From e7496ce04f48992c8a4257aae25bc0fa55c4675a Mon Sep 17 00:00:00 2001
From: Jan Grulich
Date: Fri, 9 Jun 2023 13:38:08 +0200
Subject: [PATCH] Don't allow remote attacker to bypass security restrictions caused by flaw in certificate validation (CVE-2023-34410) (version #2)

Resolves: bz#2212754
---
CVE-2023-34410-qtbase-5.15.patch | 31 +++++++++++++++++++++++++++----
qt5-qtbase.spec | 7 ++++++-
2 files changed, 33 insertions(+), 5 deletions(-)

diff --git a/CVE-2023-34410-qtbase-5.15.patch b/CVE-2023-34410-qtbase-5.15.patch
index c37e6de..82c1a23 100644
--- a/CVE-2023-34410-qtbase-5.15.patch
+++ b/CVE-2023-34410-qtbase-5.15.patch
@@ -1,11 +1,11 @@
-diff --git a/src/network/ssl/qsslsocket_schannel.cpp b/src/network/ssl/qsslsocket_schannel.cpp
-index c956ce3c..86381886 100644
--- a/src/network/ssl/qsslsocket_schannel.cpp
+++ b/src/network/ssl/qsslsocket_schannel.cpp
-@@ -1880,6 +1880,26 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
+@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
verifyDepth = DWORD(configuration.peerVerifyDepth);
-
+
++ const auto &caCertificates = q->sslConfiguration().caCertificates();
++
+ if (!rootCertOnDemandLoadingAllowed()
+ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
+ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
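Review bot: `const auto &caCertificates = q->sslConfiguration().caCertificates();` binds a reference to a value reached through the temporary `QSslConfiguration` that `sslConfiguration()` returns, and it is safe only because `caCertificates()` returns its `QList<QSslCertificate>` by value, so the reference extends that returned list rather than pointing into the configuration destroyed at the end of the statement. Holding it by value, `const auto caCertificates = q->sslConfiguration().caCertificates();`, expresses the same thing without relying on that detail and costs nothing with Qt's implicitly shared containers. The consumer of `caCertificates` is not in this hunk and `verifyCertContext` begins and ends outside it, so I am inferring the new variable replaces a repeated `q->sslConfiguration().caCertificates()` call further down in the block added by the earlier version of this patch.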
@@ -29,3 +29,26 @@ index c956ce3c..86381886 100644
for (DWORD i = 0; i < verifyDepth; i++) {
CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
QSslCertificate certificate = getCertificateFromChainElement(element);
+
+
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+ , flushTriggered(false)
+ {
+ QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++ // If the global configuration doesn't allow root certificates to be loaded
++ // on demand then we have to disable it for this socket as well.
++ if (!configuration.allowRootCertOnDemandLoading)
++ allowRootCertOnDemandLoading = false;
+ }
+
+ /*!
+@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+ ptr->sessionProtocol = global->sessionProtocol;
+ ptr->ciphers = global->ciphers;
+ ptr->caCertificates = global->caCertificates;
++ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+ ptr->protocol = global->protocol;
+ ptr->peerVerifyMode = global->peerVerifyMode;
+ ptr->peerVerifyDepth = global->peerVerifyDepth;
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index b2e498a..120f0bd 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -57,7 +57,7 @@ BuildRequires: pkgconfig(libsystemd)
Name: qt5-qtbase
Summary: Qt5 - QtBase components
Version: 5.15.9
-Release: 5%{?dist}
+Release: 6%{?dist}
# See LGPL_EXCEPTIONS.txt, for exception details
@@ -1134,6 +1134,11 @@ fi
%changelog
+* Fri Jun 09 2023 Jan Grulich - 5.15.9-6
+- Don't allow remote attacker to bypass security restrictions caused by
+ flaw in certificate validation (CVE-2023-34410) (version #2)
+ Resolves: bz#2212754
+
* Tue Jun 06 2023 Jan Grulich - 5.15.9-5
- Don't allow remote attacker to bypass security restrictions caused by
flaw in certificate validation (CVE-2023-34410)
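Review bot: The constructor guard `if (!configuration.allowRootCertOnDemandLoading) allowRootCertOnDemandLoading = false;` in `QSslSocketPrivate::QSslSocketPrivate()` is evaluated once, right after `deepCopyDefaultConfiguration`, and only ever clears the socket flag, so the socket's own initial value (set outside this hunk, presumably true) is what remains whenever the global default allows on-demand loading. A configuration applied later through `setSslConfiguration()` is not covered by this constructor, so if that path can carry `allowRootCertOnDemandLoading == false` it needs the same one-way clear; that code is not in this hunk and may already do so. I would make the asymmetry explicit with a comment after the assignment, e.g. `// The flag is only ever cleared here, never re-enabled; keep setSslConfiguration() consistent with this rule.`. Both the constructor and `deepCopyDefaultConfiguration` start or end outside the hunk.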