dev-qt/qtbase: add patch for CVE-2023-32762

See also: https://www.qt.io/blog/security-advisory-qt-network

Signed-off-by: Jimi Huotari <chiitoo@gentoo.org>

2 files changed, 246 insertions, 0 deletions

diff --git a/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch
new file mode 100644
index 000000000000..3574706fcd85
--- /dev/null
+++ b/dev-qt/qtbase/files/qtbase-6.5.0-CVE-2023-32762.patch
@@ -0,0 +1,54 @@
+From eae7c36d681acfb82572b56e24bbb2cd42242e57 Mon Sep 17 00:00:00 2001
+From: =?utf8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
+Date: Fri, 5 May 2023 11:07:26 +0200
+Subject: [PATCH] Hsts: match header names case insensitively
+
+Header field names are always considered to be case-insensitive.
+
+Fixes: QTBUG-113392
+Change-Id: Ifb4def4bb7f2ac070416cdc76581a769f1e52b43
+Reviewed-by: Qt CI Bot <qt_ci_bot@qt-project.org>
+Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
+Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
+(cherry picked from commit 1b736a815be0222f4b24289cf17575fc15707305)
+Reviewed-by: Qt Cherry-pick Bot <cherrypick_bot@qt-project.org>
+---
+ src/network/access/qhsts.cpp                 | 4 ++--
+ tests/auto/network/access/hsts/tst_qhsts.cpp | 6 ++++++
+ 2 files changed, 8 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/access/qhsts.cpp b/src/network/access/qhsts.cpp
+index 39905f354807..82deede17298 100644
+--- a/src/network/access/qhsts.cpp
++++ b/src/network/access/qhsts.cpp
+@@ -327,8 +327,8 @@ quoted-pair    = "\" CHAR
+ bool QHstsHeaderParser::parse(const QList<QPair<QByteArray, QByteArray>> &headers)
+ {
+     for (const auto &h : headers) {
+-        // We use '==' since header name was already 'trimmed' for us:
+-        if (h.first == "Strict-Transport-Security") {
++        // We compare directly because header name was already 'trimmed' for us:
++        if (h.first.compare("Strict-Transport-Security", Qt::CaseInsensitive) == 0) {
+             header = h.second;
+             // RFC6797, 8.1:
+             //
+diff --git a/tests/auto/network/access/hsts/tst_qhsts.cpp b/tests/auto/network/access/hsts/tst_qhsts.cpp
+index 252f5e8f5792..97a2d2889e57 100644
+--- a/tests/auto/network/access/hsts/tst_qhsts.cpp
++++ b/tests/auto/network/access/hsts/tst_qhsts.cpp
+@@ -216,6 +216,12 @@ void tst_QHsts::testSTSHeaderParser()
+     QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
+     QVERIFY(parser.includeSubDomains());
+ 
++    list.pop_back();
++    list << Header("strict-transport-security", "includeSubDomains;max-age=1000");
++    QVERIFY(parser.parse(list));
++    QVERIFY(parser.expirationDate() > QDateTime::currentDateTimeUtc());
++    QVERIFY(parser.includeSubDomains());
++
+     list.pop_back();
+     // Invalid (includeSubDomains twice):
+     list << Header("Strict-Transport-Security", "max-age = 1000 ; includeSubDomains;includeSubDomains");
+-- 
+2.16.3
+
diff --git a/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild b/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild
new file mode 100644
index 000000000000..afcd30dfe9f6
--- /dev/null
+++ b/dev-qt/qtbase/qtbase-6.5.0-r2.ebuild
@@ -0,0 +1,192 @@
+# Copyright 2021-2023 Gentoo Authors
+# Distributed under the terms of the GNU General Public License v2
+
+EAPI=8
+
+inherit qt6-build
+
+DESCRIPTION="Cross-platform application development framework"
+
+if [[ ${QT6_BUILD_TYPE} == release ]]; then
+	KEYWORDS="~amd64"
+fi
+
+# Qt Modules
+IUSE="+concurrent +dbus +gui +network +sql opengl +widgets +xml zstd"
+REQUIRED_USE="
+	opengl? ( gui )
+	widgets? ( gui )
+	X? ( || ( evdev libinput ) )
+"
+
+QTGUI_IUSE="accessibility egl eglfs evdev gles2-only +jpeg +libinput tslib tuio vulkan +X"
+QTNETWORK_IUSE="brotli gssapi libproxy sctp +ssl vnc"
+QTSQL_IUSE="freetds mysql oci8 odbc postgres +sqlite"
+IUSE+=" ${QTGUI_IUSE} ${QTNETWORK_IUSE} ${QTSQL_IUSE} cups gtk icu systemd +udev"
+# QtPrintSupport = QtGui + QtWidgets enabled.
+# ibus = xkbcommon + dbus, and xkbcommon needs either libinput or X
+REQUIRED_USE+="
+	$(printf '%s? ( gui ) ' ${QTGUI_IUSE//+/})
+	$(printf '%s? ( network ) ' ${QTNETWORK_IUSE//+/})
+	$(printf '%s? ( sql ) ' ${QTSQL_IUSE//+/})
+	accessibility? ( dbus X )
+	cups? ( gui widgets )
+	eglfs? ( egl )
+	gtk? ( widgets )
+	gui? ( || ( eglfs X ) || ( libinput X ) )
+	libinput? ( udev )
+	sql? ( || ( freetds mysql oci8 odbc postgres sqlite ) )
+	vnc? ( gui )
+	X? ( gles2-only? ( egl ) )
+"
+
+# TODO:
+# qtimageformats: mng not done yet, qtimageformats.git upstream commit 9443239c
+# qtnetwork: connman, networkmanager
+DEPEND="
+	app-crypt/libb2
+	dev-libs/double-conversion:=
+	dev-libs/glib:2
+	dev-libs/libpcre2:=[pcre16,unicode]
+	dev-util/gtk-update-icon-cache
+	media-libs/fontconfig
+	>=media-libs/freetype-2.6.1:2
+	>=media-libs/harfbuzz-1.6.0:=
+	media-libs/tiff:=
+	>=sys-apps/dbus-1.4.20
+	sys-libs/zlib:=
+	brotli? ( app-arch/brotli:= )
+	evdev? ( sys-libs/mtdev )
+	freetds? ( dev-db/freetds )
+	gles2-only? ( media-libs/libglvnd )
+	!gles2-only? ( media-libs/libglvnd[X] )
+	gssapi? ( virtual/krb5 )
+	gtk? (
+		x11-libs/gtk+:3
+		x11-libs/libX11
+		x11-libs/pango
+	)
+	gui? ( media-libs/libpng:= )
+	icu? ( dev-libs/icu:= )
+	!icu? ( virtual/libiconv )
+	jpeg? ( media-libs/libjpeg-turbo:= )
+	libinput? (
+		dev-libs/libinput:=
+		>=x11-libs/libxkbcommon-0.5.0
+	)
+	libproxy? ( net-libs/libproxy )
+	mysql? ( dev-db/mysql-connector-c:= )
+	oci8? ( dev-db/oracle-instantclient:=[sdk] )
+	odbc? ( dev-db/unixODBC )
+	postgres? ( dev-db/postgresql:* )
+	sctp? ( kernel_linux? ( net-misc/lksctp-tools ) )
+	sqlite? ( dev-db/sqlite:3 )
+	ssl? ( dev-libs/openssl:= )
+	systemd? ( sys-apps/systemd:= )
+	tslib? ( >=x11-libs/tslib-1.21 )
+	udev? ( virtual/libudev:= )
+	vulkan? ( dev-util/vulkan-headers )
+	X? (
+		x11-libs/libdrm
+		x11-libs/libICE
+		x11-libs/libSM
+		x11-libs/libX11
+		>=x11-libs/libxcb-1.12:=
+		>=x11-libs/libxkbcommon-0.5.0[X]
+		x11-libs/xcb-util-cursor
+		x11-libs/xcb-util-image
+		x11-libs/xcb-util-keysyms
+		x11-libs/xcb-util-renderutil
+		x11-libs/xcb-util-wm
+	)
+	zstd? ( app-arch/zstd:= )
+"
+RDEPEND="${DEPEND}"
+
+PATCHES=(
+	"${FILESDIR}/${PN}-6.5.0-setActiveWindow-deprecated-version.patch"
+	"${FILESDIR}/${PN}-6.5.0-CVE-2023-32762.patch"
+)
+
+src_configure() {
+	local mycmakeargs=(
+		-DINSTALL_ARCHDATADIR=${QT6_ARCHDATADIR}
+		-DINSTALL_BINDIR=${QT6_BINDIR}
+		-DINSTALL_DATADIR=${QT6_DATADIR}
+		-DINSTALL_DOCDIR=${QT6_DOCDIR}
+		-DINSTALL_EXAMPLESDIR=${QT6_EXAMPLESDIR}
+		-DINSTALL_INCLUDEDIR=${QT6_HEADERDIR}
+		-DINSTALL_LIBDIR=${QT6_LIBDIR}
+		-DINSTALL_LIBEXECDIR=${QT6_LIBEXECDIR}
+		-DINSTALL_MKSPECSDIR=${QT6_ARCHDATADIR}/mkspecs
+		-DINSTALL_PLUGINSDIR=${QT6_PLUGINDIR}
+		-DINSTALL_QMLDIR=${QT6_QMLDIR}
+		-DINSTALL_SYSCONFDIR=${QT6_SYSCONFDIR}
+		-DINSTALL_TRANSLATIONSDIR=${QT6_TRANSLATIONDIR}
+		-DQT_FEATURE_androiddeployqt=OFF
+		$(qt_feature concurrent)
+		$(qt_feature dbus)
+		$(qt_feature gui)
+		$(qt_feature gui testlib)
+		$(qt_feature icu)
+		$(qt_feature network)
+		$(qt_feature sql)
+		$(qt_feature systemd journald)
+		$(qt_feature udev libudev)
+		$(qt_feature xml)
+		$(qt_feature zstd)
+	)
+	use gui && mycmakeargs+=(
+		$(qt_feature accessibility accessibility_atspi_bridge)
+		$(qt_feature egl)
+		$(qt_feature egl xcb_egl_plugin)
+		$(qt_feature eglfs eglfs_egldevice)
+		$(qt_feature eglfs eglfs_gbm)
+		$(qt_feature evdev)
+		$(qt_feature evdev mtdev)
+		-DQT_FEATURE_gif=ON
+		$(qt_feature jpeg)
+		$(qt_feature opengl)
+		$(qt_feature gles2-only opengles2)
+		$(qt_feature libinput)
+		$(qt_feature tslib)
+		$(qt_feature tuio tuiotouch)
+		$(qt_feature vulkan)
+		$(qt_feature widgets)
+		$(qt_feature X xcb)
+		$(qt_feature X xcb_xlib)
+	)
+	use widgets && mycmakeargs+=(
+		$(qt_feature cups)
+		$(qt_feature gtk gtk3)
+	)
+	if use libinput || use X; then
+		mycmakeargs+=( -DQT_FEATURE_xkbcommon=ON )
+	fi
+	use network && mycmakeargs+=(
+		$(qt_feature brotli)
+		$(qt_feature gssapi)
+		$(qt_feature libproxy)
+		$(qt_feature sctp)
+		$(qt_feature ssl openssl)
+		$(qt_feature vnc)
+	)
+	use sql && mycmakeargs+=(
+		$(qt_feature freetds sql_tds)
+		$(qt_feature mysql sql_mysql)
+		$(qt_feature oci8 sql_oci)
+		$(qt_feature odbc sql_odbc)
+		$(qt_feature postgres sql_psql)
+		$(qt_feature sqlite sql_sqlite)
+		$(qt_feature sqlite system_sqlite)
+	)
+
+	qt6-build_src_configure
+}
+
+src_install() {
+	qt6-build_src_install
+
+	# https://bugs.gentoo.org/863395
+	qt6_symlink_binary_to_path qmake 6
+}