mirror of
https://github.com/microsoft/vcpkg.git
synced 2024-12-27 18:31:15 +08:00
[qt5] Apply CVE fixes (#32031)
This commit is contained in:
parent
ae56ff4adb
commit
a76139fb41
68
ports/qt5-base/patches/CVE-2023-33285-qtbase-5.15.diff
Normal file
68
ports/qt5-base/patches/CVE-2023-33285-qtbase-5.15.diff
Normal file
@ -0,0 +1,68 @@
|
||||
--- a/src/network/kernel/qdnslookup_unix.cpp
|
||||
+++ b/src/network/kernel/qdnslookup_unix.cpp
|
||||
@@ -227,7 +227,6 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
|
||||
// responseLength in case of error, we still can extract the
|
||||
// exact error code from the response.
|
||||
HEADER *header = (HEADER*)response;
|
||||
- const int answerCount = ntohs(header->ancount);
|
||||
switch (header->rcode) {
|
||||
case NOERROR:
|
||||
break;
|
||||
@@ -260,18 +259,31 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
|
||||
return;
|
||||
}
|
||||
|
||||
- // Skip the query host, type (2 bytes) and class (2 bytes).
|
||||
char host[PACKETSZ], answer[PACKETSZ];
|
||||
unsigned char *p = response + sizeof(HEADER);
|
||||
- int status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
|
||||
- if (status < 0) {
|
||||
+ int status;
|
||||
+
|
||||
+ if (ntohs(header->qdcount) == 1) {
|
||||
+ // Skip the query host, type (2 bytes) and class (2 bytes).
|
||||
+ status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
|
||||
+ if (status < 0) {
|
||||
+ reply->error = QDnsLookup::InvalidReplyError;
|
||||
+ reply->errorString = tr("Could not expand domain name");
|
||||
+ return;
|
||||
+ }
|
||||
+ if ((p - response) + status + 4 >= responseLength)
|
||||
+ header->qdcount = 0xffff; // invalid reply below
|
||||
+ else
|
||||
+ p += status + 4;
|
||||
+ }
|
||||
+ if (ntohs(header->qdcount) > 1) {
|
||||
reply->error = QDnsLookup::InvalidReplyError;
|
||||
- reply->errorString = tr("Could not expand domain name");
|
||||
+ reply->errorString = tr("Invalid reply received");
|
||||
return;
|
||||
}
|
||||
- p += status + 4;
|
||||
|
||||
// Extract results.
|
||||
+ const int answerCount = ntohs(header->ancount);
|
||||
int answerIndex = 0;
|
||||
while ((p < response + responseLength) && (answerIndex < answerCount)) {
|
||||
status = local_dn_expand(response, response + responseLength, p, host, sizeof(host));
|
||||
@@ -283,6 +295,11 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
|
||||
const QString name = QUrl::fromAce(host);
|
||||
|
||||
p += status;
|
||||
+
|
||||
+ if ((p - response) + 10 > responseLength) {
|
||||
+ // probably just a truncated reply, return what we have
|
||||
+ return;
|
||||
+ }
|
||||
const quint16 type = (p[0] << 8) | p[1];
|
||||
p += 2; // RR type
|
||||
p += 2; // RR class
|
||||
@@ -290,6 +307,8 @@ void QDnsLookupRunnable::query(const int requestType, const QByteArray &requestN
|
||||
p += 4;
|
||||
const quint16 size = (p[0] << 8) | p[1];
|
||||
p += 2;
|
||||
+ if ((p - response) + size > responseLength)
|
||||
+ return; // truncated
|
||||
|
||||
if (type == QDnsLookup::A) {
|
||||
if (size != 4) {
|
52
ports/qt5-base/patches/CVE-2023-34410-qtbase-5.15.diff
Normal file
52
ports/qt5-base/patches/CVE-2023-34410-qtbase-5.15.diff
Normal file
@ -0,0 +1,52 @@
|
||||
--- a/src/network/ssl/qsslsocket_schannel.cpp
|
||||
+++ b/src/network/ssl/qsslsocket_schannel.cpp
|
||||
@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
|
||||
if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
|
||||
verifyDepth = DWORD(configuration.peerVerifyDepth);
|
||||
|
||||
+ const auto &caCertificates = q->sslConfiguration().caCertificates();
|
||||
+
|
||||
+ if (!rootCertOnDemandLoadingAllowed()
|
||||
+ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
|
||||
+ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
|
||||
+ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
|
||||
+ // When verifying a peer Windows "helpfully" builds a chain that
|
||||
+ // may include roots from the system store. But we don't want that if
|
||||
+ // the user has set their own CA certificates.
|
||||
+ // Since Windows claims this is not a partial chain the root is included
|
||||
+ // and we have to check that it is one of our configured CAs.
|
||||
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
|
||||
+ QSslCertificate certificate = getCertificateFromChainElement(element);
|
||||
+ if (!caCertificates.contains(certificate)) {
|
||||
+ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
|
||||
+ sslErrors += error;
|
||||
+ emit q->peerVerifyError(error);
|
||||
+ if (q->state() != QAbstractSocket::ConnectedState)
|
||||
+ return false;
|
||||
+ }
|
||||
+ }
|
||||
+
|
||||
for (DWORD i = 0; i < verifyDepth; i++) {
|
||||
CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
|
||||
QSslCertificate certificate = getCertificateFromChainElement(element);
|
||||
--- a/src/network/ssl/qsslsocket.cpp
|
||||
+++ b/src/network/ssl/qsslsocket.cpp
|
||||
@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
|
||||
, flushTriggered(false)
|
||||
{
|
||||
QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
|
||||
+ // If the global configuration doesn't allow root certificates to be loaded
|
||||
+ // on demand then we have to disable it for this socket as well.
|
||||
+ if (!configuration.allowRootCertOnDemandLoading)
|
||||
+ allowRootCertOnDemandLoading = false;
|
||||
}
|
||||
|
||||
/*!
|
||||
@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
|
||||
ptr->sessionProtocol = global->sessionProtocol;
|
||||
ptr->ciphers = global->ciphers;
|
||||
ptr->caCertificates = global->caCertificates;
|
||||
+ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
|
||||
ptr->protocol = global->protocol;
|
||||
ptr->peerVerifyMode = global->peerVerifyMode;
|
||||
ptr->peerVerifyDepth = global->peerVerifyDepth;
|
@ -49,6 +49,8 @@ qt_download_submodule( OUT_SOURCE_PATH SOURCE_PATH
|
||||
# CVE fixes from https://download.qt.io/official_releases/qt/5.15/
|
||||
patches/CVE-2023-32762-qtbase-5.15.diff
|
||||
patches/CVE-2023-32763-qtbase-5.15.diff
|
||||
patches/CVE-2023-33285-qtbase-5.15.diff
|
||||
patches/CVE-2023-34410-qtbase-5.15.diff
|
||||
|
||||
patches/winmain_pro.patch #Moves qtmain to manual-link
|
||||
patches/windows_prf.patch #fixes the qtmain dependency due to the above move
|
||||
|
@ -1,7 +1,7 @@
|
||||
{
|
||||
"name": "qt5-base",
|
||||
"version": "5.15.10",
|
||||
"port-version": 1,
|
||||
"port-version": 2,
|
||||
"description": "Qt5 Application Framework Base Module. Includes Core, GUI, Widgets, Networking, SQL, Concurrent and other essential qt components.",
|
||||
"homepage": "https://www.qt.io/",
|
||||
"license": null,
|
||||
|
@ -6582,7 +6582,7 @@
|
||||
},
|
||||
"qt5-base": {
|
||||
"baseline": "5.15.10",
|
||||
"port-version": 1
|
||||
"port-version": 2
|
||||
},
|
||||
"qt5-canvas3d": {
|
||||
"baseline": "0",
|
||||
|
@ -1,5 +1,10 @@
|
||||
{
|
||||
"versions": [
|
||||
{
|
||||
"git-tree": "47eb2c538dd9220fcf44ca6a72f1aa64e4fb8d26",
|
||||
"version": "5.15.10",
|
||||
"port-version": 2
|
||||
},
|
||||
{
|
||||
"git-tree": "3088e8df941cddfdc7dd5a5b6efae7386cb3d388",
|
||||
"version": "5.15.10",
|
||||
|
Loading…
x
Reference in New Issue
Block a user