microsoft
/
CBL-Mariner
зеркало из https://github.com/microsoft/CBL-Mariner.git
1
0
Форкнуть 0
Код Задачи Пакеты Проекты Релизы Вики Активность

[AUTO-CHERRYPICK] qt5-qtbase: Add patch to resolve CVE-2024-39936. - branch main (#10129) 

Co-authored-by: Sumynwa <sumsharma@microsoft.com>
This commit is contained in:
CBL-Mariner-Bot 2024-08-19 11:39:02 -07:00 коммит произвёл GitHub
Родитель 063e609db9
Коммит a58b51846f
Не найден ключ, соответствующий данной подписи
Идентификатор ключа GPG: B5690EEEBB952194
3 изменённых файлов: 251 добавлений и 1 удалений
Показать статистику Скачать Patch файл Скачать Diff файл Показать все файлы Свернуть все файлы

136
SPECS/qt5-qtbase/CVE-2024-39936.patch Normal file
Просмотреть файл

@ -0,0 +1,136 @@
diff --git a/src/network/access/qhttp2protocolhandler.cpp b/src/network/access/qhttp2protocolhandler.cpp
index d1b5dfda2e2..ee04a1856c6 100644
--- a/src/network/access/qhttp2protocolhandler.cpp
+++ b/src/network/access/qhttp2protocolhandler.cpp
@@ -375,12 +375,12 @@ bool QHttp2ProtocolHandler::sendRequest()
}
}
- if (!prefaceSent && !sendClientPreface())
- return false;
-
if (!requests.size())
return true;
+ if (!prefaceSent && !sendClientPreface())
+ return false;
+
m_channel->state = QHttpNetworkConnectionChannel::WritingState;
// Check what was promised/pushed, maybe we do not have to send a request
// and have a response already?
diff --git a/src/network/access/qhttpnetworkconnectionchannel.cpp b/src/network/access/qhttpnetworkconnectionchannel.cpp
index bd2f32e3528..6f3bd807a09 100644
--- a/src/network/access/qhttpnetworkconnectionchannel.cpp
+++ b/src/network/access/qhttpnetworkconnectionchannel.cpp
@@ -255,6 +255,10 @@ void QHttpNetworkConnectionChannel::abort()
bool QHttpNetworkConnectionChannel::sendRequest()
{
Q_ASSERT(!protocolHandler.isNull());
+ if (waitingForPotentialAbort) {
+ needInvokeSendRequest = true;
+ return false; // this return value is unused
+ }
return protocolHandler->sendRequest();
}
@@ -267,21 +271,28 @@ bool QHttpNetworkConnectionChannel::sendRequest()
void QHttpNetworkConnectionChannel::sendRequestDelayed()
{
QMetaObject::invokeMethod(this, [this] {
- Q_ASSERT(!protocolHandler.isNull());
if (reply)
- protocolHandler->sendRequest();
+ sendRequest();
}, Qt::ConnectionType::QueuedConnection);
}
void QHttpNetworkConnectionChannel::_q_receiveReply()
{
Q_ASSERT(!protocolHandler.isNull());
+ if (waitingForPotentialAbort) {
+ needInvokeReceiveReply = true;
+ return;
+ }
protocolHandler->_q_receiveReply();
}
void QHttpNetworkConnectionChannel::_q_readyRead()
{
Q_ASSERT(!protocolHandler.isNull());
+ if (waitingForPotentialAbort) {
+ needInvokeReadyRead = true;
+ return;
+ }
protocolHandler->_q_readyRead();
}
@@ -1289,7 +1300,18 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
// Similar to HTTP/1.1 counterpart below:
const auto &pairs = spdyRequestsToSend.values(); // (request, reply)
const auto &pair = pairs.first();
+ waitingForPotentialAbort = true;
emit pair.second->encrypted();
+
+ // We don't send or handle any received data until any effects from
+ // emitting encrypted() have been processed. This is necessary
+ // because the user may have called abort(). We may also abort the
+ // whole connection if the request has been aborted and there is
+ // no more requests to send.
+ QMetaObject::invokeMethod(this,
+ &QHttpNetworkConnectionChannel::checkAndResumeCommunication,
+ Qt::QueuedConnection);
+
// In case our peer has sent us its settings (window size, max concurrent streams etc.)
// let's give _q_receiveReply a chance to read them first ('invokeMethod', QueuedConnection).
QMetaObject::invokeMethod(connection, "_q_startNextRequest", Qt::QueuedConnection);
@@ -1307,6 +1329,26 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
}
}
+void QHttpNetworkConnectionChannel::checkAndResumeCommunication()
+{
+ Q_ASSERT(connection->connectionType() > QHttpNetworkConnection::ConnectionTypeHTTP);
+
+ // Because HTTP/2 requires that we send a SETTINGS frame as the first thing we do, and respond
+ // to a SETTINGS frame with an ACK, we need to delay any handling until we can ensure that any
+ // effects from emitting encrypted() have been processed.
+ // This function is called after encrypted() was emitted, so check for changes.
+
+ if (!reply && spdyRequestsToSend.isEmpty())
+ abort();
+ waitingForPotentialAbort = false;
+ if (needInvokeReadyRead)
+ _q_readyRead();
+ if (needInvokeReceiveReply)
+ _q_receiveReply();
+ if (needInvokeSendRequest)
+ sendRequest();
+}
+
void QHttpNetworkConnectionChannel::requeueSpdyRequests()
{
QList<HttpMessagePair> spdyPairs = spdyRequestsToSend.values();
diff --git a/src/network/access/qhttpnetworkconnectionchannel_p.h b/src/network/access/qhttpnetworkconnectionchannel_p.h
index 6be0c51f9fe..613fda7bc31 100644
--- a/src/network/access/qhttpnetworkconnectionchannel_p.h
+++ b/src/network/access/qhttpnetworkconnectionchannel_p.h
@@ -107,6 +107,10 @@ public:
QAbstractSocket *socket;
bool ssl;
bool isInitialized;
+ bool waitingForPotentialAbort = false;
+ bool needInvokeReceiveReply = false;
+ bool needInvokeReadyRead = false;
+ bool needInvokeSendRequest = false;
ChannelState state;
QHttpNetworkRequest request; // current request, only used for HTTP
QHttpNetworkReply *reply; // current reply for this request, only used for HTTP
@@ -187,6 +191,8 @@ public:
void closeAndResendCurrentRequest();
void resendCurrentRequest();
+ void checkAndResumeCommunication();
+
bool isSocketBusy() const;
bool isSocketWriting() const;
bool isSocketWaiting() const;

105
SPECS/qt5-qtbase/qt5-qtbase-5.15-http-encrypted-signal.patch Normal file
Просмотреть файл

@ -0,0 +1,105 @@
From 09e22c6c3280d4187b1ed2d979ceea478b7bed75 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
Date: Tue, 11 Aug 2020 17:20:03 +0200
Subject: [PATCH] QNAM: Don't error out if the server doesn't support any ALPN
we request
If we ask for HTTP/2 or 1.1 and the server doesn't list either then we
should still try to connect using HTTP/1(.1) just in case, to keep
compatibility.
Task-number: QTBUG-85902
Change-Id: I6ff2e38ac9d767e482a19ee4c81d101be37d3fab
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
---
From 62d85389a4a3ef22db80e721bf7c646a50874452 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
Date: Tue, 18 Aug 2020 12:10:16 +0200
Subject: [PATCH] http: When falling back to http/1 use the socket's ssl config
And not the ssl configuration we have on the reply since it's missing
e.g. the newly received session ticket.
Change-Id: Idfeb09012a847605a76d1fe4fb881c663d019b4a
Reviewed-by: Peter Hartmann <peter@edelhirsch.io>
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
---
From 95064c35826793c5d6a4edff9fa08ad308b047bb Mon Sep 17 00:00:00 2001
From: Timur Pocheptsov <timur.pocheptsov@qt.io>
Date: Tue, 20 Jul 2021 08:16:28 +0200
Subject: [PATCH] H2: emit encrypted for at least the first reply, similar to
H1
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Fixes: QTBUG-95277
Change-Id: I1fe01503376c0d6278e366d7bd31b412b7cc3a69
Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
(cherry picked from commit c23b7886348dc313ccec1a131850a7cce1b429de)
---
src/network/access/qhttpnetworkconnectionchannel.cpp | 22 +++++++++----------
1 file changed, 10 insertions(+), 12 deletions(-)
diff --git a/src/network/access/qhttpnetworkconnectionchannel.cpp b/src/network/access/qhttpnetworkconnectionchannel.cpp
index 1fac24ab..d078b194 100644
--- a/src/network/access/qhttpnetworkconnectionchannel.cpp
+++ b/src/network/access/qhttpnetworkconnectionchannel.cpp
@@ -1176,8 +1176,7 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
// after establishing a secure connection we immediately start sending
// HTTP/2 frames.
switch (sslSocket->sslConfiguration().nextProtocolNegotiationStatus()) {
- case QSslConfiguration::NextProtocolNegotiationNegotiated:
- case QSslConfiguration::NextProtocolNegotiationUnsupported: {
+ case QSslConfiguration::NextProtocolNegotiationNegotiated: {
QByteArray nextProtocol = sslSocket->sslConfiguration().nextNegotiatedProtocol();
if (nextProtocol == QSslConfiguration::NextProtocolHttp1_1) {
// fall through to create a QHttpProtocolHandler
@@ -1199,17 +1198,12 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
}
}
Q_FALLTHROUGH();
+ case QSslConfiguration::NextProtocolNegotiationUnsupported: // No agreement, try HTTP/1(.1)
case QSslConfiguration::NextProtocolNegotiationNone: {
protocolHandler.reset(new QHttpProtocolHandler(this));
- if (!sslConfiguration.data()) {
- // Our own auto-tests bypass the normal initialization (done by
- // QHttpThreadDelegate), this means in the past we'd have here
- // the default constructed QSslConfiguration without any protocols
- // to negotiate. Let's create it now:
- sslConfiguration.reset(new QSslConfiguration);
- }
- QList<QByteArray> protocols = sslConfiguration->allowedNextProtocols();
+ QSslConfiguration newConfiguration = sslSocket->sslConfiguration();
+ QList<QByteArray> protocols = newConfiguration.allowedNextProtocols();
const int nProtocols = protocols.size();
// Clear the protocol that we failed to negotiate, so we do not try
// it again on other channels that our connection can create/open.
@@ -1219,10 +1213,10 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
protocols.removeAll(QSslConfiguration::NextProtocolSpdy3_0);
if (nProtocols > protocols.size()) {
- sslConfiguration->setAllowedNextProtocols(protocols);
+ newConfiguration.setAllowedNextProtocols(protocols);
const int channelCount = connection->d_func()->channelCount;
for (int i = 0; i < channelCount; ++i)
- connection->d_func()->channels[i].setSslConfiguration(*sslConfiguration);
+ connection->d_func()->channels[i].setSslConfiguration(newConfiguration);
}
connection->setConnectionType(QHttpNetworkConnection::ConnectionTypeHTTP);
@@ -1257,6 +1251,10 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
connection->connectionType() == QHttpNetworkConnection::ConnectionTypeHTTP2Direct) {
// we call setSpdyWasUsed(true) on the replies in the SPDY handler when the request is sent
if (spdyRequestsToSend.count() > 0) {
+ // Similar to HTTP/1.1 counterpart below:
+ const auto &pairs = spdyRequestsToSend.values(); // (request, reply)
+ const auto &pair = pairs.first();
+ emit pair.second->encrypted();
// In case our peer has sent us its settings (window size, max concurrent streams etc.)
// let's give _q_receiveReply a chance to read them first ('invokeMethod', QueuedConnection).
QMetaObject::invokeMethod(connection, "_q_startNextRequest", Qt::QueuedConnection);
--
2.25.1

11
SPECS/qt5-qtbase/qt5-qtbase.spec
Просмотреть файл

@ -33,7 +33,7 @@
Name: qt5-qtbase
Summary: Qt5 - QtBase components
Version: 5.12.11
Release: 12%{?dist}
Release: 13%{?dist}
# See LICENSE.GPL3-EXCEPT.txt, for exception details
License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
Vendor: Microsoft Corporation
@ -159,6 +159,10 @@ Patch89: CVE-2021-38593.patch
# Fix CVE-2022-25643
Patch90: CVE-2022-25643.patch
# Fix CVE-2024-39936
Patch91: qt5-qtbase-5.15-http-encrypted-signal.patch
Patch92: CVE-2024-39936.patch
# Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
# Those themes are there for platform integration. If the required libraries are
# not there, the platform to integrate with isn't either. Then Qt will just
@ -270,6 +274,8 @@ Qt5 libraries used for drawing widgets and OpenGL items.
%patch88 -p1
%patch89 -p1
%patch90 -p1
%patch91 -p1
%patch92 -p1
## upstream patches
@ -775,6 +781,9 @@ fi
%{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake
%changelog
* Wed Aug 07 2024 Sumedh Sharma <sumsharma@microsoft.com> - 5.12.11-13
- Add patch to resolve CVE-2024-39936.
* Wed Mar 27 2024 Alberto David Perez Guevara <aperezguevar@microsoft.com> - 5.12.11-12
- Add patch to resolve CVE-2022-25643.