authorMarek Vasut <marex@denx.de>2023-10-10 16:09:29 +0200
committerMartin Jansa <martin.jansa@gmail.com>2023-10-11 14:18:48 +0200
commitc75c6ac99a5323746d8c92058ec7fe081efe28fe (patch)
treeb033fbb916fd119ecc966b98ad7f03ee7ebfaa1c
parent51cd2acfb67bbbd89985004c064835e7b2f5ac09 (diff)
qtbase: Pick CVE-2023-34410 fix
An issue was discovered in Qt before 5.15.15, 6.x before 6.2.9, and 6.3.x through 6.5.x before 6.5.2. Certificate validation for TLS does not always consider whether the root of a chain is a configured CA certificate. Advisory: https://nvd.nist.gov/vuln/detail/CVE-2023-34410 Patch: https://download.qt.io/official_releases/qt/5.15/CVE-2023-34410-qtbase-5.15.diff Signed-off-by: Marek Vasut <marex@denx.de>
-rw-r--r--recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff54
-rw-r--r--recipes-qt/qt5/qtbase_git.bb1
2 files changed, 55 insertions, 0 deletions
diff --git a/recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff b/recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff
new file mode 100644
index 00000000..726846c5
--- /dev/null
+++ b/recipes-qt/qt5/qtbase/CVE-2023-34410-qtbase-5.15.diff
@@ -0,0 +1,54 @@
+--- a/src/network/ssl/qsslsocket_schannel.cpp
++++ b/src/network/ssl/qsslsocket_schannel.cpp
+@@ -1880,6 +1880,28 @@ bool QSslSocketBackendPrivate::verifyCertContext(CERT_CONTEXT *certContext)
+ if (configuration.peerVerifyDepth > 0 && DWORD(configuration.peerVerifyDepth) < verifyDepth)
+ verifyDepth = DWORD(configuration.peerVerifyDepth);
+
++ const auto &caCertificates = q->sslConfiguration().caCertificates();
++
++ if (!rootCertOnDemandLoadingAllowed()
++ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)
++ && (q->peerVerifyMode() == QSslSocket::VerifyPeer
++ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {
++ // When verifying a peer Windows "helpfully" builds a chain that
++ // may include roots from the system store. But we don't want that if
++ // the user has set their own CA certificates.
++ // Since Windows claims this is not a partial chain the root is included
++ // and we have to check that it is one of our configured CAs.
++ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];
++ QSslCertificate certificate = getCertificateFromChainElement(element);
++ if (!caCertificates.contains(certificate)) {
++ auto error = QSslError(QSslError::CertificateUntrusted, certificate);
++ sslErrors += error;
++ emit q->peerVerifyError(error);
++ if (q->state() != QAbstractSocket::ConnectedState)
++ return false;
++ }
++ }
++
+ for (DWORD i = 0; i < verifyDepth; i++) {
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];
+ QSslCertificate certificate = getCertificateFromChainElement(element);
+
+
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+ , flushTriggered(false)
+ {
+ QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++ // If the global configuration doesn't allow root certificates to be loaded
++ // on demand then we have to disable it for this socket as well.
++ if (!configuration.allowRootCertOnDemandLoading)
++ allowRootCertOnDemandLoading = false;
+ }
+
+ /*!
+@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+ ptr->sessionProtocol = global->sessionProtocol;
+ ptr->ciphers = global->ciphers;
+ ptr->caCertificates = global->caCertificates;
++ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+ ptr->protocol = global->protocol;
+ ptr->peerVerifyMode = global->peerVerifyMode;
+ ptr->peerVerifyDepth = global->peerVerifyDepth; \ No newline at end of file
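Review bot: The new patch file starts directly at `--- a/src/network/ssl/qsslsocket_schannel.cpp` with no header block, so the provenance given in the commit message (the official Qt 5.15 backport URL) and the CVE identifier are not recorded in the patch itself, where OE's patch-status QA and anyone auditing the recipe would look for them. I would prepend `Upstream-Status: Backport [https://download.qt.io/official_releases/qt/5.15/CVE-2023-34410-qtbase-5.15.diff]` and `CVE: CVE-2023-34410` above the first `---` line; the filename already carries the CVE id for cve-check, so the tag is a redundancy that survives a rename. The nested hunks themselves are the upstream fix unchanged: the root-of-chain check in verifyCertContext applies only when Schannel reports a complete chain, and the constructor and deepCopyDefaultConfiguration changes propagate the global allowRootCertOnDemandLoading flag so that check is reachable per socket. verifyCertContext's body continues past the nested hunk, and the file is added without a trailing newline, which GNU patch accepts but reports as ending mid-line.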
diff --git a/recipes-qt/qt5/qtbase_git.bb b/recipes-qt/qt5/qtbase_git.bb
index 66e45392..8fcbec4e 100644
--- a/recipes-qt/qt5/qtbase_git.bb
+++ b/recipes-qt/qt5/qtbase_git.bb
@@ -42,6 +42,7 @@ SRC_URI += "\
file://CVE-2023-32762.patch \
file://CVE-2023-32763-qtbase-5.15.diff \
file://CVE-2023-33285-qtbase-5.15.diff \
+ file://CVE-2023-34410-qtbase-5.15.diff \
"
# Disable LTO for now, QT5 patches are being worked upstream, perhaps revisit with