Skip to content

Commit

Permalink
Patch Qt 6.5.1 CVE-2023-34410
Browse files Browse the repository at this point in the history
IB-7779

Signed-off-by: Raul Metsma <raul@metsma.ee>
  • Loading branch information
metsma committed Jun 22, 2023
1 parent 47c309a commit e733f89
Showing 1 changed file with 55 additions and 1 deletion.
56 changes: 55 additions & 1 deletion prepare_osx_build_environment.sh
Original file line number Diff line number Diff line change
Expand Up @@ -5,7 +5,7 @@ set -e

######### Versions of libraries/frameworks to be compiled
QT_VER="6.5.1"
OPENSSL_VER="3.0.8"
OPENSSL_VER="3.0.9"
OPENLDAP_VER="2.6.4"
REBUILD=false
BUILD_PATH=~/cmake_builds
Expand Down Expand Up @@ -108,6 +108,60 @@ if [[ "$REBUILD" = true || ! -d ${QT_PATH} ]] ; then
tar xf ${PACKAGE}.tar.xz
pushd ${PACKAGE}
if [[ "${PACKAGE}" == *"qtbase"* ]] ; then
# CVE-2023-34410-qtbase-6.5.diff
patch -Np1 <<'EOF'
--- a/src/plugins/tls/schannel/qtls_schannel.cpp
+++ b/src/plugins/tls/schannel/qtls_schannel.cpp
@@ -2106,6 +2106,27 @@
verifyDepth = DWORD(q->peerVerifyDepth());
const auto &caCertificates = q->sslConfiguration().caCertificates();
+
+ if (!rootCertOnDemandLoadingAllowed()
+ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
+ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
+ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
+ // When verifying a peer Windows "helpfully" builds a chain that
+ // may include roots from the system store. But we don't want that if
+ // the user has set their own CA certificates.
+ // Since Windows claims this is not a partial chain the root is included
+ // and we have to check that it is one of our configured CAs.
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
+ QSslCertificate certificate = getCertificateFromChainElement(element);
+ if (!caCertificates.contains(certificate)) {
+ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
+ sslErrors += error;
+ emit q->peerVerifyError(error);
+ if (q->state() != QAbstractSocket::ConnectedState)
+ return false;
+ }
+ }
+
QList<QSslCertificate> peerCertificateChain;
for (DWORD i = 0; i < verifyDepth; i++) {
CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -1973,6 +1973,10 @@
, flushTriggered(false)
{
QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
+ // If the global configuration doesn't allow root certificates to be loaded
+ // on demand then we have to disable it for this socket as well.
+ if (!configuration.allowRootCertOnDemandLoading)
+ allowRootCertOnDemandLoading = false;
const auto *tlsBackend = tlsBackendInUse();
if (!tlsBackend) {
@@ -2281,6 +2285,7 @@
ptr->sessionProtocol = global->sessionProtocol;
ptr->ciphers = global->ciphers;
ptr->caCertificates = global->caCertificates;
+ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
ptr->protocol = global->protocol;
ptr->peerVerifyMode = global->peerVerifyMode;
ptr->peerVerifyDepth = global->peerVerifyDepth;
EOF
./configure -prefix ${QT_PATH} -opensource -nomake tests -nomake examples -no-securetransport -openssl-linked -confirm-license -appstore-compliant -- -DOPENSSL_ROOT_DIR=${OPENSSL_PATH} -DCMAKE_OSX_ARCHITECTURES="x86_64;arm64"
else
${QT_PATH}/bin/qt-configure-module .
Expand Down

0 comments on commit e733f89

Please sign in to comment.