diff --git a/0001-QAbstractOAuth-fix-data-race-and-poor-seeding-in-gen.patch b/0001-QAbstractOAuth-fix-data-race-and-poor-seeding-in-gen.patch
deleted file mode 100644
index 09c65f2..0000000
--- a/0001-QAbstractOAuth-fix-data-race-and-poor-seeding-in-gen.patch
+++ /dev/null
@@ -1,102 +0,0 @@ -From 5c0c90b6e5c3cdabd6ad41d5b6478250c8877f48 Mon Sep 17 00:00:00 2001 -From: Marc Mutz -Date: Wed, 8 May 2024 16:11:36 +0200 -Subject: [PATCH] QAbstractOAuth: fix data race and poor seeding in - generateRandomString() -MIME-Version: 1.0 -Content-Type: text/plain; charset=UTF-8 -Content-Transfer-Encoding: 8bit - -While not explicitly documented as thread-safe, this function -maintains unprotected global state, and OAuth classes are surely used -outside the main thread, so independent OAuth objects performing this -operation at the same time means data race, iow: UB. - -Protect with a mutex. - -As a drive-by, use Q_GLOBAL_STATIC instead of magic statics, and make -the char array constexpr instead of static const, to statically assert -that it plays no role in thread-safety. - -Also seed the PRNG with QRandomGenerator::system() instead of the -moral equivalent of gettimeoday(). The OAuth1 RFC5849¹ doesn't mention -it, but the OpenID² spec asks for the nonce to be "unguessable to -attackers". A gettimeofday()-seeded PRNG, esp. with only millisecond -resolution, clearly doesn't fulfil that requirement. - -QRandomGenerator::system(), OTOH, is documented to be "securely -seeded", and provides a seed_seq-like interface so the _whole_ mt19937 -state can be seeded, not just a 32-bit fraction of it. - -Keep the local PRNG to not exhaust the kernel's entropy pool through -excessive system() usage. - -¹ https://datatracker.ietf.org/doc/html/rfc5849#section-3.3 -² https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes - -Amends a6dc1c01da723a93e1c174a6950eb4bab8cab3fc. 
- -Pick-to: 6.7 6.5 6.2 5.15 -Change-Id: Id09b04cc2ae342a7374a9f7a6803c860360d132c -Reviewed-by: Mårten Nordheim -Reviewed-by: Jesus Fernandez ---- - src/oauth/qabstractoauth.cpp | 15 +++++++++++---- - 1 file changed, 11 insertions(+), 4 deletions(-) - -diff --git a/src/oauth/qabstractoauth.cpp b/src/oauth/qabstractoauth.cpp -index a3cbea7..f98fd28 100644 ---- a/src/oauth/qabstractoauth.cpp -+++ b/src/oauth/qabstractoauth.cpp -@@ -11,7 +11,6 @@ - #include - #include - #include --#include - #include - #include - #include -@@ -20,6 +19,9 @@ - #include - #include - -+#include -+#include -+ - #include - - QT_BEGIN_NAMESPACE -@@ -273,15 +275,19 @@ void QAbstractOAuthPrivate::setStatus(QAbstractOAuth::Status newStatus) - } - } - -+Q_CONSTINIT static QBasicMutex prngMutex; -+Q_GLOBAL_STATIC_WITH_ARGS(std::mt19937, prng, (*QRandomGenerator::system())) -+ - QByteArray QAbstractOAuthPrivate::generateRandomString(quint8 length) - { -- const char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; -- static std::mt19937 randomEngine(QDateTime::currentDateTime().toMSecsSinceEpoch()); -+ constexpr char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; - std::uniform_int_distribution distribution(0, sizeof(characters) - 2); - QByteArray data; - data.reserve(length); -+ auto lock = qt_unique_lock(prngMutex); - for (quint8 i = 0; i < length; ++i) -- data.append(characters[distribution(randomEngine)]); -+ data.append(characters[distribution(*prng)]); -+ lock.unlock(); - return data; - } - -@@ -591,6 +597,7 @@ void QAbstractOAuth::resourceOwnerAuthorization(const QUrl &url, const QMultiMap - } - - /*! -+ \threadsafe - Generates a random string which could be used as state or nonce. - The parameter \a length determines the size of the generated - string. --- -2.44.0 - diff --git a/qt6-networkauth.changes b/qt6-networkauth.changes index 4f397ce..a46227e 100644 --- a/qt6-networkauth.changes +++ b/qt6-networkauth.changes 
@@ -1,8 +1,21 @@ ------------------------------------------------------------------- -Tue May 21 09:14:03 UTC 2024 - Christophe Marin +Wed Jun 19 07:25:50 UTC 2024 - Christophe Marin -- Add security fix (CVE-2024-36048, boo#1224782): - * 0001-QAbstractOAuth-fix-data-race-and-poor-seeding-in-gen.patch +- Update to 6.7.2: + * https://www.qt.io/blog/qt-6.7.2-released + +------------------------------------------------------------------- +Tue May 21 08:31:36 UTC 2024 - Christophe Marin + +- Update to 6.7.1: + * https://www.qt.io/blog/qt-6.7.1-released + * Fixes CVE-2024-36048 (boo#1224782) + +------------------------------------------------------------------- +Tue Apr 2 13:39:47 UTC 2024 - Christophe Marin + +- Update to 6.7.0: + * https://www.qt.io/blog/qt-6.7-released ------------------------------------------------------------------- Tue Mar 26 14:26:08 UTC 2024 - Christophe Marin diff --git a/qt6-networkauth.spec b/qt6-networkauth.spec index b9a574d..136d05b 100644 --- a/qt6-networkauth.spec +++ b/qt6-networkauth.spec @@ -16,8 +16,8 @@ # -%define real_version 6.6.3 -%define short_version 6.6 +%define real_version 6.7.2 +%define short_version 6.7 %define short_name qtnetworkauth %define tar_name qtnetworkauth-everywhere-src %define tar_suffix %{nil} 
@@ -28,15 +28,13 @@
 %endif
 #
 Name: qt6-networkauth%{?pkg_suffix}
-Version: 6.6.3
+Version: 6.7.2
 Release: 0
 Summary: Set of APIs to obtain limited access to online accounts and HTTP services
 License: GPL-3.0-only WITH Qt-GPL-exception-1.0
 URL: https://www.qt.io
-Source: https://download.qt.io/official_releases/qt/%{short_version}/%{real_version}%{tar_suffix}/submodules/%{tar_name}-%{real_version}%{tar_suffix}.tar.xz
+Source0: https://download.qt.io/official_releases/qt/%{short_version}/%{real_version}%{tar_suffix}/submodules/%{tar_name}-%{real_version}%{tar_suffix}.tar.xz
 Source99: qt6-networkauth-rpmlintrc
-# PATCH-FIX-UPSTREAM
-Patch0: 0001-QAbstractOAuth-fix-data-race-and-poor-seeding-in-gen.patch
 BuildRequires: pkgconfig
 BuildRequires: qt6-core-private-devel
 BuildRequires: cmake(Qt6Core) = %{real_version}
diff --git a/qtnetworkauth-everywhere-src-6.6.3.tar.xz b/qtnetworkauth-everywhere-src-6.6.3.tar.xz
deleted file mode 100644
index 839ea4f..0000000
--- a/qtnetworkauth-everywhere-src-6.6.3.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:5db9a30b42d7ff22ce1a0048474c36b3b84e1e55f3af991ba3cc8e0dc9bb7594
-size 143676
diff --git a/qtnetworkauth-everywhere-src-6.7.2.tar.xz b/qtnetworkauth-everywhere-src-6.7.2.tar.xz
new file mode 100644
index 0000000..63f7545
--- /dev/null
+++ b/qtnetworkauth-everywhere-src-6.7.2.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:7f09824fcfe589eb32260c305ff9a126fe3bf93be218d372e8e9c10e212df470
+size 146892
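Review bot: The drop of `Patch0: 0001-QAbstractOAuth-fix-data-race-and-poor-seeding-in-gen.patch` (and its `# PATCH-FIX-UPSTREAM` marker) in this hunk is not recorded in the new 6.7.2 changelog entry, which only links the release blog; the only hint that the fix is now carried by the tarball is the 6.7.1 entry's `* Fixes CVE-2024-36048 (boo#1224782)`. Since this patch was the package's CVE fix, its removal should be traceable from the package history: add a line such as `  * Drop 0001-QAbstractOAuth-fix-data-race-and-poor-seeding-in-gen.patch (merged upstream)` to the 6.7.2 entry. This keeps the CVE-to-release mapping auditable without having to diff the tarballs.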