diff options
author | orbea <orbea@riseup.net> | 2023-05-24 10:13:13 -0700 |
---|---|---|
committer | orbea <orbea@riseup.net> | 2023-05-24 10:13:13 -0700 |
commit | 9121a6d114c04e1530a14b657449d5d2aeb4c93b (patch) | |
tree | b7c608ff842906ff061e75117982362c4281d4e6 | |
parent | dev-db/mysql-connector-c++: stabilize 8.0.32 for arm, ppc64, x86 (diff) | |
download | libressl-9121a6d114c04e1530a14b657449d5d2aeb4c93b.tar.gz libressl-9121a6d114c04e1530a14b657449d5d2aeb4c93b.tar.bz2 libressl-9121a6d114c04e1530a14b657449d5d2aeb4c93b.zip |
dev-qt/qtbase: add 6.5.0-r2
Signed-off-by: orbea <orbea@riseup.net>
-rw-r--r-- | dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch | 54 | ||||
-rw-r--r-- | dev-qt/qtbase/qtbase-6.5.0-r2.ebuild (renamed from dev-qt/qtbase/qtbase-6.5.0-r1.ebuild) | 1 |
2 files changed, 55 insertions, 0 deletions
diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch new file mode 100644 index 0000000..3574706 --- /dev/null +++ b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch @@ -0,0 +1,54 @@ +From eae7c36d681acfb82572b56e24bbb2cd42242e57 Mon Sep 17 00:00:00 2001 +From: =?utf8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io> +Date: Fri, 5 May 2023 11:07:26 +0200 +Subject: [PATCH] Hsts: match header names case insensitively + +Header field names are always considered to be case-insensitive. + +Fixes: QTBUG-113392 +Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43 +Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org> +Reviewed-by: Edward Welbourne <edward.welbourne@qt.io> +Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io> +(cherry picked from commit 1b736a815be0222f4b24289cf17575fc15707305) +Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org> +--- + src/network/access/qhsts.cpp | 4 ++-- + tests/auto/network/access/hsts/tst_qhsts.cpp | 6 ++++++ + 2 files changed, 8 insertions(+), 2 deletions(-) + +diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp +index 39905f354807..82deede17298 100644 +--- a/src/network/access/qhsts.cpp ++++ b/src/network/access/qhsts.cpp +@@ -327,8 +327,8 @@ quoted-pair = "\" CHAR + bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers) + { + for (const auto &h : headers) { +- // We use '==' since header name was already 'trimmed' for us: +- if (h.first == "Strict-Transport-Security") { ++ // We compare directly because header name was already 'trimmed' for us: ++ if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) { + header = h.second; + // RFC6797, 8.1: + // +diff --git a/tests/auto/network/access/hsts/tst_qhsts.cpp b/tests/auto/network/access/hsts/tst_qhsts.cpp +index 252f5e8f5792..97a2d2889e57 100644 +--- a/tests/auto/network/access/hsts/tst_qhsts.cpp ++++ b/tests/auto/network/access/hsts/tst_qhsts.cpp +@@ -216,6 +216,12 @@ void tst_QHsts::testSTSHeaderParser() + QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc()); + QVERIFY(parser.includeSubDomains()); + ++ list.pop_back(); ++ list << Header("strict-transport-security", "includeSubDomains;max-age=1000"); ++ QVERIFY(parser.parse(list)); ++ QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc()); ++ QVERIFY(parser.includeSubDomains()); ++ + list.pop_back(); + // Invalid (includeSubDomains twice): + list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains"); +-- +2.16.3 + diff --git a/dev-qt/qtbase/qtbase-6.5.0-r1.ebuild b/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild index e3c6abe..08f45a6 100644 --- a/dev-qt/qtbase/qtbase-6.5.0-r1.ebuild +++ b/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild @@ -106,6 +106,7 @@ RDEPEND="${DEPEND}" PATCHES=( "${FILESDIR}/${PN}-6.5.0-libressl.patch" "${FILESDIR}/${PN}-6.5.0-setActiveWindow-deprecated-version.patch" + "${FILESDIR}/${PN}-6.5.0-CVE-2023-32762.patch" ) src_configure() { |