From 09caf369589843cdb90c7ee01c906a4af2ea903f Mon Sep 17 00:00:00 2001 From: CentOS Sources Date: Nov 03 2020 11:55:00 +0000 Subject: import qt5-qtbase-5.12.5-6.el8 --- diff --git a/SOURCES/qtbase-add-expansion-limit-for-entities.patch b/SOURCES/qtbase-add-expansion-limit-for-entities.patch new file mode 100644 index 0000000..162ad91 --- /dev/null +++ b/SOURCES/qtbase-add-expansion-limit-for-entities.patch @@ -0,0 +1,146 @@ +From f432c08882ffebe5074ea28de871559a98a4d094 Mon Sep 17 00:00:00 2001 +From: Lars Knoll +Date: Wed, 26 Feb 2020 10:42:10 +0100 +Subject: Add an expansion limit for entities + +Recursively defined entities can easily exhaust all available +memory. Limit entity expansion to a default of 4096 characters to +avoid DoS attacks when a user loads untrusted content. + +[ChangeLog][QtCore][QXmlStream] QXmlStreamReader does now +limit the expansion of entities to 4096 characters. Documents where +a single entity expands to more characters than the limit are not +considered well formed. The limit is there to avoid DoS attacks through +recursively expanding entities when loading untrusted content. Qt 5.15 +will add methods that allow changing that limit. + +Fixes: QTBUG-47417 +Change-Id: I94387815d74fcf34783e136387ee57fac5ded0c9 +Reviewed-by: Oswald Buddenhagen +Reviewed-by: Volker Hilsheimer +(cherry picked from commit fd4be84d23a0db4186cb42e736a9de3af722c7f7) +Reviewed-by: Eirik Aavitsland +--- + src/corelib/serialization/qxmlstream.g | 14 ++++++++++++- + src/corelib/serialization/qxmlstream_p.h | 14 ++++++++++++- + .../serialization/qxmlstream/tst_qxmlstream.cpp | 23 ++++++++++++++++++++-- + 3 files changed, 47 insertions(+), 4 deletions(-) + +diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g +index 10bfcd491c..5726bafb26 100644 +--- a/src/corelib/serialization/qxmlstream.g ++++ b/src/corelib/serialization/qxmlstream.g +@@ -277,9 +277,19 @@ public: + QHash entityHash; + QHash parameterEntityHash; + QXmlStreamSimpleStackentityReferenceStack; ++ int entityExpansionLimit = 4096; ++ int entityLength = 0; + inline bool referenceEntity(Entity &entity) { + if (entity.isCurrentlyReferenced) { +- raiseWellFormedError(QXmlStream::tr("Recursive entity detected.")); ++ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected.")); ++ return false; ++ } ++ // entityLength represents the amount of additional characters the ++ // entity expands into (can be negative for e.g. &). It's used to ++ // avoid DoS attacks through recursive entity expansions ++ entityLength += entity.value.size() - entity.name.size() - 2; ++ if (entityLength > entityExpansionLimit) { ++ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit.")); + return false; + } + entity.isCurrentlyReferenced = true; +@@ -830,6 +840,8 @@ entity_done ::= ENTITY_DONE; + /. + case $rule_number: + entityReferenceStack.pop()->isCurrentlyReferenced = false; ++ if (entityReferenceStack.isEmpty()) ++ entityLength = 0; + clearSym(); + break; + ./ +diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h +index 61f501f81b..31053f8e0b 100644 +--- a/src/corelib/serialization/qxmlstream_p.h ++++ b/src/corelib/serialization/qxmlstream_p.h +@@ -774,9 +774,19 @@ public: + QHash entityHash; + QHash parameterEntityHash; + QXmlStreamSimpleStackentityReferenceStack; ++ int entityExpansionLimit = 4096; ++ int entityLength = 0; + inline bool referenceEntity(Entity &entity) { + if (entity.isCurrentlyReferenced) { +- raiseWellFormedError(QXmlStream::tr("Recursive entity detected.")); ++ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected.")); ++ return false; ++ } ++ // entityLength represents the amount of additional characters the ++ // entity expands into (can be negative for e.g. &). It's used to ++ // avoid DoS attacks through recursive entity expansions ++ entityLength += entity.value.size() - entity.name.size() - 2; ++ if (entityLength > entityExpansionLimit) { ++ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit.")); + return false; + } + entity.isCurrentlyReferenced = true; +@@ -1308,6 +1318,8 @@ bool QXmlStreamReaderPrivate::parse() + + case 10: + entityReferenceStack.pop()->isCurrentlyReferenced = false; ++ if (entityReferenceStack.isEmpty()) ++ entityLength = 0; + clearSym(); + break; + +diff --git a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp +index 8fdf91b090..1f9a0d575d 100644 +--- a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp ++++ b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp +@@ -393,8 +393,6 @@ public: + return true; + } + +- QXmlStreamReader reader(&inputFile); +- + /* See testcases.dtd which reads: 'Nonvalidating parsers + * must also accept "invalid" testcases, but validating ones must reject them.' */ + if(type == QLatin1String("invalid") || type == QLatin1String("valid")) +@@ -580,6 +578,8 @@ private slots: + void roundTrip() const; + void roundTrip_data() const; + ++ void entityExpansionLimit() const; ++ + private: + static QByteArray readFile(const QString &filename); + +@@ -1756,6 +1756,25 @@ void tst_QXmlStream::roundTrip_data() const + "\n"; + } + ++void tst_QXmlStream::entityExpansionLimit() const ++{ ++ QString xml = QStringLiteral("" ++ "" ++ "" ++ "" ++ "" ++ "]>" ++ "&d;&d;&d;"); ++ { ++ QXmlStreamReader reader(xml); ++ do { ++ reader.readNext(); ++ } while (!reader.atEnd()); ++ QCOMPARE(reader.error(), QXmlStreamReader::NotWellFormedError); ++ } ++} ++ + void tst_QXmlStream::roundTrip() const + { + QFETCH(QString, in); +-- +cgit v1.2.1 diff --git a/SOURCES/qtbase-do-not-load-plugin-from-pwd.patch b/SOURCES/qtbase-do-not-load-plugin-from-pwd.patch new file mode 100644 index 0000000..b07a8ed --- /dev/null +++ b/SOURCES/qtbase-do-not-load-plugin-from-pwd.patch @@ -0,0 +1,28 @@ +From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001 +From: Olivier Goffart +Date: Fri, 8 Nov 2019 11:30:40 +0100 +Subject: Do not load plugin from the $PWD + +I see no reason why this would make sense to look for plugins in the current +directory. And when there are plugins there, it may actually be wrong + +Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5 +Reviewed-by: Thiago Macieira +--- + src/corelib/plugin/qpluginloader.cpp | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp +index cadff4f32b..c2443dbdda 100644 +--- a/src/corelib/plugin/qpluginloader.cpp ++++ b/src/corelib/plugin/qpluginloader.cpp +@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName) + paths.append(fileName.left(slash)); // don't include the '/' + } else { + paths = QCoreApplication::libraryPaths(); +- paths.prepend(QStringLiteral(".")); // search in current dir first + } + + for (const QString &path : qAsConst(paths)) { +-- +cgit v1.2.1 diff --git a/SOURCES/qtbase-openssl-handle-ssl-shutdown-errors-properly.patch b/SOURCES/qtbase-openssl-handle-ssl-shutdown-errors-properly.patch new file mode 100644 index 0000000..44db0dc --- /dev/null +++ b/SOURCES/qtbase-openssl-handle-ssl-shutdown-errors-properly.patch @@ -0,0 +1,161 @@ +From 36a8bdbc8417506513207daf4f36533a3d6632f3 Mon Sep 17 00:00:00 2001 +From: Timur Pocheptsov +Date: Mon, 13 Apr 2020 20:31:34 +0200 +Subject: [PATCH] OpenSSL: handle SSL_shutdown's errors properly + +Do not call SSL_shutdown on a session that is in handshake state (SSL_in_init(s) +returns 1). Also, do not call SSL_shutdown if a session encountered a fatal +error (SSL_ERROR_SYSCALL or SSL_ERROR_SSL was found before). If SSL_shutdown +was unsuccessful (returned code != 1), we have to clear the error(s) it queued. +Unfortunately, SSL_in_init was a macro in OpenSSL 1.0.x. We have to +resolve SSL_state to implement SSL_in_init. + +Fixes: QTBUG-83450 +Change-Id: I6326119f4e79605429263045ac20605c30dccca3 +Reviewed-by: MÃ¥rten Nordheim +(cherry picked from commit 8907635da59c2ae0e8db01f27b24a841b830e655) +(cherry picked from commit 8ddffc6ba4f38bb8dbeb0cf61b6b10ee73505bbb) +--- + +diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp +index 4f49a71..9f9eaf3 100644 +--- a/src/network/ssl/qsslsocket.cpp ++++ b/src/network/ssl/qsslsocket.cpp +@@ -2108,7 +2108,7 @@ + shutdown = false; + pendingClose = false; + flushTriggered = false; +- ++ systemOrSslErrorDetected = false; + // we don't want to clear the ignoreErrorsList, so + // that it is possible setting it before connecting + // ignoreErrorsList.clear(); +diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp +index ec772dd..c4abc1e 100644 +--- a/src/network/ssl/qsslsocket_openssl.cpp ++++ b/src/network/ssl/qsslsocket_openssl.cpp +@@ -471,10 +471,16 @@ + void QSslSocketBackendPrivate::destroySslContext() + { + if (ssl) { +- // We do not send a shutdown alert here. Just mark the session as +- // resumable for qhttpnetworkconnection's "optimization", otherwise +- // OpenSSL won't start a session resumption. +- q_SSL_shutdown(ssl); ++ if (!q_SSL_in_init(ssl) && !systemOrSslErrorDetected) { ++ // We do not send a shutdown alert here. Just mark the session as ++ // resumable for qhttpnetworkconnection's "optimization", otherwise ++ // OpenSSL won't start a session resumption. ++ if (q_SSL_shutdown(ssl) != 1) { ++ // Some error may be queued, clear it. ++ const auto errors = getErrorsFromOpenSsl(); ++ Q_UNUSED(errors); ++ } ++ } + q_SSL_free(ssl); + ssl = nullptr; + } +@@ -909,6 +915,7 @@ + case SSL_ERROR_SSL: // error in the SSL library + // we do not know exactly what the error is, nor whether we can recover from it, + // so just return to prevent an endless loop in the outer "while" statement ++ systemOrSslErrorDetected = true; + { + const ScopedBool bg(inSetAndEmitError, true); + setErrorAndEmit(QAbstractSocket::SslInternalError, +@@ -1309,8 +1316,12 @@ + void QSslSocketBackendPrivate::disconnectFromHost() + { + if (ssl) { +- if (!shutdown) { +- q_SSL_shutdown(ssl); ++ if (!shutdown && !q_SSL_in_init(ssl) && !systemOrSslErrorDetected) { ++ if (q_SSL_shutdown(ssl) != 1) { ++ // Some error may be queued, clear it. ++ const auto errors = getErrorsFromOpenSsl(); ++ Q_UNUSED(errors); ++ } + shutdown = true; + transmit(); + } +diff --git a/src/network/ssl/qsslsocket_openssl11_symbols_p.h b/src/network/ssl/qsslsocket_openssl11_symbols_p.h +index 0c32b0a..c80baa2 100644 +--- a/src/network/ssl/qsslsocket_openssl11_symbols_p.h ++++ b/src/network/ssl/qsslsocket_openssl11_symbols_p.h +@@ -186,4 +186,11 @@ + } + void q_SSL_set_psk_use_session_callback(SSL *s, q_SSL_psk_use_session_cb_func_t); + ++#if OPENSSL_VERSION_NUMBER < 0x10101000L ++// What a mess! ++int q_SSL_in_init(SSL *s); ++#else ++int q_SSL_in_init(const SSL *s); ++#endif // 1.1.1 or 1.1.0 ++ + #endif +diff --git a/src/network/ssl/qsslsocket_openssl_symbols.cpp b/src/network/ssl/qsslsocket_openssl_symbols.cpp +index 62ac228..60ba3a0 100644 +--- a/src/network/ssl/qsslsocket_openssl_symbols.cpp ++++ b/src/network/ssl/qsslsocket_openssl_symbols.cpp +@@ -161,6 +161,11 @@ + DEFINEFUNC2(void *, OPENSSL_sk_value, OPENSSL_STACK *a, a, int b, b, return nullptr, return) + DEFINEFUNC(int, SSL_session_reused, SSL *a, a, return 0, return) + DEFINEFUNC2(unsigned long, SSL_CTX_set_options, SSL_CTX *ctx, ctx, unsigned long op, op, return 0, return) ++#if OPENSSL_VERSION_NUMBER < 0x10101000L ++DEFINEFUNC(int, SSL_in_init, SSL *a, a, return 0, return) ++#else ++DEFINEFUNC(int, SSL_in_init, const SSL *a, a, return 0, return) ++#endif + #ifdef TLS1_3_VERSION + DEFINEFUNC2(int, SSL_CTX_set_ciphersuites, SSL_CTX *ctx, ctx, const char *str, str, return 0, return) + DEFINEFUNC2(void, SSL_set_psk_use_session_callback, SSL *ssl, ssl, q_SSL_psk_use_session_cb_func_t callback, callback, return, DUMMYARG) +@@ -213,6 +218,7 @@ + // Functions below are either deprecated or removed in OpenSSL >= 1.1: + + DEFINEFUNC(unsigned char *, ASN1_STRING_data, ASN1_STRING *a, a, return nullptr, return) ++DEFINEFUNC(int, SSL_state, const SSL *a, a, return 0, return) + + #ifdef SSLEAY_MACROS + DEFINEFUNC3(void *, ASN1_dup, i2d_of_void *a, a, d2i_of_void *b, b, char *c, c, return nullptr, return) +@@ -988,6 +994,7 @@ + #if QT_CONFIG(opensslv11) + + RESOLVEFUNC(OPENSSL_init_ssl) ++ RESOLVEFUNC(SSL_in_init) + RESOLVEFUNC(OPENSSL_init_crypto) + RESOLVEFUNC(ASN1_STRING_get0_data) + RESOLVEFUNC(EVP_CIPHER_CTX_reset) +@@ -1060,6 +1067,7 @@ + #else // !opensslv11 + + RESOLVEFUNC(ASN1_STRING_data) ++ RESOLVEFUNC(SSL_state) + + #ifdef SSLEAY_MACROS + RESOLVEFUNC(ASN1_dup) +diff --git a/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h +index 48364ce..c139ecb 100644 +--- a/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h ++++ b/src/network/ssl/qsslsocket_opensslpre11_symbols_p.h +@@ -132,6 +132,8 @@ + + int q_SSL_library_init(); + void q_SSL_load_error_strings(); ++int q_SSL_state(const SSL *a); ++#define q_SSL_in_init(a) (q_SSL_state(a) & SSL_ST_INIT) + + #if OPENSSL_VERSION_NUMBER >= 0x10001000L + int q_SSL_get_ex_new_index(long argl, void *argp, CRYPTO_EX_new *new_func, CRYPTO_EX_dup *dup_func, CRYPTO_EX_free *free_func); +diff --git a/src/network/ssl/qsslsocket_p.h b/src/network/ssl/qsslsocket_p.h +index 6f34c6c..e657987 100644 +--- a/src/network/ssl/qsslsocket_p.h ++++ b/src/network/ssl/qsslsocket_p.h +@@ -220,6 +220,7 @@ + bool verifyErrorsHaveBeenIgnored(); + bool paused; + bool flushTriggered; ++ bool systemOrSslErrorDetected = false; + }; + + QT_END_NAMESPACE diff --git a/SOURCES/qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch b/SOURCES/qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch new file mode 100644 index 0000000..824640c --- /dev/null +++ b/SOURCES/qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch @@ -0,0 +1,52 @@ +From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001 +From: Thiago Macieira +Date: Fri, 10 Jan 2020 09:26:27 -0800 +Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD + +I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to +find libraries in a haswell/ subdir of the main path, but we only need +to do that transformation if the library is contains at least one +directory seprator. That is, if the user asks to load "lib/foo", then we +should try "lib/haswell/foo" (often, the path prefix will be absolute). + +When the library name the user requested has no directory separators, we +let dlopen() do the transformation for us. Testing on Linux confirms +glibc does so: + +$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor + 1972475: find library=libXcursor.so.1 [0]; searching + 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1 + 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1 + 1972475: trying file=/usr/lib64/libXcursor.so.1 + 1972475: calling init: /usr/lib64/libXcursor.so.1 + 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0] + +Fixes: QTBUG-81272 +Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb +Reviewed-by: Thiago Macieira +--- + src/corelib/plugin/qlibrary_unix.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp +index e0381498..7cc7c8e3 100644 +--- a/src/corelib/plugin/qlibrary_unix.cpp ++++ b/src/corelib/plugin/qlibrary_unix.cpp +@@ -1,7 +1,7 @@ + /**************************************************************************** + ** + ** Copyright (C) 2016 The Qt Company Ltd. +-** Copyright (C) 2018 Intel Corporation ++** Copyright (C) 2020 Intel Corporation + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtCore module of the Qt Toolkit. +@@ -208,6 +208,8 @@ bool QLibraryPrivate::load_sys() + for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) { + if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix))) + continue; ++ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/'))) ++ continue; + if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix))) + continue; + if (loadHints & QLibrary::LoadArchiveMemberHint) { diff --git a/SPECS/qt5-qtbase.spec b/SPECS/qt5-qtbase.spec index 654a787..d90a23e 100644 --- a/SPECS/qt5-qtbase.spec +++ b/SPECS/qt5-qtbase.spec @@ -42,7 +42,7 @@ BuildRequires: pkgconfig(libsystemd) Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.12.5 -Release: 4%{?dist} +Release: 6%{?dist} # See LGPL_EXCEPTIONS.txt, for exception details License: LGPLv2 with exceptions or GPLv3 with exceptions @@ -116,6 +116,21 @@ Patch68: qtbase-ambiguous-python-shebang.patch Patch101: qtbase-allow-dbus-not-running-during-build.patch +# Security fixes + +# CVE-2020-0570 qt5: qt: files placed by attacker can influence the working directory and lead to malicious code execution +Patch200: qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch + +# CVE-2020-0569 qt5-qtbase: qt: files placed by attacker can influence the working directory and lead to malicious code execution +Patch201: qtbase-do-not-load-plugin-from-pwd.patch + +# CVE-2015-9541 qt5: qt: XML entity expansion vulnerability +Patch202: qtbase-add-expansion-limit-for-entities.patch + +# CVE-2020-13962 qt5-qtbase: qt5: incorrectly calls SSL_shutdown() in OpenSSL mid-handshake causing denial of service in TLS applications +Patch203: qtbase-openssl-handle-ssl-shutdown-errors-properly.patch + + # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. # Those themes are there for platform integration. If the required libraries are # not there, the platform to integrate with isn't either. Then Qt will just @@ -379,6 +394,12 @@ Qt5 libraries used for drawing widgets and OpenGL items. %patch101 -p1 -b .qtbase-allow-dbus-not-running-during-build +# Security fixes +%patch200 -p1 -b .qlibrary-do-not-attempt-to-load-library-relative-to-pwd +%patch201 -p1 -b .do-not-load-plugin-from-pwd +%patch202 -p1 -b .add-expansion-limit-for-entities +%patch203 -p1 -b .openssl-handle-ssl-shutdown-errors-properly + # move some bundled libs to ensure they're not accidentally used pushd src/3rdparty mkdir UNUSED @@ -1013,19 +1034,31 @@ fi %changelog -* Wed Nov 27 2019 Jan Grulich - 5.12-5-4 +* Tue Jul 14 2020 Jan Grulich - 5.12.5-6 +- OpenSSL: handle SSL_shutdown's errors properly + Resolves: bz#1851538 + +* Mon May 11 2020 Jan Grulich - 5.12.5-5 +- Fix: Files placed by attacker can influence the working directory and lead to malicious code execution + Resolves: bz#1814739 + Resolves: bz#1814683 + +- Fix: XML entity expansion vulnerability + Resolves: bz#1822193 + +* Wed Nov 27 2019 Jan Grulich - 5.12.5-4 - Fix build on RHEL 7 kernel Resolves: bz#1733135 -* Thu Nov 07 2019 Jan Grulich - 5.12-5-2 +* Thu Nov 07 2019 Jan Grulich - 5.12.5-2 - Remove Android specific test to avoid unnecessary dependencies Resolves: bz#1733135 -* Tue Oct 29 2019 Jan Grulich - 5.12-5-1 +* Tue Oct 29 2019 Jan Grulich - 5.12.5-1 - 5.12.5 + sync with Fedora Resolves: bz#1733135 -* Wed May 22 2019 Jan Grulich - 5.11-1-7 +* Wed May 22 2019 Jan Grulich - 5.11.1-7 - Move libQt5EglFSDeviceIntegration lib out of the -devel subpkg Resolves: bz#1692970