // If the global configuration doesn't allow root certificates to be 
loaded
++    // on demand then we have to disable it for this socket as well.
++    if (!configuration.allowRootCertOnDemandLoading)
++        allowRootCertOnDemandLoading = false;
+ }
+ 
+ /*!
+@@ -2470,6 +2474,7 @@ void 
QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+     ptr->sessionProtocol = global->sessionProtocol;
+     ptr->ciphers = global->ciphers;
+     ptr->caCertificates = global->caCertificates;
++    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+     ptr->protocol = global->protocol;
+     ptr->peerVerifyMode = global->peerVerifyMode;
+     ptr->peerVerifyDepth = global->peerVerifyDepth;
+-- 
+2.41.0
+
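Review bot: `CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];` indexes with a DWORD that wraps to 0xFFFFFFFF when cElement is 0, and the enclosing condition only excludes partial chains; whether verifyCertContext already rejects an empty chain is not visible here, since the function starts before the hunk and continues after it. If it does not, folding `chain->cElement > 0` into the enclosing `if` (or an explicit guard that records an error before the root lookup) would keep the new root check from reading past rgpElement. The code is an upstream cherry-pick of ada2c573c1a25f8d96577734968fe317ddfa292a applied verbatim by the ebuild, so any such guard belongs upstream rather than in this backport file.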

diff --git a/dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild 
b/dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild
new file mode 100644
index 0000000..a166a59
--- /dev/null
+++ b/dev-qt/qtnetwork/qtnetwork-5.15.9-r3.ebuild
@@ -0,0 +1,83 @@
+# Copyright 1999-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+if [[ ${PV} != *9999* ]]; then
+       QT5_KDEPATCHSET_REV=1
+       KEYWORDS="~amd64 ~arm ~arm64 ~hppa ~loong ~ppc ~ppc64 ~riscv ~sparc 
~x86"
+fi
+
+QT5_MODULE="qtbase"
+inherit qt5-build
+
+DESCRIPTION="Network abstraction library for the Qt5 framework"
+
+IUSE="connman gssapi libproxy networkmanager sctp +ssl"
+
+DEPEND="
+       =dev-qt/qtcore-${QT5_PV}*:5=
+       sys-libs/zlib:=
+       connman? ( =dev-qt/qtdbus-${QT5_PV}* )
+       gssapi? ( virtual/krb5 )
+       libproxy? ( net-libs/libproxy )
+       networkmanager? ( =dev-qt/qtdbus-${QT5_PV}* )
+       sctp? ( kernel_linux? ( net-misc/lksctp-tools ) )
+       ssl? ( >=dev-libs/openssl-1.1.1:0= )
+"
+RDEPEND="${DEPEND}
+       connman? ( net-misc/connman )
+       networkmanager? ( net-misc/networkmanager )
+"
+
+PATCHES=(
+       "${FILESDIR}/${PN}-5.15.7-libressl.patch" #562050
+       "${FILESDIR}/${P}-QDnsLookup-dont-overflow-the-buffer.patch"
+       "${FILESDIR}/${P}-CVE-2023-32762.patch"
+       "${FILESDIR}/${P}-libproxy-0.5-pkgconfig.patch"
+       "${FILESDIR}/${P}-CVE-2023-34410.patch"
+)
+
+QT5_TARGET_SUBDIRS=(
+       src/network
+       src/plugins/bearer/generic
+)
+
+QT5_GENTOO_CONFIG=(
+       libproxy:libproxy:
+       ssl::SSL
+       ssl::OPENSSL
+       ssl:openssl-linked:LINKED_OPENSSL
+)
+
+QT5_GENTOO_PRIVATE_CONFIG=(
+       :network
+)
+
+pkg_setup() {
+       use connman && QT5_TARGET_SUBDIRS+=(src/plugins/bearer/connman)
+       use networkmanager && 
QT5_TARGET_SUBDIRS+=(src/plugins/bearer/networkmanager)
+}
+
+src_configure() {
+       local myconf=(
+               $(usev connman -dbus-linked)
+               $(qt_use gssapi feature-gssapi)
+               $(qt_use libproxy)
+               $(usev networkmanager -dbus-linked)
+               $(qt_use sctp)
+               $(usev ssl -openssl-linked)
+               -no-dtls # Required for libressl
+       )
+       qt5-build_src_configure
+}
+
+src_install() {
+       qt5-build_src_install
+
+       # workaround for bug 652650
+       if use ssl; then
+               sed -e "/^#define QT_LINKED_OPENSSL/s/$/ true/" \
+                       -i "${D}${QT5_HEADERDIR}"/Gentoo/${PN}-qconfig.h || die
+       fi
+}
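Review bot: The new `"${FILESDIR}/${P}-CVE-2023-34410.patch"` entry in PATCHES carries no comment on its scope, unlike the `#562050` reference on the libressl patch above it. Of the two upstream patches bundled in that file, the first touches only `src/network/ssl/qsslsocket_schannel.cpp`, a Windows TLS backend that is presumably not compiled in this `-openssl-linked` build, so the effective change for this ebuild is the `allowRootCertOnDemandLoading` propagation in `qsslsocket.cpp`. A short comment such as `# CVE-2023-34410; only the qsslsocket.cpp hunk applies to the OpenSSL backend` beside the entry would save the next maintainer from re-deriving that.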
