authorV3n3RiX <venerix@koprulu.sector>2023-06-10 15:51:39 +0100
committerV3n3RiX <venerix@koprulu.sector>2023-06-10 15:51:39 +0100
commit42e82780761e75f17a5cc96626558a297782f385 (patch)
tree45425190df4e3cbf429fd2b0834f320d51fd6579 /dev-qt/qtbase
parent3d00647fec2600e217d690a64ba45a41f1a2fa0c (diff)
gentoo auto-resync : 10:06:2023 - 15:51:39
Diffstat (limited to 'dev-qt/qtbase')
-rw-r--r--dev-qt/qtbase/Manifest8
-rw-r--r--dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch54
-rw-r--r--dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch101
-rw-r--r--dev-qt/qtbase/files/qtbase-6.5.0-setActiveWindow-deprecated-version.patch35
-rw-r--r--dev-qt/qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch54
-rw-r--r--dev-qt/qtbase/qtbase-6.5.1.ebuild (renamed from dev-qt/qtbase/qtbase-6.5.0-r3.ebuild)6
6 files changed, 58 insertions, 200 deletions
diff --git a/dev-qt/qtbase/Manifest b/dev-qt/qtbase/Manifest
index 29e80d7ee5e6..def4801572f2 100644
--- a/dev-qt/qtbase/Manifest
+++ b/dev-qt/qtbase/Manifest
@@ -1,6 +1,4 @@
-AUX qtbase-6.5.0-CVE-2023-32762.patch 2425 BLAKE2B 3a69063ebf4e94debe19eb97747e7fcbae626177ae265d44a4cca5576584192b6d878d65241dbc2c6e791ae8e7163835d274bc3387fe4035901a8d7c9e14470a SHA512 6631f772416fdd1d870fc98377617003d892e100357995b540d9e6abb5fedc9620a69042d8ba64fa72f3c03728a084e04cf8bf6256ba02dde8236060de9bfa79
-AUX qtbase-6.5.0-CVE-2023-33285.patch 4119 BLAKE2B cb1cb7e9a5feebc56e9e6c0707bef0eba45574d2e4a41f46a7735ffcf94c5c3db6c6a9531cb50074466888582e02eb353f48f79e82ed3e60b167f14d63cf059a SHA512 a2e4e75a1cefc83ac3deeac9e55d20bc9dfe79b7fc738863b88320f49d0de4362a8f3e05269e61b3e675b77d7a728254903fdda2ebd19a2b7b93a43e4674cfe4
-AUX qtbase-6.5.0-setActiveWindow-deprecated-version.patch 1237 BLAKE2B 5a0dee47bded6460d4643964b54bcccde2a286b6d8ffe6201781814fe6a19f2ec5d07c91bdda68004cc5a516e74a7437fba4959326d150d93ece9e834756d2ba SHA512 019d88b27295a62087f27c655afced7f59576bcb2faa8c791a303f8254d359fa006f6a2aafd665812c646c535665783cc2b1a0dfa26043407122ef462b260d06
-DIST qtbase-everywhere-src-6.5.0.tar.xz 48020636 BLAKE2B 234000eeb6e1b57a1c7561613bf437453fc2db0d23d5ddd61c38961311a7de5263c086864554aff7a0bc1e5a406af78ef8342eed3c8a5f48b9237912614f380b SHA512 29f70b9a9650afdd8e34703a7a8191feab4c3a25d0bc3a41010ea842389335b24e2685721fdb4a03653475ebd9bf8a8e4f4a77bf5d64b1289590b5ca0e4623f3
-EBUILD qtbase-6.5.0-r3.ebuild 5141 BLAKE2B f854b8898d8badde636833732fb1e4a5497d7be6f539b17296d62e3a5de6f76d935f8cce1cbdf530eaae217a974857f8ca22969975368627955975f69530a4ab SHA512 6e59666648f738ded48583135a299773c13a5fe8106f613b3ceac526e43cdcca641b7118edd25348d1341e8ec582ec565e1fba96522269ac22e3c80f05a7c38b
+AUX qtbase-6.5.1-CVE-2023-34410.patch 2731 BLAKE2B a0b894782aad05e904e76112391df4895606fa95cdd6365bdfcf5096be769750c4e3c5a331a43498d5a4c84b712a4df595eb4c629fa47e458fda6475c7ff8451 SHA512 eb19ff548835ca208d1209fc8c712dfb2cca91170b23535e87879e843d599bf5d4939b2f3d9c47ef73c238ff8c939f6fd85f0b5300ee97457a4bae76d0d29f67
+DIST qtbase-everywhere-src-6.5.1.tar.xz 48287392 BLAKE2B 47872492f21a936d980891c28df61591380bc236adc66b57a90fbb87dd292cdeb3c632fb1159231ba40142d25e02944e4c5e8568153f1286e0a1abc8c5b26699 SHA512 7f7b20bbc25cda65266d6067cdd68e3e077636988d67dbf5783f79a61186135fb3a36d57ac72cfe4501012035b630ab1f5849148e4817726d4f459fa1937e91a
+EBUILD qtbase-6.5.1.ebuild 5024 BLAKE2B 7f1a1ee51b3a887c8f8331102a2b4c96276164af8e03ceadc3fd1392fc6c603e8aed11ecb6c1d068bd5668fe59cc49420837ad0cc9a9427c90ce532e7720e370 SHA512 032e019184ab6c78aae283dbdc7595b6f62844f75b62a8b299b40d692c8100ddb9277b8a204b1f38767929bdb1ae2f14e023f0e31fe35789b56c3b8839e0160e
MISC metadata.xml 1762 BLAKE2B fd53799e4a3668fb8d32798f1d128df86aaa7181563655ffb71d6c15a7bab33e5fb08f3c5b41695e8fee4a46f5a5216030d0aeb0927eaeec387136ec66964a8f SHA512 6e05599e981d07f7a6d79eda9e1ef9e41383e05aec5442fed8a46be87245b6e9a77fb9b469fe656f9fdd29ffb69767136c0922baed3c5448ca8c58ee70ad713d
diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch
deleted file mode 100644
index 3574706fcd85..000000000000
--- a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From eae7c36d681acfb82572b56e24bbb2cd42242e57 Mon Sep 17 00:00:00 2001
-From: =?utf8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
-Date: Fri, 5 May 2023 11:07:26 +0200
-Subject: [PATCH] Hsts: match header names case insensitively
-
-Header field names are always considered to be case-insensitive.
-
-Fixes: QTBUG-113392
-Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43
-Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
-Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
-Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
-(cherry picked from commit 1b736a815be0222f4b24289cf17575fc15707305)
-Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
----
- src/network/access/qhsts.cpp | 4 ++--
- tests/auto/network/access/hsts/tst_qhsts.cpp | 6 ++++++
- 2 files changed, 8 insertions(+), 2 deletions(-)
-
-diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp
-index 39905f354807..82deede17298 100644
---- a/src/network/access/qhsts.cpp
-+++ b/src/network/access/qhsts.cpp
-@@ -327,8 +327,8 @@ quoted-pair = "\" CHAR
- bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
- {
- for (const auto &h : headers) {
-- // We use '==' since header name was already 'trimmed' for us:
-- if (h.first == "Strict-Transport-Security") {
-+ // We compare directly because header name was already 'trimmed' for us:
-+ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
- header = h.second;
- // RFC6797, 8.1:
- //
-diff --git a/tests/auto/network/access/hsts/tst_qhsts.cpp b/tests/auto/network/access/hsts/tst_qhsts.cpp
-index 252f5e8f5792..97a2d2889e57 100644
---- a/tests/auto/network/access/hsts/tst_qhsts.cpp
-+++ b/tests/auto/network/access/hsts/tst_qhsts.cpp
-@@ -216,6 +216,12 @@ void tst_QHsts::testSTSHeaderParser()
- QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
- QVERIFY(parser.includeSubDomains());
-
-+ list.pop_back();
-+ list << Header("strict-transport-security", "includeSubDomains;max-age=1000");
-+ QVERIFY(parser.parse(list));
-+ QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
-+ QVERIFY(parser.includeSubDomains());
-+
- list.pop_back();
- // Invalid (includeSubDomains twice):
- list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains");
---
-2.16.3
-
diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch
deleted file mode 100644
index c982cce36e9e..000000000000
--- a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-33285.patch
+++ /dev/null
@@ -1,101 +0,0 @@
-From a2dc11b37fd71f785c342c40549f54edfdd1a6f8 Mon Sep 17 00:00:00 2001
-From: Thiago Macieira <thiago.macieira@intel.com>
-Date: Thu, 11 May 2023 21:40:15 -0700
-Subject: [PATCH] QDnsLookup/Unix: make sure we don't overflow the buffer
-MIME-Version: 1.0
-Content-Type: text/plain; charset=utf8
-Content-Transfer-Encoding: 8bit
-
-The DNS Records are variable length and encode their size in 16 bits
-before the Record Data (RDATA). Ensure that both the RDATA and the
-Record header fields before it fall inside the buffer we have.
-
-Additionally reject any replies containing more than one query records.
-
-[ChangeLog][QtNetwork][QDnsLookup] Fixed a bug that could cause a buffer
-overflow in Unix systems while parsing corrupt, malicious, or truncated
-replies.
-
-Pick-to: 5.15 6.2 6.5.1
-Change-Id: I3e3bfef633af4130a03afffd175e4b9547654b95
-Reviewed-by: MÃ¥rten Nordheim <marten.nordheim@qt.io>
-Reviewed-by: Jani Heikkinen <jani.heikkinen@qt.io>
-(cherry picked from commit 7dba2c87619d558a61a30eb30cc1d9c3fe6df94c)
-Reviewed-by: Daniel Smith <Daniel.Smith@qt.io>
----
- src/network/kernel/qdnslookup_unix.cpp | 31 +++++++++++++++++++++++++------
- 1 file changed, 25 insertions(+), 6 deletions(-)
-
-diff --git a/src/network/kernel/qdnslookup_unix.cpp b/src/network/kernel/qdnslookup_unix.cpp
-index 8db79028f775..ad7bb51f67a5 100644
---- a/src/network/kernel/qdnslookup_unix.cpp
-+++ b/src/network/kernel/qdnslookup_unix.cpp
-@@ -193,7 +193,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
- // responseLength in case of error, we still can extract the
- // exact error code from the response.
- HEADER *header = (HEADER*)response;
-- const int answerCount = ntohs(header->ancount);
- switch (header->rcode) {
- case NOERROR:
- break;
-@@ -227,18 +226,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
- return;
- }
-
-- // Skip the query host, type (2 bytes) and class (2 bytes).
- char host[PACKETSZ], answer[PACKETSZ];
- unsigned char *p = response + sizeof(HEADER);
-- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
-- if (status < 0) {
-+ int status;
-+
-+ if (ntohs(header->qdcount) == 1) {
-+ // Skip the query host, type (2 bytes) and class (2 bytes).
-+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
-+ if (status < 0) {
-+ reply->error = QDnsLookup::InvalidReplyError;
-+ reply->errorString = tr("Could not expand domain name");
-+ return;
-+ }
-+ if ((p - response) + status + 4 >= responseLength)
-+ header->qdcount = 0xffff; // invalid reply below
-+ else
-+ p += status + 4;
-+ }
-+ if (ntohs(header->qdcount) > 1) {
- reply->error = QDnsLookup::InvalidReplyError;
-- reply->errorString = tr("Could not expand domain name");
-+ reply->errorString = tr("Invalid reply received");
- return;
- }
-- p += status + 4;
-
- // Extract results.
-+ const int answerCount = ntohs(header->ancount);
- int answerIndex = 0;
- while ((p < response + responseLength) && (answerIndex < answerCount)) {
- status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
-@@ -250,6 +262,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
- const QString name = QUrl::fromAce(host);
-
- p += status;
-+
-+ if ((p - response) + 10 > responseLength) {
-+ // probably just a truncated reply, return what we have
-+ return;
-+ }
- const quint16 type = (p[0] << 8) | p[1];
- p += 2; // RR type
- p += 2; // RR class
-@@ -257,6 +274,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
- p += 4;
- const quint16 size = (p[0] << 8) | p[1];
- p += 2;
-+ if ((p - response) + size > responseLength)
-+ return; // truncated
-
- if (type == QDnsLookup::A) {
- if (size != 4) {
---
-2.16.3
-
diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-setActiveWindow-deprecated-version.patch b/dev-qt/qtbase/files/qtbase-6.5.0-setActiveWindow-deprecated-version.patch
deleted file mode 100644
index 0ba60e01e02a..000000000000
--- a/dev-qt/qtbase/files/qtbase-6.5.0-setActiveWindow-deprecated-version.patch
+++ /dev/null
@@ -1,35 +0,0 @@
-Upstream commit: https://code.qt.io/cgit/qt/qtbase.git/commit/?h=6.5&id=bbb330c95fd
-
-From bbb330c95fdf6161b23227cb08cec58cca31e465 Mon Sep 17 00:00:00 2001
-From: Nicolas Fella <nicolas.fella@kdab.com>
-Date: Tue, 14 Mar 2023 19:14:41 +0100
-Subject: QApplication: Fix DEPRECATED_VERSION for setActiveWindow
-
-It's not deprecated in 6.4, only 6.5
-
-Change-Id: I86a09b9ce5a7f4d8b1d80a6e67218dfe00f93844
-Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
-(cherry picked from commit 99975ec07feb6b1a9f6be9e0d392a35e40f9550a)
-Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
----
- src/widgets/kernel/qapplication.h | 4 ++--
- 1 file changed, 2 insertions(+), 2 deletions(-)
-
-diff --git a/src/widgets/kernel/qapplication.h b/src/widgets/kernel/qapplication.h
-index c4c73d4cf8..fd698fb69f 100644
---- a/src/widgets/kernel/qapplication.h
-+++ b/src/widgets/kernel/qapplication.h
-@@ -79,8 +79,8 @@ public:
-
- static QWidget *activeWindow();
-
--#if QT_DEPRECATED_SINCE(6,4)
-- QT_DEPRECATED_VERSION_X_6_4("Use QWidget::activateWindow() instead.")
-+#if QT_DEPRECATED_SINCE(6, 5)
-+ QT_DEPRECATED_VERSION_X_6_5("Use QWidget::activateWindow() instead.")
- static void setActiveWindow(QWidget* act);
- #endif
-
---
-cgit v1.2.3
-
diff --git a/dev-qt/qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch b/dev-qt/qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch
new file mode 100644
index 000000000000..6f1264709e01
--- /dev/null
+++ b/dev-qt/qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch
@@ -0,0 +1,54 @@
+From: https://lists.qt-project.org/pipermail/development/2023-June/044031.html
+
+--- a/src/plugins/tls/schannel/qtls_schannel.cpp
++++ b/src/plugins/tls/schannel/qtls_schannel.cpp
+@@ -2106,6 +2106,27 @@ bool TlsCryptographSchannel::verifyCertContext(CERT_CONTEXT *certContext)
+ verifyDepth = DWORD(q->peerVerifyDepth());
+
+ const auto &caCertificates = q->sslConfiguration().caCertificates();
++
++ if (!rootCertOnDemandLoadingAllowed()
++ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
++ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
++ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
++ // When verifying a peer Windows "helpfully" builds a chain that
++ // may include roots from the system store. But we don't want that if
++ // the user has set their own CA certificates.
++ // Since Windows claims this is not a partial chain the root is included
++ // and we have to check that it is one of our configured CAs.
++ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
++ QSslCertificate certificate = getCertificateFromChainElement(element);
++ if (!caCertificates.contains(certificate)) {
++ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
++ sslErrors += error;
++ emit q->peerVerifyError(error);
++ if (q->state() != QAbstractSocket::ConnectedState)
++ return false;
++ }
++ }
++
+ QList<QSslCertificate> peerCertificateChain;
+ for (DWORD i = 0; i < verifyDepth; i++) {
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -1973,6 +1973,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+ , flushTriggered(false)
+ {
+ QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++ // If the global configuration doesn't allow root certificates to be loaded
++ // on demand then we have to disable it for this socket as well.
++ if (!configuration.allowRootCertOnDemandLoading)
++ allowRootCertOnDemandLoading = false;
+
+ const auto *tlsBackend = tlsBackendInUse();
+ if (!tlsBackend) {
+@@ -2281,6 +2285,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+ ptr->sessionProtocol = global->sessionProtocol;
+ ptr->ciphers = global->ciphers;
+ ptr->caCertificates = global->caCertificates;
++ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+ ptr->protocol = global->protocol;
+ ptr->peerVerifyMode = global->peerVerifyMode;
+ ptr->peerVerifyDepth = global->peerVerifyDepth;
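Review bot: In the block added to `TlsCryptographSchannel::verifyCertContext`, `chain->rgpElement[chain->cElement - 1]` is indexed with no visible check that `cElement` is non-zero; `cElement` is a DWORD, so an empty chain would wrap the index and read well outside the array. The function's body starts and ends outside the hunk, so an earlier guard may already exist. If it does, `Q_ASSERT(chain->cElement > 0);` before the lookup would document it, and if it does not, an empty chain should fail verification rather than skip the root comparison. Separately, the patch header gives only a mailing-list URL. A short description of the issue (going by the in-code comment, system-store roots ending up in the chain even though the user configured their own CA certificates) plus the upstream commit ids would make the file easier to audit when it is later dropped.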
diff --git a/dev-qt/qtbase/qtbase-6.5.0-r3.ebuild b/dev-qt/qtbase/qtbase-6.5.1.ebuild
index c0afe61d6725..770570eb3710 100644
--- a/dev-qt/qtbase/qtbase-6.5.0-r3.ebuild
+++ b/dev-qt/qtbase/qtbase-6.5.1.ebuild
@@ -103,11 +103,7 @@ DEPEND="
"
RDEPEND="${DEPEND}"
-PATCHES=(
- "${FILESDIR}/${PN}-6.5.0-setActiveWindow-deprecated-version.patch"
- "${FILESDIR}/${PN}-6.5.0-CVE-2023-32762.patch"
- "${FILESDIR}/${PN}-6.5.0-CVE-2023-33285.patch"
-)
+PATCHES=( "${FILESDIR}/${PN}-6.5.1-CVE-2023-34410.patch" )
src_configure() {
local mycmakeargs=(
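Review bot: Dropping `${PN}-6.5.0-CVE-2023-32762.patch` from `PATCHES` relies on the 6.5.1 tarball already containing that fix, and nothing on this page confirms it. The removed CVE-2023-33285 patch carries `Pick-to: 5.15 6.2 6.5.1`, but the HSTS patch only records a cherry-pick, with no target release named. It is worth checking the 6.5.1 sources for the case-insensitive compare in `QHstsHeaderParser::parse`. Once confirmed, a comment above `PATCHES` such as `# CVE-2023-32762, CVE-2023-33285 fixes are part of 6.5.1` would record why the two patches were removed.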