$(package)_patches += windows_func_fix.patch
$(package)_patches += WindowsToolchain.cmake
$(package)_patches += revert_f99ee441.patch
+$(package)_patches += CVE-2023-34410-qtbase-6.5.diff
$(package)_qttools_file_name=qttools-$($(package)_suffix)
$(package)_qttools_sha256_hash=5744df9e84b2a86f7f932ffc00341c7d7209e741fd1c0679a32b855fcceb2329
mv $($(package)_patch_dir)/riscvToolchain.cmake . && \
cd qtbase && \
patch -p1 -i $($(package)_patch_dir)/revert_f99ee441.patch && \
+ patch -p1 -i $($(package)_patch_dir)/CVE-2023-34410-qtbase-6.5.diff && \
cd ../qtmultimedia && \
patch -p1 -i $($(package)_patch_dir)/qtmultimedia-fixes.patch && \
patch -p1 -i $($(package)_patch_dir)/v4l2.patch
--- /dev/null
+--- a/src/plugins/tls/schannel/qtls_schannel.cpp\r
++++ b/src/plugins/tls/schannel/qtls_schannel.cpp\r
+@@ -2106,6 +2106,27 @@ bool TlsCryptographSchannel::verifyCertContext(CERT_CONTEXT *certContext)\r
+ verifyDepth = DWORD(q->peerVerifyDepth());\r
+\r
+ const auto &caCertificates = q->sslConfiguration().caCertificates();\r
++\r
++ if (!rootCertOnDemandLoadingAllowed()\r
++ && !(chain->TrustStatus.dwErrorStatus & CERT_TRUST_IS_PARTIAL_CHAIN)\r
++ && (q->peerVerifyMode() == QSslSocket::VerifyPeer\r
++ || (isClient && q->peerVerifyMode() == QSslSocket::AutoVerifyPeer))) {\r
++ // When verifying a peer Windows "helpfully" builds a chain that\r
++ // may include roots from the system store. But we don't want that if\r
++ // the user has set their own CA certificates.\r
++ // Since Windows claims this is not a partial chain the root is included\r
++ // and we have to check that it is one of our configured CAs.\r
++ CERT_CHAIN_ELEMENT *element = chain->rgpElement[chain->cElement - 1];\r
++ QSslCertificate certificate = getCertificateFromChainElement(element);\r
++ if (!caCertificates.contains(certificate)) {\r
++ auto error = QSslError(QSslError::CertificateUntrusted, certificate);\r
++ sslErrors += error;\r
++ emit q->peerVerifyError(error);\r
++ if (q->state() != QAbstractSocket::ConnectedState)\r
++ return false;\r
++ }\r
++ }\r
++\r
+ QList<QSslCertificate> peerCertificateChain;\r
+ for (DWORD i = 0; i < verifyDepth; i++) {\r
+ CERT_CHAIN_ELEMENT *element = chain->rgpElement[i];\r
+\r
+--- a/src/network/ssl/qsslsocket.cpp\r
++++ b/src/network/ssl/qsslsocket.cpp\r
+@@ -1973,6 +1973,10 @@ QSslSocketPrivate::QSslSocketPrivate()\r
+ , flushTriggered(false)\r
+ {\r
+ QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);\r
++ // If the global configuration doesn't allow root certificates to be loaded\r
++ // on demand then we have to disable it for this socket as well.\r
++ if (!configuration.allowRootCertOnDemandLoading)\r
++ allowRootCertOnDemandLoading = false;\r
+\r
+ const auto *tlsBackend = tlsBackendInUse();\r
+ if (!tlsBackend) {\r
+@@ -2281,6 +2285,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri\r
+ ptr->sessionProtocol = global->sessionProtocol;\r
+ ptr->ciphers = global->ciphers;\r
+ ptr->caCertificates = global->caCertificates;\r
++ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;\r
+ ptr->protocol = global->protocol;\r
+ ptr->peerVerifyMode = global->peerVerifyMode;\r
+ ptr->peerVerifyDepth = global->peerVerifyDepth;\r
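Review bot: Every line of the new CVE-2023-34410-qtbase-6.5.diff ends in a carriage return, unlike the other patches qt.mk applies with `patch -p1 -i`; whether GNU patch silently strips those CRs when the qtbase sources are LF-only depends on the patch version on the builder, so the file should be normalized to LF before it is committed rather than relying on that tolerance. The file also carries no provenance preamble: a few lines before the first `--- a/` header such as `Backport of upstream qtbase commit <UPSTREAM_COMMIT_ID> for CVE-2023-34410: when root-certificate on-demand loading is disabled, reject Schannel-built chains whose root is not among the configured CA certificates. Touches src/plugins/tls/schannel/qtls_schannel.cpp and src/network/ssl/qsslsocket.cpp.` would let a maintainer verify the backport and know when the depends Qt bump makes it obsolete. The `+++ b/` and `@@` headers for the new file are not shown here, so the patch file may extend beyond the last embedded hunk visible.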