author | V3n3RiX <venerix@koprulu.sector> | 2023-07-26 22:32:29 +0100 |
---|---|---|
committer | V3n3RiX <venerix@koprulu.sector> | 2023-07-26 22:32:29 +0100 |
commit | 0250b30ba9ae7ae15cc33f2a2acfd31bc936dfe9 (patch) | |
tree | ae2326788b7e4edc036e8faa1b87fb26b4333442 /dev-qt/qtbase/files | |
parent | d1bfba210fcc5b5a1ebebbe8234ef70f018a73bb (diff) |
gentoo auto-resync : 26:07:2023 - 22:32:29
Diffstat (limited to 'dev-qt/qtbase/files')
-rw-r--r-- | dev-qt/qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch | 54 |
1 files changed, 0 insertions, 54 deletions
diff --git a/dev-qt/qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch b/dev-qt/qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch
deleted file mode 100644
index 6f1264709e01..000000000000
--- a/dev-qt/qtbase/files/qtbase-6.5.1-CVE-2023-34410.patch
+++ /dev/null
@@ -1,54 +0,0 @@
-From: https://lists.qt-project.org/pipermail/development/2023-June/044031.html
-
---- a/src/plugins/tls/schannel/qtls_schannel.cpp
-+++ b/src/plugins/tls/schannel/qtls_schannel.cpp
-@@ -2106,6 +2106,27 @@ bool TlsCryptographSchannel::verifyCertContext(CERT_CONTEXT *certContext)
- verifyDepth = DWORD(q->peerVerifyDepth());
-
- const auto &caCertificates = q->sslConfiguration().caCertificates();
-+
-+ if (!rootCertOnDemandLoadingAllowed()
-+ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
-+ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
-+ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
-+ // When verifying a peer Windows "helpfully" builds a chain that
-+ // may include roots from the system store. But we don't want that if
-+ // the user has set their own CA certificates.
-+ // Since Windows claims this is not a partial chain the root is included
-+ // and we have to check that it is one of our configured CAs.
-+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
-+ QSslCertificate certificate = getCertificateFromChainElement(element);
-+ if (!caCertificates.contains(certificate)) {
-+ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
-+ sslErrors += error;
-+ emit q->peerVerifyError(error);
-+ if (q->state() != QAbstractSocket::ConnectedState)
-+ return false;
-+ }
-+ }
-+
- QList<QSslCertificate> peerCertificateChain;
- for (DWORD i = 0; i < verifyDepth; i++) {
- CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
-
---- a/src/network/ssl/qsslsocket.cpp
-+++ b/src/network/ssl/qsslsocket.cpp
-@@ -1973,6 +1973,10 @@ QSslSocketPrivate::QSslSocketPrivate()
- , flushTriggered(false)
- {
- QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
-+ // If the global configuration doesn't allow root certificates to be loaded
-+ // on demand then we have to disable it for this socket as well.
-+ if (!configuration.allowRootCertOnDemandLoading)
-+ allowRootCertOnDemandLoading = false;
-
- const auto *tlsBackend = tlsBackendInUse();
- if (!tlsBackend) {
-@@ -2281,6 +2285,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
- ptr->sessionProtocol = global->sessionProtocol;
- ptr->ciphers = global->ciphers;
- ptr->caCertificates = global->caCertificates;
-+ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
- ptr->protocol = global->protocol;
- ptr->peerVerifyMode = global->peerVerifyMode;
- ptr->peerVerifyDepth = global->peerVerifyDepth; |