import qt5-qtbase-5.12.5-6.el8

This commit is contained in:
CentOS Sources 2020-11-03 06:55:00 -05:00 committed by Andrew Lukoshko
parent b4eb4d52c3
commit 1a866aae43
5 changed files with 425 additions and 5 deletions


@ -0,0 +1,146 @@
From f432c08882ffebe5074ea28de871559a98a4d094 Mon Sep 17 00:00:00 2001
From: Lars Knoll <lars.knoll@qt.io>
Date: Wed, 26 Feb 2020 10:42:10 +0100
Subject: Add an expansion limit for entities
Recursively defined entities can easily exhaust all available
memory. Limit entity expansion to a default of 4096 characters to
avoid DoS attacks when a user loads untrusted content.
[ChangeLog][QtCore][QXmlStream] QXmlStreamReader does now
limit the expansion of entities to 4096 characters. Documents where
a single entity expands to more characters than the limit are not
considered well formed. The limit is there to avoid DoS attacks through
recursively expanding entities when loading untrusted content. Qt 5.15
will add methods that allow changing that limit.
Fixes: QTBUG-47417
Change-Id: I94387815d74fcf34783e136387ee57fac5ded0c9
Reviewed-by: Oswald Buddenhagen <oswald.buddenhagen@gmx.de>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
(cherry picked from commit fd4be84d23a0db4186cb42e736a9de3af722c7f7)
Reviewed-by: Eirik Aavitsland <eirik.aavitsland@qt.io>
---
src/corelib/serialization/qxmlstream.g | 14 ++++++++++++-
src/corelib/serialization/qxmlstream_p.h | 14 ++++++++++++-
.../serialization/qxmlstream/tst_qxmlstream.cpp | 23 ++++++++++++++++++++--
3 files changed, 47 insertions(+), 4 deletions(-)
diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g
index 10bfcd491c..5726bafb26 100644
--- a/src/corelib/serialization/qxmlstream.g
+++ b/src/corelib/serialization/qxmlstream.g
@@ -277,9 +277,19 @@ public:
QHash<QStringView, Entity> entityHash;
QHash<QStringView, Entity> parameterEntityHash;
QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+ int entityExpansionLimit = 4096;
+ int entityLength = 0;
inline bool referenceEntity(Entity &entity) {
if (entity.isCurrentlyReferenced) {
- raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+ return false;
+ }
+ // entityLength represents the amount of additional characters the
+ // entity expands into (can be negative for e.g. &amp;). It's used to
+ // avoid DoS attacks through recursive entity expansions
+ entityLength += entity.value.size() - entity.name.size() - 2;
+ if (entityLength > entityExpansionLimit) {
+ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
return false;
}
entity.isCurrentlyReferenced = true;
@@ -830,6 +840,8 @@ entity_done ::= ENTITY_DONE;
/.
case $rule_number:
entityReferenceStack.pop()->isCurrentlyReferenced = false;
+ if (entityReferenceStack.isEmpty())
+ entityLength = 0;
clearSym();
break;
./
diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h
index 61f501f81b..31053f8e0b 100644
--- a/src/corelib/serialization/qxmlstream_p.h
+++ b/src/corelib/serialization/qxmlstream_p.h
@@ -774,9 +774,19 @@ public:
QHash<QStringView, Entity> entityHash;
QHash<QStringView, Entity> parameterEntityHash;
QXmlStreamSimpleStack<Entity *>entityReferenceStack;
+ int entityExpansionLimit = 4096;
+ int entityLength = 0;
inline bool referenceEntity(Entity &entity) {
if (entity.isCurrentlyReferenced) {
- raiseWellFormedError(QXmlStream::tr("Recursive entity detected."));
+ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected."));
+ return false;
+ }
+ // entityLength represents the amount of additional characters the
+ // entity expands into (can be negative for e.g. &amp;). It's used to
+ // avoid DoS attacks through recursive entity expansions
+ entityLength += entity.value.size() - entity.name.size() - 2;
+ if (entityLength > entityExpansionLimit) {
+ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit."));
return false;
}
entity.isCurrentlyReferenced = true;
@@ -1308,6 +1318,8 @@ bool QXmlStreamReaderPrivate::parse()
case 10:
entityReferenceStack.pop()->isCurrentlyReferenced = false;
+ if (entityReferenceStack.isEmpty())
+ entityLength = 0;
clearSym();
break;
diff --git a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
index 8fdf91b090..1f9a0d575d 100644
--- a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
+++ b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp
@@ -393,8 +393,6 @@ public:
return true;
}
- QXmlStreamReader reader(&inputFile);
-
/* See testcases.dtd which reads: 'Nonvalidating parsers
* must also accept "invalid" testcases, but validating ones must reject them.' */
if(type == QLatin1String("invalid") || type == QLatin1String("valid"))
@@ -580,6 +578,8 @@ private slots:
void roundTrip() const;
void roundTrip_data() const;
+ void entityExpansionLimit() const;
+
private:
static QByteArray readFile(const QString &filename);
@@ -1756,6 +1756,25 @@ void tst_QXmlStream::roundTrip_data() const
"</root>\n";
}
+void tst_QXmlStream::entityExpansionLimit() const
+{
+ QString xml = QStringLiteral("<?xml version=\"1.0\"?>"
+ "<!DOCTYPE foo ["
+ "<!ENTITY a \"0123456789\" >"
+ "<!ENTITY b \"&a;&a;&a;&a;&a;&a;&a;&a;&a;&a;\" >"
+ "<!ENTITY c \"&b;&b;&b;&b;&b;&b;&b;&b;&b;&b;\" >"
+ "<!ENTITY d \"&c;&c;&c;&c;&c;&c;&c;&c;&c;&c;\" >"
+ "]>"
+ "<foo>&d;&d;&d;</foo>");
+ {
+ QXmlStreamReader reader(xml);
+ do {
+ reader.readNext();
+ } while (!reader.atEnd());
+ QCOMPARE(reader.error(), QXmlStreamReader::NotWellFormedError);
+ }
+}
+
void tst_QXmlStream::roundTrip() const
{
QFETCH(QString, in);
--
cgit v1.2.1
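Review bot: The limit enforced in referenceEntity() bounds the expansion of one top-level reference, not of the whole document, because `entityLength` is reset to 0 in the entity_done action whenever entityReferenceStack is empty (second qxmlstream.g hunk); a document that repeats a reference whose net expansion stays just under 4096 characters is still amplified by roughly limit/3 per reference. That is linear in the input rather than exponential, so it meets the stated DoS goal, but the comment should say so: `// Bounds the expansion of a single top-level reference; total output stays linear in the input (at most ~entityExpansionLimit extra characters per reference).` The new test only checks that the bomb is rejected; a second document whose largest entity has a net expansion of exactly 4096 characters should be asserted to parse without error, since every legitimate document over the limit now becomes NotWellFormedError and, per the message, 5.12 offers no API to raise it.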


@ -0,0 +1,28 @@
From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001
From: Olivier Goffart <ogoffart@woboq.com>
Date: Fri, 8 Nov 2019 11:30:40 +0100
Subject: Do not load plugin from the $PWD
I see no reason why this would make sense to look for plugins in the current
directory. And when there are plugins there, it may actually be wrong
Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
---
src/corelib/plugin/qpluginloader.cpp | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
index cadff4f32b..c2443dbdda 100644
--- a/src/corelib/plugin/qpluginloader.cpp
+++ b/src/corelib/plugin/qpluginloader.cpp
@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName)
paths.append(fileName.left(slash)); // don't include the '/'
} else {
paths = QCoreApplication::libraryPaths();
- paths.prepend(QStringLiteral(".")); // search in current dir first
}
for (const QString &path : qAsConst(paths)) {
--
cgit v1.2.1


@ -0,0 +1,161 @@
From 36a8bdbc8417506513207daf4f36533a3d6632f3 Mon Sep 17 00:00:00 2001
From: Timur Pocheptsov <timur.pocheptsov@qt.io>
Date: Mon, 13 Apr 2020 20:31:34 +0200
Subject: [PATCH] OpenSSL: handle SSL_shutdown's errors properly
Do not call SSL_shutdown on a session that is in handshake state (SSL_in_init(s)
returns 1). Also, do not call SSL_shutdown if a session encountered a fatal
error (SSL_ERROR_SYSCALL or SSL_ERROR_SSL was found before). If SSL_shutdown
was unsuccessful (returned code != 1), we have to clear the error(s) it queued.
Unfortunately, SSL_in_init was a macro in OpenSSL 1.0.x. We have to
resolve SSL_state to implement SSL_in_init.
Fixes: QTBUG-83450
Change-Id: I6326119f4e79605429263045ac20605c30dccca3
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit 8907635da59c2ae0e8db01f27b24a841b830e655)
(cherry picked from commit 8ddffc6ba4f38bb8dbeb0cf61b6b10ee73505bbb)
---
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index 4f49a71..9f9eaf3 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -2108,7 +2108,7 @@
shutdown = false;
pendingClose = false;
flushTriggered = false;
-
+ systemOrSslErrorDetected = false;
// we don't want to clear the ignoreErrorsList, so
// that it is possible setting it before connecting
// ignoreErrorsList.clear();
diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
index ec772dd..c4abc1e 100644
--- a/src/network/ssl/qsslsocket_openssl.cpp
+++ b/src/network/ssl/qsslsocket_openssl.cpp
@@ -471,10 +471,16 @@
void QSslSocketBackendPrivate::destroySslContext()
{
if (ssl) {
- // We do not send a shutdown alert here. Just mark the session as
- // resumable for qhttpnetworkconnection's "optimization", otherwise
- // OpenSSL won't start a session resumption.
- q_SSL_shutdown(ssl);
+ if (!q_SSL_in_init(ssl) && !systemOrSslErrorDetected) {
+ // We do not send a shutdown alert here. Just mark the session as
+ // resumable for qhttpnetworkconnection's "optimization", otherwise
+ // OpenSSL won't start a session resumption.
+ if (q_SSL_shutdown(ssl) != 1) {
+ // Some error may be queued, clear it.
+ const auto errors = getErrorsFromOpenSsl();
+ Q_UNUSED(errors);
+ }
+ }
q_SSL_free(ssl);
ssl = nullptr;
}
@@ -909,6 +915,7 @@
case SSL_ERROR_SSL: // error in the SSL library
// we do not know exactly what the error is, nor whether we can recover from it,
// so just return to prevent an endless loop in the outer "while" statement
+ systemOrSslErrorDetected = true;
{
const ScopedBool bg(inSetAndEmitError, true);
setErrorAndEmit(QAbstractSocket::SslInternalError,
@@ -1309,8 +1316,12 @@
void QSslSocketBackendPrivate::disconnectFromHost()
{
if (ssl) {
- if (!shutdown) {
- q_SSL_shutdown(ssl);
+ if (!shutdown && !q_SSL_in_init(ssl) && !systemOrSslErrorDetected) {
+ if (q_SSL_shutdown(ssl) != 1) {
+ // Some error may be queued, clear it.
+ const auto errors = getErrorsFromOpenSsl();
+ Q_UNUSED(errors);
+ }
shutdown = true;
transmit();
}
diff --git a/src/network/ssl/qsslsocket_openssl11_symbols_p.h b/src/network/ssl/qsslsocket_openssl11_symbols_p.h
index 0c32b0a..c80baa2 100644
--- a/src/network/ssl/qsslsocket_openssl11_symbols_p.h
+++ b/src/network/ssl/qsslsocket_openssl11_symbols_p.h
@@ -186,4 +186,11 @@
}
void q_SSL_set_psk_use_session_callback(SSL *s, q_SSL_psk_use_session_cb_func_t);
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+// What a mess!
+int q_SSL_in_init(SSL *s);
+#else
+int q_SSL_in_init(const SSL *s);
+#endif // 1.1.1 or 1.1.0
+
#endif
diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp
index 62ac228..60ba3a0 100644
--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp
+++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp
@@ -161,6 +161,11 @@
DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return nullptr, return)
DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return)
DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return)
+#if OPENSSL_VERSION_NUMBER < 0x10101000L
+DEFINEFUNC(int, SSL_in_init, SSL *a, a, return 0, return)
+#else
+DEFINEFUNC(int, SSL_in_init, const SSL *a, a, return 0, return)
+#endif
#ifdef TLS1_3_VERSION
DEFINEFUNC2(int, SSL_CTX_set_ciphersuites, SSL_CTX *ctx, ctx, const char *str, str, return 0, return)
DEFINEFUNC2(void, SSL_set_psk_use_session_callback, SSL *ssl, ssl, q_SSL_psk_use_session_cb_func_t callback, callback, return, DUMMYARG)
@@ -213,6 +218,7 @@
// Functions below are either deprecated or removed in OpenSSL >= 1.1:
DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return nullptr, return)
+DEFINEFUNC(int, SSL_state, const SSL *a, a, return 0, return)
#ifdef SSLEAY_MACROS
DEFINEFUNC3(void *, ASN1_dup, i2d_of_void *a, a, d2i_of_void *b, b, char *c, c, return nullptr, return)
@@ -988,6 +994,7 @@
#if QT_CONFIG(opensslv11)
RESOLVEFUNC(OPENSSL_init_ssl)
+ RESOLVEFUNC(SSL_in_init)
RESOLVEFUNC(OPENSSL_init_crypto)
RESOLVEFUNC(ASN1_STRING_get0_data)
RESOLVEFUNC(EVP_CIPHER_CTX_reset)
@@ -1060,6 +1067,7 @@
#else // !opensslv11
RESOLVEFUNC(ASN1_STRING_data)
+ RESOLVEFUNC(SSL_state)
#ifdef SSLEAY_MACROS
RESOLVEFUNC(ASN1_dup)
diff --git a/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h
index 48364ce..c139ecb 100644
--- a/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h
+++ b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h
@@ -132,6 +132,8 @@
int q_SSL_library_init();
void q_SSL_load_error_strings();
+int q_SSL_state(const SSL *a);
+#define q_SSL_in_init(a) (q_SSL_state(a) & SSL_ST_INIT)
#if OPENSSL_VERSION_NUMBER >= 0x10001000L
int q_SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func);
diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h
index 6f34c6c..e657987 100644
--- a/src/network/ssl/qsslsocket_p.h
+++ b/src/network/ssl/qsslsocket_p.h
@@ -220,6 +220,7 @@
bool verifyErrorsHaveBeenIgnored();
bool paused;
bool flushTriggered;
+ bool systemOrSslErrorDetected = false;
};
QT_END_NAMESPACE
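Review bot: In disconnectFromHost() the widened guard `if (!shutdown && !q_SSL_in_init(ssl) && !systemOrSslErrorDetected)` also skips `shutdown = true;` and `transmit();`, not only the q_SSL_shutdown() call, so a socket disconnected mid-handshake or after a fatal SSL error leaves `shutdown == false` and never flushes through this path. The function continues past the hunk, so if the remainder tears down the plain socket regardless this is presumably fine, but the intent should be stated rather than implied; I would add above the guard `// No usable session mid-handshake or after a fatal error: skip close_notify.` Separately, the message names SSL_ERROR_SYSCALL as well, but only the `case SSL_ERROR_SSL:` label is visible setting `systemOrSslErrorDetected = true;` — confirm the SYSCALL case falls through into it, since that label sits just before the hunk.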


@ -0,0 +1,52 @@
From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001
From: Thiago Macieira <thiago.macieira@intel.com>
Date: Fri, 10 Jan 2020 09:26:27 -0800
Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD
I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
find libraries in a haswell/ subdir of the main path, but we only need
to do that transformation if the library is contains at least one
directory seprator. That is, if the user asks to load "lib/foo", then we
should try "lib/haswell/foo" (often, the path prefix will be absolute).
When the library name the user requested has no directory separators, we
let dlopen() do the transformation for us. Testing on Linux confirms
glibc does so:
$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor
1972475: find library=libXcursor.so.1 [0]; searching
1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
1972475: trying file=/usr/lib64/haswell/libXcursor.so.1
1972475: trying file=/usr/lib64/libXcursor.so.1
1972475: calling init: /usr/lib64/libXcursor.so.1
1972475: calling fini: /usr/lib64/libXcursor.so.1 [0]
Fixes: QTBUG-81272
Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
---
src/corelib/plugin/qlibrary_unix.cpp | 4 +++-
1 file changed, 3 insertions(+), 1 deletion(-)
diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
index e0381498..7cc7c8e3 100644
--- a/src/corelib/plugin/qlibrary_unix.cpp
+++ b/src/corelib/plugin/qlibrary_unix.cpp
@@ -1,7 +1,7 @@
/****************************************************************************
**
** Copyright (C) 2016 The Qt Company Ltd.
-** Copyright (C) 2018 Intel Corporation
+** Copyright (C) 2020 Intel Corporation
** Contact: https://www.qt.io/licensing/
**
** This file is part of the QtCore module of the Qt Toolkit.
@@ -208,6 +208,8 @@ bool QLibraryPrivate::load_sys()
for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
continue;
+ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
+ continue;
if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
continue;
if (loadHints & QLibrary::LoadArchiveMemberHint) {
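Review bot: The new `continue` at `if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))` carries no comment, and the reason is not obvious from the loop itself: a prefix with a directory component (presumably the haswell/ subdir variant described in the message) combined with a bare library name would be handed to dlopen() as a relative path and resolved against $PWD. I would add `// A bare name (no directory component) must be left to dlopen()'s own search path; prepending a subdir prefix here would resolve it relative to $PWD.` The prefixes list and the rest of load_sys() are outside the hunk, so I cannot confirm which prefixes actually contain a '/'.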


@ -42,7 +42,7 @@ BuildRequires: pkgconfig(libsystemd)
Name: qt5-qtbase Name: qt5-qtbase
Summary: Qt5 - QtBase components Summary: Qt5 - QtBase components
Version: 5.12.5 Version: 5.12.5
Release: 4%{?dist} Release: 6%{?dist}
# See LGPL_EXCEPTIONS.txt, for exception details # See LGPL_EXCEPTIONS.txt, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -116,6 +116,21 @@ Patch68: qtbase-ambiguous-python-shebang.patch
Patch101: qtbase-allow-dbus-not-running-during-build.patch Patch101: qtbase-allow-dbus-not-running-during-build.patch
# Security fixes
# CVE-2020-0570 qt5: qt: files placed by attacker can influence the working directory and lead to malicious code execution
Patch200: qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch
# CVE-2020-0569 qt5-qtbase: qt: files placed by attacker can influence the working directory and lead to malicious code execution
Patch201: qtbase-do-not-load-plugin-from-pwd.patch
# CVE-2015-9541 qt5: qt: XML entity expansion vulnerability
Patch202: qtbase-add-expansion-limit-for-entities.patch
# CVE-2020-13962 qt5-qtbase: qt5: incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications
Patch203: qtbase-openssl-handle-ssl-shutdown-errors-properly.patch
# Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
# Those themes are there for platform integration. If the required libraries are # Those themes are there for platform integration. If the required libraries are
# not there, the platform to integrate with isn't either. Then Qt will just # not there, the platform to integrate with isn't either. Then Qt will just
@ -379,6 +394,12 @@ Qt5 libraries used for drawing widgets and OpenGL items.
%patch101 -p1 -b .qtbase-allow-dbus-not-running-during-build %patch101 -p1 -b .qtbase-allow-dbus-not-running-during-build
# Security fixes
%patch200 -p1 -b .qlibrary-do-not-attempt-to-load-library-relative-to-pwd
%patch201 -p1 -b .do-not-load-plugin-from-pwd
%patch202 -p1 -b .add-expansion-limit-for-entities
%patch203 -p1 -b .openssl-handle-ssl-shutdown-errors-properly
# move some bundled libs to ensure they're not accidentally used # move some bundled libs to ensure they're not accidentally used
pushd src/3rdparty pushd src/3rdparty
mkdir UNUSED mkdir UNUSED
@ -1013,19 +1034,31 @@ fi
%changelog %changelog
* Wed Nov 27 2019 Jan Grulich <jgrulich@redhat.com> - 5.12-5-4 * Tue Jul 14 2020 Jan Grulich <jgrulich@redhat.com> - 5.12.5-6
- OpenSSL: handle SSL_shutdown's errors properly
Resolves: bz#1851538
* Mon May 11 2020 Jan Grulich <jgrulich@redhat.com> - 5.12.5-5
- Fix: Files placed by attacker can influence the working directory and lead to malicious code execution
Resolves: bz#1814739
Resolves: bz#1814683
- Fix: XML entity expansion vulnerability
Resolves: bz#1822193
* Wed Nov 27 2019 Jan Grulich <jgrulich@redhat.com> - 5.12.5-4
- Fix build on RHEL 7 kernel - Fix build on RHEL 7 kernel
Resolves: bz#1733135 Resolves: bz#1733135
* Thu Nov 07 2019 Jan Grulich <jgrulich@redhat.com> - 5.12-5-2 * Thu Nov 07 2019 Jan Grulich <jgrulich@redhat.com> - 5.12.5-2
- Remove Android specific test to avoid unnecessary dependencies - Remove Android specific test to avoid unnecessary dependencies
Resolves: bz#1733135 Resolves: bz#1733135
* Tue Oct 29 2019 Jan Grulich <jgrulich@redhat.com> - 5.12-5-1 * Tue Oct 29 2019 Jan Grulich <jgrulich@redhat.com> - 5.12.5-1
- 5.12.5 + sync with Fedora - 5.12.5 + sync with Fedora
Resolves: bz#1733135 Resolves: bz#1733135
* Wed May 22 2019 Jan Grulich <jgrulich@redhat.com> - 5.11-1-7 * Wed May 22 2019 Jan Grulich <jgrulich@redhat.com> - 5.11.1-7
- Move libQt5EglFSDeviceIntegration lib out of the -devel subpkg - Move libQt5EglFSDeviceIntegration lib out of the -devel subpkg
Resolves: bz#1692970 Resolves: bz#1692970