Don't allow remote attacker to bypass security restrictions caused by
flaw in certificate validation (CVE-2023-34410) Resolves: bz#2212754
This commit is contained in:
parent
b347b50161
commit
c64d896b79
31
CVE-2023-34410-qtbase-5.15.patch
Normal file
31
CVE-2023-34410-qtbase-5.15.patch
Normal file
@ -0,0 +1,31 @@
|
|||||||
|
diff --git a/src/network/ssl/qsslsocket_schannel.cpp b/src/network/ssl/qsslsocket_schannel.cpp
|
||||||
|
index c956ce3c..86381886 100644
|
||||||
|
--- a/src/network/ssl/qsslsocket_schannel.cpp
|
||||||
|
+++ b/src/network/ssl/qsslsocket_schannel.cpp
|
||||||
|
@@ -1880,6 +1880,26 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
|
||||||
|
if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
|
||||||
|
verifyDepth = DWORD(configuration.peerVerifyDepth);
|
||||||
|
|
||||||
|
+ if (!rootCertOnDemandLoadingAllowed()
|
||||||
|
+ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
|
||||||
|
+ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
|
||||||
|
+ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
|
||||||
|
+ // When verifying a peer Windows "helpfully" builds a chain that
|
||||||
|
+ // may include roots from the system store. But we don't want that if
|
||||||
|
+ // the user has set their own CA certificates.
|
||||||
|
+ // Since Windows claims this is not a partial chain the root is included
|
||||||
|
+ // and we have to check that it is one of our configured CAs.
|
||||||
|
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
|
||||||
|
+ QSslCertificate certificate = getCertificateFromChainElement(element);
|
||||||
|
+ if (!caCertificates.contains(certificate)) {
|
||||||
|
+ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
|
||||||
|
+ sslErrors += error;
|
||||||
|
+ emit q->peerVerifyError(error);
|
||||||
|
+ if (q->state() != QAbstractSocket::ConnectedState)
|
||||||
|
+ return false;
|
||||||
|
+ }
|
||||||
|
+ }
|
||||||
|
+
|
||||||
|
for (DWORD i = 0; i < verifyDepth; i++) {
|
||||||
|
CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
|
||||||
|
QSslCertificate certificate = getCertificateFromChainElement(element);
|
@ -57,7 +57,7 @@ BuildRequires: pkgconfig(libsystemd)
|
|||||||
Name: qt5-qtbase
|
Name: qt5-qtbase
|
||||||
Summary: Qt5 - QtBase components
|
Summary: Qt5 - QtBase components
|
||||||
Version: 5.15.9
|
Version: 5.15.9
|
||||||
Release: 4%{?dist}
|
Release: 5%{?dist}
|
||||||
|
|
||||||
|
|
||||||
# See LGPL_EXCEPTIONS.txt, for exception details
|
# See LGPL_EXCEPTIONS.txt, for exception details
|
||||||
@ -146,6 +146,7 @@ Patch101: qtbase-5.15.8-fix-missing-qtsan-include.patch
|
|||||||
Patch110: CVE-2023-32762-qtbase-5.15.patch
|
Patch110: CVE-2023-32762-qtbase-5.15.patch
|
||||||
Patch111: CVE-2023-32763-qtbase-5.15.patch
|
Patch111: CVE-2023-32763-qtbase-5.15.patch
|
||||||
Patch112: CVE-2023-33285-qtbase-5.15.patch
|
Patch112: CVE-2023-33285-qtbase-5.15.patch
|
||||||
|
Patch113: CVE-2023-34410-qtbase-5.15.patch
|
||||||
|
|
||||||
# gating related patches
|
# gating related patches
|
||||||
Patch200: qtbase-disable-tests-not-working-in-gating.patch
|
Patch200: qtbase-disable-tests-not-working-in-gating.patch
|
||||||
@ -432,6 +433,7 @@ Qt5 libraries used for drawing widgets and OpenGL items.
|
|||||||
%patch -P110 -p1
|
%patch -P110 -p1
|
||||||
%patch -P111 -p1
|
%patch -P111 -p1
|
||||||
%patch -P112 -p1
|
%patch -P112 -p1
|
||||||
|
%patch -P113 -p1
|
||||||
|
|
||||||
## gating related patches
|
## gating related patches
|
||||||
%patch -P200 -p1 -b .disable-tests-not-working-in-gating
|
%patch -P200 -p1 -b .disable-tests-not-working-in-gating
|
||||||
@ -1132,6 +1134,11 @@ fi
|
|||||||
|
|
||||||
|
|
||||||
%changelog
|
%changelog
|
||||||
|
* Tue Jun 06 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.9-5
|
||||||
|
- Don't allow remote attacker to bypass security restrictions caused by
|
||||||
|
flaw in certificate validation (CVE-2023-34410)
|
||||||
|
Resolves: bz#2212754
|
||||||
|
|
||||||
* Wed May 24 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.9-4
|
* Wed May 24 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.9-4
|
||||||
- Fix specific overflow in qtextlayout
|
- Fix specific overflow in qtextlayout
|
||||||
- Fix incorrect parsing of the strict-transport-security (HSTS) header
|
- Fix incorrect parsing of the strict-transport-security (HSTS) header
|
||||||
|
Loading…
Reference in New Issue
Block a user