diff options
author | Jason E. Hale <jhale@FreeBSD.org> | 2024-05-25 01:21:10 +0000 |
---|---|---|
committer | Jason E. Hale <jhale@FreeBSD.org> | 2024-05-25 01:55:21 +0000 |
commit | 48f4a9b7c9ba5e2fb1d48c08c438efa5fe2b5565 (patch) | |
tree | 326081494c1039ed0a7a56d35ab134fdf2e87392 | |
parent | 14975759cb44ae535778daaee3c46538532506fb (diff) | |
download | ports-48f4a9b7c9ba5e2fb1d48c08c438efa5fe2b5565.tar.gz ports-48f4a9b7c9ba5e2fb1d48c08c438efa5fe2b5565.zip |
net/qt5-networkauth: Address CVE-2024-36048
https://www.qt.io/blog/security-advisory-qstringconverter-0
MFH: 2024Q2
Security: f5fa174d-19de-11ef-83d8-4ccc6adda413
-rw-r--r-- | net/qt5-networkauth/Makefile | 1 | ||||
-rw-r--r-- | net/qt5-networkauth/files/patch-src_oauth_qabstractoauth.cpp | 55 |
2 files changed, 56 insertions, 0 deletions
diff --git a/net/qt5-networkauth/Makefile b/net/qt5-networkauth/Makefile index 2255dfdc9dbf..de0a0948bc2d 100644 --- a/net/qt5-networkauth/Makefile +++ b/net/qt5-networkauth/Makefile @@ -1,5 +1,6 @@ PORTNAME= networkauth PORTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH} +PORTREVISION= 1 CATEGORIES= net PKGNAMEPREFIX= qt5- diff --git a/net/qt5-networkauth/files/patch-src_oauth_qabstractoauth.cpp b/net/qt5-networkauth/files/patch-src_oauth_qabstractoauth.cpp new file mode 100644 index 000000000000..7bcad530ec0f --- /dev/null +++ b/net/qt5-networkauth/files/patch-src_oauth_qabstractoauth.cpp @@ -0,0 +1,55 @@ +Address CVE-2024-36048. + +https://www.qt.io/blog/security-advisory-qstringconverter-0 + +--- src/oauth/qabstractoauth.cpp.orig 2024-01-04 19:21:59 UTC ++++ src/oauth/qabstractoauth.cpp +@@ -37,7 +37,6 @@ + #include <QtCore/qurl.h> + #include <QtCore/qpair.h> + #include <QtCore/qstring.h> +-#include <QtCore/qdatetime.h> + #include <QtCore/qurlquery.h> + #include <QtCore/qjsondocument.h> + #include <QtCore/qmessageauthenticationcode.h> +@@ -46,6 +45,9 @@ + #include <QtNetwork/qnetworkaccessmanager.h> + #include <QtNetwork/qnetworkreply.h> + ++#include <QtCore/qrandom.h> ++#include <QtCore/private/qlocking_p.h> ++ + #include <random> + + Q_DECLARE_METATYPE(QAbstractOAuth::Error) +@@ -290,15 +292,19 @@ void QAbstractOAuthPrivate::setStatus(QAbstractOAuth:: + } + } + ++static QBasicMutex prngMutex; ++Q_GLOBAL_STATIC_WITH_ARGS(std::mt19937, prng, (*QRandomGenerator::system())) ++ + QByteArray QAbstractOAuthPrivate::generateRandomString(quint8 length) + { +- const char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; +- static std::mt19937 randomEngine(QDateTime::currentDateTime().toMSecsSinceEpoch()); ++ constexpr char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; + std::uniform_int_distribution<int> distribution(0, sizeof(characters) - 2); + QByteArray data; + data.reserve(length); ++ auto lock = qt_unique_lock(prngMutex); + for (quint8 i = 0; i < length; ++i) +- data.append(characters[distribution(randomEngine)]); ++ data.append(characters[distribution(*prng)]); ++ lock.unlock(); + return data; + } + +@@ -614,6 +620,7 @@ void QAbstractOAuth::resourceOwnerAuthorization(const + } + + /*! ++ \threadsafe + Generates a random string which could be used as state or nonce. + The parameter \a length determines the size of the generated + string. |