Don't allow remote attacker to bypass security restrictions caused by

flaw in certificate validation (CVE-2023-34410) (version #2) Resolves: bz#2212754
2023-06-09 13:38:08 +02:00 · 2023-06-09 13:38:08 +02:00 · e7496ce04f
commit e7496ce04f
parent c64d896b79
2 changed files with 33 additions and 5 deletions
--- a/CVE-2023-34410-qtbase-5.15.patch
+++ b/CVE-2023-34410-qtbase-5.15.patch
@ -1,11 +1,11 @@
-diff --git a/src/network/ssl/qsslsocket_schannel.cpp b/src/network/ssl/qsslsocket_schannel.cpp
-index c956ce3c..86381886 100644
 --- a/src/network/ssl/qsslsocket_schannel.cpp
 +++ b/src/network/ssl/qsslsocket_schannel.cpp
-@@ -1880,6 +1880,26 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
+@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
     if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
         verifyDepth = DWORD(configuration.peerVerifyDepth);

+    const auto &caCertificates = q->sslConfiguration().caCertificates();
+
 +    if (!rootCertOnDemandLoadingAllowed()
 +            && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
 +            && (q->peerVerifyMode() == QSslSocket::VerifyPeer
@ -29,3 +29,26 @@ index c956ce3c..86381886 100644
     for (DWORD i = 0; i < verifyDepth; i++) {
         CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
         QSslCertificate certificate = getCertificateFromChainElement(element);
+
+
+--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
+@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+     , flushTriggered(false)
+ {
+     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
+    // If the global configuration doesn't allow root certificates to be loaded
+    // on demand then we have to disable it for this socket as well.
+    if (!configuration.allowRootCertOnDemandLoading)
+        allowRootCertOnDemandLoading = false;
+ }
+
+ /*!
+@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+     ptr->sessionProtocol = global->sessionProtocol;
+     ptr->ciphers = global->ciphers;
+     ptr->caCertificates = global->caCertificates;
+    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+     ptr->protocol = global->protocol;
+     ptr->peerVerifyMode = global->peerVerifyMode;
+     ptr->peerVerifyDepth = global->peerVerifyDepth;
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@ -57,7 +57,7 @@ BuildRequires: pkgconfig(libsystemd)
 Name:    qt5-qtbase
 Summary: Qt5 - QtBase components
 Version: 5.15.9
-Release: 5%{?dist}
+Release: 6%{?dist}


 # See LGPL_EXCEPTIONS.txt, for exception details
@ -1134,6 +1134,11 @@ fi


 %changelog
+* Fri Jun 09 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.9-6
+- Don't allow remote attacker to bypass security restrictions caused by
+  flaw in certificate validation (CVE-2023-34410) (version #2)
+  Resolves: bz#2212754
+
 * Tue Jun 06 2023 Jan Grulich <jgrulich@redhat.com> - 5.15.9-5
 - Don't allow remote attacker to bypass security restrictions caused by
  flaw in certificate validation (CVE-2023-34410)