Sync from SUSE:SLFO:Main qt6-networkauth revision 274704f70d79899d9771ba7e61038e2f

Adrian Schröter 2024-09-11 10:42:09 +02:00
parent be70a08df5
commit 04aa199677
5 changed files with 23 additions and 114 deletions


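--- a/0001-QAbstractOAuth-fix-data-race-and-poor-seeding-in-gen.patch
+++ /dev/null
@@ -1,102 +0,0 @@
-From 5c0c90b6e5c3cdabd6ad41d5b6478250c8877f48 Mon Sep 17 00:00:00 2001
-From: Marc Mutz <marc.mutz@qt.io>
-Date: Wed, 8 May 2024 16:11:36 +0200
-Subject: [PATCH] QAbstractOAuth: fix data race and poor seeding in
-generateRandomString()
-MIME-Version: 1.0
-Content-Type: text/plain; charset=UTF-8
-Content-Transfer-Encoding: 8bit
-While not explicitly documented as thread-safe, this function
-maintains unprotected global state, and OAuth classes are surely used
-outside the main thread, so independent OAuth objects performing this
-operation at the same time means data race, iow: UB.
-Protect with a mutex.
-As a drive-by, use Q_GLOBAL_STATIC instead of magic statics, and make
-the char array constexpr instead of static const, to statically assert
-that it plays no role in thread-safety.
-Also seed the PRNG with QRandomGenerator::system() instead of the
-moral equivalent of gettimeoday(). The OAuth1 RFC5849¹ doesn't mention
-it, but the OpenID² spec asks for the nonce to be "unguessable to
-attackers". A gettimeofday()-seeded PRNG, esp. with only millisecond
-resolution, clearly doesn't fulfil that requirement.
-QRandomGenerator::system(), OTOH, is documented to be "securely
-seeded", and provides a seed_seq-like interface so the _whole_ mt19937
-state can be seeded, not just a 32-bit fraction of it.
-Keep the local PRNG to not exhaust the kernel's entropy pool through
-excessive system() usage.
-¹ https://datatracker.ietf.org/doc/html/rfc5849#section-3.3
-² https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes
-Amends a6dc1c01da723a93e1c174a6950eb4bab8cab3fc.
-Pick-to: 6.7 6.5 6.2 5.15
-Change-Id: Id09b04cc2ae342a7374a9f7a6803c860360d132c
-Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
-Reviewed-by: Jesus Fernandez <jsfdez@gmail.com>
----
-src/oauth/qabstractoauth.cpp | 15 +++++++++++----
-1 file changed, 11 insertions(+), 4 deletions(-)
-diff --git a/src/oauth/qabstractoauth.cpp b/src/oauth/qabstractoauth.cpp
-index a3cbea7..f98fd28 100644
---- a/src/oauth/qabstractoauth.cpp
-+++ b/src/oauth/qabstractoauth.cpp
-@@ -11,7 +11,6 @@
-#include <QtCore/qurl.h>
-#include <QtCore/qpair.h>
-#include <QtCore/qstring.h>
--#include <QtCore/qdatetime.h>
-#include <QtCore/qurlquery.h>
-#include <QtCore/qjsondocument.h>
-#include <QtCore/qmessageauthenticationcode.h>
-@@ -20,6 +19,9 @@
-#include <QtNetwork/qnetworkaccessmanager.h>
-#include <QtNetwork/qnetworkreply.h>
-+#include <QtCore/qrandom.h>
-+#include <QtCore/private/qlocking_p.h>
-+
-#include <random>
-QT_BEGIN_NAMESPACE
-@@ -273,15 +275,19 @@ void QAbstractOAuthPrivate::setStatus(QAbstractOAuth::Status newStatus)
-}
-}
-+Q_CONSTINIT static QBasicMutex prngMutex;
-+Q_GLOBAL_STATIC_WITH_ARGS(std::mt19937, prng, (*QRandomGenerator::system()))
-+
-QByteArray QAbstractOAuthPrivate::generateRandomString(quint8 length)
-{
-- const char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-- static std::mt19937 randomEngine(QDateTime::currentDateTime().toMSecsSinceEpoch());
-+ constexpr char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
-std::uniform_int_distribution<int> distribution(0, sizeof(characters) - 2);
-QByteArray data;
-data.reserve(length);
-+ auto lock = qt_unique_lock(prngMutex);
-for (quint8 i = 0; i < length; ++i)
-- data.append(characters[distribution(randomEngine)]);
-+ data.append(characters[distribution(*prng)]);
-+ lock.unlock();
-return data;
-}
-@@ -591,6 +597,7 @@ void QAbstractOAuth::resourceOwnerAuthorization(const QUrl &url, const QMultiMap
-}
-/*!
-+ \threadsafe
-Generates a random string which could be used as state or nonce.
-The parameter \a length determines the size of the generated
-string.
---
-2.44.0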


@ -1,8 +1,21 @@
-------------------------------------------------------------------
Tue May 21 09:14:03 UTC 2024 - Christophe Marin <christophe@krop.fr>
Wed Jun 19 07:25:50 UTC 2024 - Christophe Marin <christophe@krop.fr>
- Add security fix (CVE-2024-36048, boo#1224782):
* 0001-QAbstractOAuth-fix-data-race-and-poor-seeding-in-gen.patch
- Update to 6.7.2:
* https://www.qt.io/blog/qt-6.7.2-released
-------------------------------------------------------------------
Tue May 21 08:31:36 UTC 2024 - Christophe Marin <christophe@krop.fr>
- Update to 6.7.1:
* https://www.qt.io/blog/qt-6.7.1-released
* Fixes CVE-2024-36048 (boo#1224782)
-------------------------------------------------------------------
Tue Apr 2 13:39:47 UTC 2024 - Christophe Marin <christophe@krop.fr>
- Update to 6.7.0:
* https://www.qt.io/blog/qt-6.7-released
-------------------------------------------------------------------
Tue Mar 26 14:26:08 UTC 2024 - Christophe Marin <christophe@krop.fr>


@ -16,8 +16,8 @@
#
%define real_version 6.6.3
%define short_version 6.6
%define real_version 6.7.2
%define short_version 6.7
%define short_name qtnetworkauth
%define tar_name qtnetworkauth-everywhere-src
%define tar_suffix %{nil}
@ -28,15 +28,13 @@
%endif
#
Name: qt6-networkauth%{?pkg_suffix}
Version: 6.6.3
Version: 6.7.2
Release: 0
Summary: Set of APIs to obtain limited access to online accounts and HTTP services
License: GPL-3.0-only WITH Qt-GPL-exception-1.0
URL: https://www.qt.io
Source: https://download.qt.io/official_releases/qt/%{short_version}/%{real_version}%{tar_suffix}/submodules/%{tar_name}-%{real_version}%{tar_suffix}.tar.xz
Source0: https://download.qt.io/official_releases/qt/%{short_version}/%{real_version}%{tar_suffix}/submodules/%{tar_name}-%{real_version}%{tar_suffix}.tar.xz
Source99: qt6-networkauth-rpmlintrc
# PATCH-FIX-UPSTREAM
Patch0: 0001-QAbstractOAuth-fix-data-race-and-poor-seeding-in-gen.patch
BuildRequires: pkgconfig
BuildRequires: qt6-core-private-devel
BuildRequires: cmake(Qt6Core) = %{real_version}
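Review bot: `BuildRequires: qt6-core-private-devel` is kept in the second hunk although the `Patch0:` line removed just above it was, as far as this page shows, the only consumer of a Qt private header (the deleted patch adds `#include <QtCore/private/qlocking_p.h>`); it is worth confirming that the 6.7.2 sources still need the private headers rather than carrying the dependency forward by inertia. The changelog's 6.7.1 entry records CVE-2024-36048 as fixed upstream, so presumably the same mutex-based fix, private header included, is now in the tarball and the build requirement remains correct. The `Source:` to `Source0:` rename is cosmetic, since rpm treats an unnumbered `Source:` as `Source0`. The remainder of the spec, including any further use of private headers, lies outside these hunks.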

qtnetworkauth-everywhere-src-6.6.3.tar.xz (Stored with Git LFS)


qtnetworkauth-everywhere-src-6.7.2.tar.xz (Stored with Git LFS) Normal file
