From mboxrd@z Thu Jan 1 00:00:00 1970 Return-Path: Received: from lists.gentoo.org (pigeon.gentoo.org [208.92.234.80]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (2048 bits)) (No client certificate requested) by finch.gentoo.org (Postfix) with ESMTPS id 4874515806E for ; Wed, 24 May 2023 06:52:43 +0000 (UTC) Received: from pigeon.gentoo.org (localhost [127.0.0.1]) by pigeon.gentoo.org (Postfix) with SMTP id 36A03E07C7; Wed, 24 May 2023 06:52:42 +0000 (UTC) Received: from smtp.gentoo.org (dev.gentoo.org [IPv6:2001:470:ea4a:1:5054:ff:fec7:86e4]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by pigeon.gentoo.org (Postfix) with ESMTPS id 17229E07C7 for ; Wed, 24 May 2023 06:52:42 +0000 (UTC) Received: from oystercatcher.gentoo.org (oystercatcher.gentoo.org [148.251.78.52]) (using TLSv1.3 with cipher TLS_AES_256_GCM_SHA384 (256/256 bits) key-exchange X25519 server-signature RSA-PSS (4096 bits)) (No client certificate requested) by smtp.gentoo.org (Postfix) with ESMTPS id 478AC340BDD for ; Wed, 24 May 2023 06:52:41 +0000 (UTC) Received: from localhost.localdomain (localhost [IPv6:::1]) by oystercatcher.gentoo.org (Postfix) with ESMTP id D7FA08E4 for ; Wed, 24 May 2023 06:52:39 +0000 (UTC) 
From: "Jimi Huotari" To: gentoo-commits@lists.gentoo.org Content-Transfer-Encoding: 8bit Content-type: text/plain; charset=UTF-8 Reply-To: gentoo-dev@lists.gentoo.org, "Jimi Huotari" Message-ID: <1684911145.4c3e28351aba00d13ba92a26a23bc51bca630d7d.chiitoo@gentoo> Subject: [gentoo-commits] repo/gentoo:master commit in: dev-qt/qtbase/, dev-qt/qtbase/files/ X-VCS-Repository: repo/gentoo X-VCS-Files: dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch dev-qt/qtbase/qtbase-6.5.0-r2.ebuild X-VCS-Directories: dev-qt/qtbase/files/ dev-qt/qtbase/ X-VCS-Committer: chiitoo X-VCS-Committer-Name: Jimi Huotari X-VCS-Revision: 4c3e28351aba00d13ba92a26a23bc51bca630d7d X-VCS-Branch: master Date: Wed, 24 May 2023 06:52:39 +0000 (UTC) Precedence: bulk List-Post: List-Help: List-Unsubscribe: List-Subscribe: List-Id: Gentoo Linux mail X-BeenThere: gentoo-commits@lists.gentoo.org X-Auto-Response-Suppress: DR, RN, NRN, OOF, AutoReply X-Archives-Salt: d5872d19-a4ea-423b-86c3-a581b27b4e4d X-Archives-Hash: 0e00962996fe08b8dfdf3f31bf252eb6 commit: 4c3e28351aba00d13ba92a26a23bc51bca630d7d Author: Jimi Huotari gentoo org> AuthorDate: Wed May 24 06:43:38 2023 +0000 Commit: Jimi Huotari gentoo org> CommitDate: Wed May 24 06:52:25 2023 +0000 URL: https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=4c3e2835 dev-qt/qtbase: add patch for CVE-2023-32762 See also: https://www.qt.io/blog/security-advisory-qt-network Signed-off-by: Jimi Huotari gentoo.org> .../qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch | 54 ++++++ dev-qt/qtbase/qtbase-6.5.0-r2.ebuild | 192 +++++++++++++++++++++ 2 files changed, 246 insertions(+) diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch new file mode 100644 index 000000000000..3574706fcd85 --- /dev/null +++ b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch 
@@ -0,0 +1,54 @@
+From eae7c36d681acfb82572b56e24bbb2cd42242e57 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?M=C3=A5rten=20Nordheim?=
+Date: Fri, 5 May 2023 11:07:26 +0200
+Subject: [PATCH] Hsts: match header names case insensitively
+
+Header field names are always considered to be case-insensitive.
+
+Fixes: QTBUG-113392
+Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43
+Reviewed-by: Qt CI Bot
+Reviewed-by: Edward Welbourne
+Reviewed-by: Volker Hilsheimer
+(cherry picked from commit 1b736a815be0222f4b24289cf17575fc15707305)
+Reviewed-by: Qt Cherry-pick Bot
+---
+ src/network/access/qhsts.cpp | 4 ++--
+ tests/auto/network/access/hsts/tst_qhsts.cpp | 6 ++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp
+index 39905f354807..82deede17298 100644
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -327,8 +327,8 @@ quoted-pair = "\" CHAR
+ bool QHstsHeaderParser::parse(const QList> &headers)
+ {
+ for (const auto &h : headers) {
+- // We use '==' since header name was already 'trimmed' for us:
+- if (h.first == "Strict-Transport-Security") {
++ // We compare directly because header name was already 'trimmed' for us:
++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
+ header = h.second;
+ // RFC6797, 8.1:
+ //
+diff --git a/tests/auto/network/access/hsts/tst_qhsts.cpp b/tests/auto/network/access/hsts/tst_qhsts.cpp
+index 252f5e8f5792..97a2d2889e57 100644
+--- a/tests/auto/network/access/hsts/tst_qhsts.cpp
++++ b/tests/auto/network/access/hsts/tst_qhsts.cpp
+@@ -216,6 +216,12 @@ void tst_QHsts::testSTSHeaderParser()
+ QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
+ QVERIFY(parser.includeSubDomains());
+ 
++ list.pop_back();
++ list << Header("strict-transport-security", "includeSubDomains;max-age=1000");
++ QVERIFY(parser.parse(list));
++ QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
++ QVERIFY(parser.includeSubDomains());
++
+ list.pop_back();
+ // Invalid (includeSubDomains twice):
+ list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains");
+-- 
+2.16.3
+
diff --git a/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild b/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild
new file mode 100644
index 000000000000..afcd30dfe9f6
--- /dev/null
+++ b/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild
@@ -0,0 +1,192 @@
+# Copyright 2021-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit qt6-build
+
+DESCRIPTION="Cross-platform application development framework"
+
+if [[ ${QT6_BUILD_TYPE} == release ]]; then
+ KEYWORDS="~amd64"
+fi
+
+# Qt Modules
+IUSE="+concurrent +dbus +gui +network +sql opengl +widgets +xml zstd"
+REQUIRED_USE="
+ opengl? ( gui )
+ widgets? ( gui )
+ X? ( || ( evdev libinput ) )
+"
+
+QTGUI_IUSE="accessibility egl eglfs evdev gles2-only +jpeg +libinput tslib tuio vulkan +X"
+QTNETWORK_IUSE="brotli gssapi libproxy sctp +ssl vnc"
+QTSQL_IUSE="freetds mysql oci8 odbc postgres +sqlite"
+IUSE+=" ${QTGUI_IUSE} ${QTNETWORK_IUSE} ${QTSQL_IUSE} cups gtk icu systemd +udev"
+# QtPrintSupport = QtGui + QtWidgets enabled.
+# ibus = xkbcommon + dbus, and xkbcommon needs either libinput or X
+REQUIRED_USE+="
+ $(printf '%s? ( gui ) ' ${QTGUI_IUSE//+/})
+ $(printf '%s? ( network ) ' ${QTNETWORK_IUSE//+/})
+ $(printf '%s? ( sql ) ' ${QTSQL_IUSE//+/})
+ accessibility? ( dbus X )
+ cups? ( gui widgets )
+ eglfs? ( egl )
+ gtk? ( widgets )
+ gui? ( || ( eglfs X ) || ( libinput X ) )
+ libinput? ( udev )
+ sql? ( || ( freetds mysql oci8 odbc postgres sqlite ) )
+ vnc? ( gui )
+ X? ( gles2-only? ( egl ) )
+"
+
+# TODO:
+# qtimageformats: mng not done yet, qtimageformats.git upstream commit 9443239c
+# qtnetwork: connman, networkmanager
+DEPEND="
+ app-crypt/libb2
+ dev-libs/double-conversion:=
+ dev-libs/glib:2
+ dev-libs/libpcre2:=[pcre16,unicode]
+ dev-util/gtk-update-icon-cache
+ media-libs/fontconfig
+ >=media-libs/freetype-2.6.1:2
+ >=media-libs/harfbuzz-1.6.0:=
+ media-libs/tiff:=
+ >=sys-apps/dbus-1.4.20
+ sys-libs/zlib:=
+ brotli? ( app-arch/brotli:= )
+ evdev? ( sys-libs/mtdev )
+ freetds? ( dev-db/freetds )
+ gles2-only? ( media-libs/libglvnd )
+ !gles2-only? ( media-libs/libglvnd[X] )
+ gssapi? ( virtual/krb5 )
+ gtk? (
+ x11-libs/gtk+:3
+ x11-libs/libX11
+ x11-libs/pango
+ )
+ gui? ( media-libs/libpng:= )
+ icu? ( dev-libs/icu:= )
+ !icu? ( virtual/libiconv )
+ jpeg? ( media-libs/libjpeg-turbo:= )
+ libinput? (
+ dev-libs/libinput:=
+ >=x11-libs/libxkbcommon-0.5.0
+ )
+ libproxy? ( net-libs/libproxy )
+ mysql? ( dev-db/mysql-connector-c:= )
+ oci8? ( dev-db/oracle-instantclient:=[sdk] )
+ odbc? ( dev-db/unixODBC )
+ postgres? ( dev-db/postgresql:* )
+ sctp? ( kernel_linux? ( net-misc/lksctp-tools ) )
+ sqlite? ( dev-db/sqlite:3 )
+ ssl? ( dev-libs/openssl:= )
+ systemd? ( sys-apps/systemd:= )
+ tslib? ( >=x11-libs/tslib-1.21 )
+ udev? ( virtual/libudev:= )
+ vulkan? ( dev-util/vulkan-headers )
+ X? (
+ x11-libs/libdrm
+ x11-libs/libICE
+ x11-libs/libSM
+ x11-libs/libX11
+ >=x11-libs/libxcb-1.12:=
+ >=x11-libs/libxkbcommon-0.5.0[X]
+ x11-libs/xcb-util-cursor
+ x11-libs/xcb-util-image
+ x11-libs/xcb-util-keysyms
+ x11-libs/xcb-util-renderutil
+ x11-libs/xcb-util-wm
+ )
+ zstd? ( app-arch/zstd:= )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+ "${FILESDIR}/${PN}-6.5.0-setActiveWindow-deprecated-version.patch"
+ "${FILESDIR}/${PN}-6.5.0-CVE-2023-32762.patch"
+)
+
+src_configure() {
+ local mycmakeargs=(
+ -DINSTALL_ARCHDATADIR=${QT6_ARCHDATADIR}
+ -DINSTALL_BINDIR=${QT6_BINDIR}
+ -DINSTALL_DATADIR=${QT6_DATADIR}
+ -DINSTALL_DOCDIR=${QT6_DOCDIR}
+ -DINSTALL_EXAMPLESDIR=${QT6_EXAMPLESDIR}
+ -DINSTALL_INCLUDEDIR=${QT6_HEADERDIR}
+ -DINSTALL_LIBDIR=${QT6_LIBDIR}
+ -DINSTALL_LIBEXECDIR=${QT6_LIBEXECDIR}
+ -DINSTALL_MKSPECSDIR=${QT6_ARCHDATADIR}/mkspecs
+ -DINSTALL_PLUGINSDIR=${QT6_PLUGINDIR}
+ -DINSTALL_QMLDIR=${QT6_QMLDIR}
+ -DINSTALL_SYSCONFDIR=${QT6_SYSCONFDIR}
+ -DINSTALL_TRANSLATIONSDIR=${QT6_TRANSLATIONDIR}
+ -DQT_FEATURE_androiddeployqt=OFF
+ $(qt_feature concurrent)
+ $(qt_feature dbus)
+ $(qt_feature gui)
+ $(qt_feature gui testlib)
+ $(qt_feature icu)
+ $(qt_feature network)
+ $(qt_feature sql)
+ $(qt_feature systemd journald)
+ $(qt_feature udev libudev)
+ $(qt_feature xml)
+ $(qt_feature zstd)
+ )
+ use gui && mycmakeargs+=(
+ $(qt_feature accessibility accessibility_atspi_bridge)
+ $(qt_feature egl)
+ $(qt_feature egl xcb_egl_plugin)
+ $(qt_feature eglfs eglfs_egldevice)
+ $(qt_feature eglfs eglfs_gbm)
+ $(qt_feature evdev)
+ $(qt_feature evdev mtdev)
+ -DQT_FEATURE_gif=ON
+ $(qt_feature jpeg)
+ $(qt_feature opengl)
+ $(qt_feature gles2-only opengles2)
+ $(qt_feature libinput)
+ $(qt_feature tslib)
+ $(qt_feature tuio tuiotouch)
+ $(qt_feature vulkan)
+ $(qt_feature widgets)
+ $(qt_feature X xcb)
+ $(qt_feature X xcb_xlib)
+ )
+ use widgets && mycmakeargs+=(
+ $(qt_feature cups)
+ $(qt_feature gtk gtk3)
+ )
+ if use libinput || use X; then
+ mycmakeargs+=( -DQT_FEATURE_xkbcommon=ON )
+ fi
+ use network && mycmakeargs+=(
+ $(qt_feature brotli)
+ $(qt_feature gssapi)
+ $(qt_feature libproxy)
+ $(qt_feature sctp)
+ $(qt_feature ssl openssl)
+ $(qt_feature vnc)
+ )
+ use sql && mycmakeargs+=(
+ $(qt_feature freetds sql_tds)
+ $(qt_feature mysql sql_mysql)
+ $(qt_feature oci8 sql_oci)
+ $(qt_feature odbc sql_odbc)
+ $(qt_feature postgres sql_psql)
+ $(qt_feature sqlite sql_sqlite)
+ $(qt_feature sqlite system_sqlite)
+ )
+
+ qt6-build_src_configure
+}
+
+src_install() {
+ qt6-build_src_install
+
+ # https://bugs.gentoo.org/863395
+ qt6_symlink_binary_to_path qmake 6
+}
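Review bot: The new `"${FILESDIR}/${PN}-6.5.0-CVE-2023-32762.patch"` entry in `PATCHES` records neither what the patch fixes nor when it can be dropped, so the next version bump has to re-derive that from the patch's own headers; a comment above it such as `# CVE-2023-32762: HSTS header name was matched case-sensitively (QTBUG-113392); upstream 1b736a81, drop once the bump includes it` keeps that in the ebuild. Per the bundled patch, the old `h.first == "Strict-Transport-Security"` comparison silently ignored the header whenever a server sent its name in any other case, so no HSTS policy was recorded for that host; the fix is in QtNetwork's qhsts.cpp and therefore only matters for builds with USE=network, though applying it unconditionally is harmless. The diffstat shows this commit only adds files, so if an earlier 6.5.0 revision is still in the tree it remains without the fix until it is removed after -r2 is stabilized.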