Don't allow remote attacker to bypass security restrictions caused by

flaw in certificate validation (CVE-2023-34410) Resolves: bz#2212753
2023-06-06 15:23:30 +02:00 · 2023-06-06 15:23:30 +02:00 · c063415565
commit c063415565
parent 2757b48f73
2 changed files with 39 additions and 1 deletions
--- a/CVE-2023-34410-qtbase-5.15.patch
+++ b/CVE-2023-34410-qtbase-5.15.patch
@ -0,0 +1,31 @@
+diff --git a/src/network/ssl/qsslsocket_schannel.cpp b/src/network/ssl/qsslsocket_schannel.cpp
+index c956ce3c..86381886 100644
+--- a/src/network/ssl/qsslsocket_schannel.cpp
+++ b/src/network/ssl/qsslsocket_schannel.cpp
+@@ -1880,6 +1880,26 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
+     if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
+         verifyDepth = DWORD(configuration.peerVerifyDepth);
+ 
+    if (!rootCertOnDemandLoadingAllowed()
+            && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
+            && (q->peerVerifyMode() == QSslSocket::VerifyPeer
+                    || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
+        // When verifying a peer Windows "helpfully" builds a chain that
+        // may include roots from the system store. But we don't want that if
+        // the user has set their own CA certificates.
+        // Since Windows claims this is not a partial chain the root is included
+        // and we have to check that it is one of our configured CAs.
+        CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
+        QSslCertificate certificate = getCertificateFromChainElement(element);
+        if (!caCertificates.contains(certificate)) {
+            auto error = QSslError(QSslError::CertificateUntrusted, certificate);
+            sslErrors += error;
+            emit q->peerVerifyError(error);
+            if (q->state() != QAbstractSocket::ConnectedState)
+                return false;
+        }
+    }
+
+     for (DWORD i = 0; i < verifyDepth; i++) {
+         CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+         QSslCertificate certificate = getCertificateFromChainElement(element);
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@ -41,7 +41,7 @@ BuildRequires: pkgconfig(libsystemd)
 Name:    qt5-qtbase
 Summary: Qt5 - QtBase components
 Version: 5.15.3
-Release: 2%{?dist}
+Release: 3%{?dist}

 # See LGPL_EXCEPTIONS.txt, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -127,6 +127,7 @@ Source100: kde-5.15-rollup-20220324.patch.gz
 Patch110: CVE-2023-32762-qtbase-5.15.patch
 Patch111: CVE-2023-32763-qtbase-5.15.patch
 Patch112: CVE-2023-33285-qtbase-5.15.patch
+Patch113: CVE-2023-34410-qtbase-5.15.patch

 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
@ -388,6 +389,7 @@ Qt5 libraries used for drawing widgets and OpenGL items.
 %patch110 -p1
 %patch111 -p1
 %patch112 -p1
+%patch113 -p1

 # move some bundled libs to ensure they're not accidentally used
 pushd src/3rdparty
@ -1062,6 +1064,11 @@ fi


 %changelog
+* Tue Jun 06 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.3-3
+- Don't allow remote attacker to bypass security restrictions caused by
+  flaw in certificate validation (CVE-2023-34410)
+  Resolves: bz#2212753
+
 * Wed May 24 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.3-2
 - Fix specific overflow in qtextlayout
 - Fix incorrect parsing of the strict-transport-security (HSTS) header