diff options
author | Vivek Kumbhar <vkumbhar@mvista.com> | 2023-09-27 11:35:23 +0530 |
---|---|---|
committer | Martin Jansa <martin.jansa@gmail.com> | 2023-09-29 20:17:24 +0200 |
commit | b06461fcc1b4b2af35e874417a3e95dbd0fa3d32 (patch) | |
tree | e75a1268ce4f6cefbf239af7465d1a650c8f9b63 | |
parent | 0a9c9b645aff9c38cbf231692846efcaef476968 (diff) |
qtbase: CVE-2023-32762 Network incorrectly parses the header allowing unencrypted connectionns
Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com>
Signed-off-by: Martin Jansa <martin.jansa@gmail.com>
-rw-r--r-- | recipes-qt/qt5/qtbase/CVE-2023-32762.patch | 56 | ||||
-rw-r--r-- | recipes-qt/qt5/qtbase_git.bb | 1 |
2 files changed, 57 insertions, 0 deletions
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-32762.patch b/recipes-qt/qt5/qtbase/CVE-2023-32762.patch new file mode 100644 index 00000000..866187f7 --- /dev/null +++ b/recipes-qt/qt5/qtbase/CVE-2023-32762.patch @@ -0,0 +1,56 @@ +From 1b736a815be0222f4b24289cf17575fc15707305 Mon Sep 17 00:00:00 2001 +From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io> +Date: Fri, 5 May 2023 11:07:26 +0200 +Subject: [PATCH] Hsts: match header names case insensitively + +Header field names are always considered to be case-insensitive. + +Pick-to: 6.5 6.5.1 6.2 5.15 +Fixes: QTBUG-113392 +Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43 +Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org> +Reviewed-by: Edward Welbourne <edward.welbourne@qt.io> +Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> + +Upstream-Status: Backport [https://github.com/qt/qtbase/commit/1b736a815be0222f4b24289cf17575fc15707305] +CVE: CVE-2023-32762 +Signed-off-by: Vivek Kumbhar <vkumbhar@mvista.com> +--- + src/network/access/qhsts.cpp | 4 ++-- + tests/auto/network/access/hsts/tst_qhsts.cpp | 6 ++++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp +index 0cef0ad3dc..be7ef7ff58 100644 +--- a/src/network/access/qhsts.cpp ++++ b/src/network/access/qhsts.cpp +@@ -364,8 +364,8 @@ quoted-pair = "\" CHAR + bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers) + { + for (const auto &h : headers) { +- // We use '==' since header name was already 'trimmed' for us: +- if (h.first == "Strict-Transport-Security") { ++ // We compare directly because header name was already 'trimmed' for us: ++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) { + header = h.second; + // RFC6797, 8.1: + // +diff --git a/tests/auto/network/access/hsts/tst_qhsts.cpp b/tests/auto/network/access/hsts/tst_qhsts.cpp +index d72991a2eb..c3c5f58c22 100644 +--- a/tests/auto/network/access/hsts/tst_qhsts.cpp ++++ b/tests/auto/network/access/hsts/tst_qhsts.cpp +@@ -241,6 +241,12 @@ void tst_QHsts::testSTSHeaderParser() + QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc()); + QVERIFY(parser.includeSubDomains()); + ++ list.pop_back(); ++ list << Header("strict-transport-security", "includeSubDomains;max-age=1000"); ++ QVERIFY(parser.parse(list)); ++ QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc()); ++ QVERIFY(parser.includeSubDomains()); ++ + list.pop_back(); + // Invalid (includeSubDomains twice): + list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains"); +-- +2.35.7 diff --git a/recipes-qt/qt5/qtbase_git.bb b/recipes-qt/qt5/qtbase_git.bb index b95a86eb..05e0a4dd 100644 --- a/recipes-qt/qt5/qtbase_git.bb +++ b/recipes-qt/qt5/qtbase_git.bb @@ -39,6 +39,7 @@ SRC_URI += "\ file://0022-testlib-don-t-track-the-build-or-source-directories.patch \ file://0023-Remove-unsetting-_FILE_OFFSET_BITS.patch \ file://0026-qsql_odbc-Patch-for-CVE-2023-24607.patch \ + file://CVE-2023-32762.patch \ " # Disable LTO for now, QT5 patches are being worked upstream, perhaps revisit with |