From e733f89161e5189a6da3ae9c9e72b4bb3e46fe82 Mon Sep 17 00:00:00 2001
From: Raul Metsma
Date: Thu, 22 Jun 2023 10:23:28 +0300
Subject: [PATCH] Patch Qt 6.5.1 CVE-2023-34410 IB-7779
Signed-off-by: Raul Metsma
---
 prepare_osx_build_environment.sh | 56 +++++++++++++++++++++++++++++++-
 1 file changed, 55 insertions(+), 1 deletion(-)
diff --git a/prepare_osx_build_environment.sh b/prepare_osx_build_environment.sh
index c8b823611..82028c1eb 100755
--- a/prepare_osx_build_environment.sh
+++ b/prepare_osx_build_environment.sh
@@ -5,7 +5,7 @@ set -e
 ######### Versions of libraries/frameworks to be compiled
 QT_VER="6.5.1"
-OPENSSL_VER="3.0.8"
+OPENSSL_VER="3.0.9"
 OPENLDAP_VER="2.6.4"
 REBUILD=false
 BUILD_PATH=~/cmake_builds
@@ -108,6 +108,60 @@ if [[ "$REBUILD" = true || ! -d ${QT_PATH} ]] ; then
 tar xf ${PACKAGE}.tar.xz
 pushd ${PACKAGE}
 if [[ "${PACKAGE}" == *"qtbase"* ]] ; then
+ # CVE-2023-34410-qtbase-6.5.diff
+ patch -Np1 <<'EOF'
+--- a/src/plugins/tls/schannel/qtls_schannel.cpp
++++ b/src/plugins/tls/schannel/qtls_schannel.cpp
+@@ -2106,6 +2106,27 @@
+ verifyDepth = DWORD(q->peerVerifyDepth());
+ 
+ const auto &caCertificates = q->sslConfiguration().caCertificates();
++
++ if (!rootCertOnDemandLoadingAllowed()
++ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
++ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
++ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
++ // When verifying a peer Windows "helpfully" builds a chain that
++ // may include roots from the system store. But we don't want that if
++ // the user has set their own CA certificates.
++ // Since Windows claims this is not a partial chain the root is included
++ // and we have to check that it is one of our configured CAs.
++ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
++ QSslCertificate certificate = getCertificateFromChainElement(element);
++ if (!caCertificates.contains(certificate)) {
++ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
++ sslErrors += error;
++ emit q->peerVerifyError(error);
++ if (q->state() != QAbstractSocket::ConnectedState)
++ return false;
++ }
++ }
++
+ QList peerCertificateChain;
+ for (DWORD i = 0; i < verifyDepth; i++) {
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -1973,6 +1973,10 @@
+ , flushTriggered(false)
+ {
+ QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++ // If the global configuration doesn't allow root certificates to be loaded
++ // on demand then we have to disable it for this socket as well.
++ if (!configuration.allowRootCertOnDemandLoading)
++ allowRootCertOnDemandLoading = false;
+ 
+ const auto *tlsBackend = tlsBackendInUse();
+ if (!tlsBackend) {
+@@ -2281,6 +2285,7 @@
+ ptr->sessionProtocol = global->sessionProtocol;
+ ptr->ciphers = global->ciphers;
+ ptr->caCertificates = global->caCertificates;
++ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+ ptr->protocol = global->protocol;
+ ptr->peerVerifyMode = global->peerVerifyMode;
+ ptr->peerVerifyDepth = global->peerVerifyDepth;
+EOF
 ./configure -prefix ${QT_PATH} -opensource -nomake tests -nomake examples -no-securetransport -openssl-linked -confirm-license -appstore-compliant -- -DOPENSSL_ROOT_DIR=${OPENSSL_PATH} -DCMAKE_OSX_ARCHITECTURES="x86_64;arm64"
 else
 ${QT_PATH}/bin/qt-configure-module .
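Review bot: The CVE-2023-34410 backport is applied to every tarball matching `*"qtbase"*` with nothing tying it to the `QT_VER="6.5.1"` set in the first hunk, so when QT_VER is later bumped to a release that already contains this fix, `patch -N` should reject the hunks as already applied and exit non-zero, and the script's `set -e` then aborts the whole build without saying why. Guard the workaround by its version, e.g. `if [[ "${QT_VER}" == "6.5.1" ]] ; then` before `patch -Np1 <<'EOF'` and a matching `fi` after `EOF`, so it drops out with the version bump. The comment `# CVE-2023-34410-qtbase-6.5.diff` names a file this commit does not add; make it say where the diff comes from and when it can go, e.g. `# Backport of the upstream qtbase fix for CVE-2023-34410 (6.5 branch); remove once QT_VER is a release that already ships it`. Adding `--fuzz=0` to the patch call would also make context drift in a future tarball fail loudly instead of applying with fuzz.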