Accepting request 358747 from KDE:Qt5

- Added 0001-Fix-exclusion-of-anonymous-ciphers.patch from upstream
  to disable exp-adh and aecdh ciphers.
- Added disable-rc4-ciphers-bnc865241.diff to disable RC4 based ciphers
  which are now considered insecure (bnc#865241)

- Added Add-option-to-disable-session-management-by-closing-windows.patch
  API adition to QSessionManager as first step in resolving
  kde#354724 and boo#955280

- Update to 5.5.1 (boo#954149)

OBS-URL: https://build.opensuse.org/request/show/358747
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libqt5-qtbase?expand=0&rev=50

0001-Fix-exclusion-of-anonymous-ciphers.patch

@@ -0,0 +1,35 @@
+From 479e84dcbd0d7f1333105c495d7931f1bef3e63b Mon Sep 17 00:00:00 2001
+From: "Richard J. Moore" <rich@kde.org>
+Date: Sat, 18 Apr 2015 12:44:30 +0100
+Subject: [PATCH] Fix exclusion of anonymous ciphers.
+
+Qt attempted to exclude anonymous ciphers since they offer no MITM
+protection, but missed export ADH ciphers and AECDH from the exclude
+list.
+
+Change-Id: Icdfa9b31643a0e9927010885c7c1d02c42460d79
+Reviewed-by: Peter Hartmann <peter-qt@hartmann.tk>
+---
+ src/network/ssl/qsslsocket_openssl.cpp | 6 ++++--
+ 1 file changed, 4 insertions(+), 2 deletions(-)
+
+diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
+index 55762c9..00e13e4 100644
+--- a/src/network/ssl/qsslsocket_openssl.cpp
++++ b/src/network/ssl/qsslsocket_openssl.cpp
+@@ -662,8 +662,10 @@ void QSslSocketPrivate::resetDefaultCiphers()
+         if (SSL_CIPHER *cipher = q_sk_SSL_CIPHER_value(supportedCiphers, i)) {
+             QSslCipher ciph = QSslSocketBackendPrivate::QSslCipher_from_SSL_CIPHER(cipher);
+             if (!ciph.isNull()) {
+-                // Unconditionally exclude ADH ciphers since they offer no MITM protection
+-                if (!ciph.name().toLower().startsWith(QLatin1String("adh")))
++                // Unconditionally exclude ADH and AECDH ciphers since they offer no MITM protection
++                if (!ciph.name().toLower().startsWith(QLatin1String("adh")) &&
++                    !ciph.name().toLower().startsWith(QLatin1String("exp-adh")) &&
++                    !ciph.name().toLower().startsWith(QLatin1String("aecdh")))
+                     ciphers << ciph;
+                 if (ciph.usedBits() >= 128)
+                     defaultCiphers << ciph;
+-- 
+2.6.2
+

Add-option-to-disable-session-management-by-closing-windows.patch

@@ -0,0 +1,180 @@
+From 2722dd7bb544949ff8ca9fe2cfb7b41ceaaddc56 Mon Sep 17 00:00:00 2001
+From: Andreas Hartmetz <ahartmetz@gmail.com>
+Date: Tue, 19 Jan 2016 14:30:18 +0100
+Subject: [PATCH 1/1] Add option to disable "session management by closing
+ windows".
+
+That feature is a poor man's session management for applications
+that do not implement any specific session management features.
+It badly interferes with proper session management support, so
+applications must be able to disable it.
+
+This fixes some KDE applications dying too early, before they are
+enumerated for the list of applications to restart on session
+restore, thus preventing them from being restored. See
+https://bugs.kde.org/show_bug.cgi?id=354724
+
+Task-number: QTBUG-49667
+Change-Id: Ib22e58c9c64351dea8b7e2a74db91d26dd7ab7aa
+---
+ .../code/src_gui_kernel_qguiapplication.cpp        |  1 +
+ src/gui/kernel/qguiapplication.cpp                 | 14 +++++-
+ src/gui/kernel/qsessionmanager.cpp                 | 55 +++++++++++++++++++++-
+ src/gui/kernel/qsessionmanager.h                   |  3 ++
+ src/gui/kernel/qsessionmanager_p.h                 |  1 +
+ 5 files changed, 71 insertions(+), 3 deletions(-)
+
+diff --git a/src/gui/doc/snippets/code/src_gui_kernel_qguiapplication.cpp b/src/gui/doc/snippets/code/src_gui_kernel_qguiapplication.cpp
+index 4ddf8c8..3006d19 100644
+--- a/src/gui/doc/snippets/code/src_gui_kernel_qguiapplication.cpp
++++ b/src/gui/doc/snippets/code/src_gui_kernel_qguiapplication.cpp
+@@ -58,6 +58,7 @@ MyMainWidget::MyMainWidget(QWidget *parent)
+ 
+ void MyMainWidget::commitData(QSessionManager& manager)
+ {
++    manager.setAutoCloseWindowsEnabled(false);
+     if (manager.allowsInteraction()) {
+         int ret = QMessageBox::warning(
+                     mainWindow,
+diff --git a/src/gui/kernel/qguiapplication.cpp b/src/gui/kernel/qguiapplication.cpp
+index 770f847..40f2d5f 100644
+--- a/src/gui/kernel/qguiapplication.cpp
++++ b/src/gui/kernel/qguiapplication.cpp
+@@ -3087,6 +3087,12 @@ void QGuiApplicationPrivate::setApplicationState(Qt::ApplicationState state, boo
+     the session manager may or may not do this afterwards, depending on the
+     context.
+ 
++    When you connect to this signal to ask the user for permission to close
++    the application and / or commit application data, you should also call
++    QSessionManager::setAutoCloseWindowsEnabled(false) on \a manager to disable
++    a feature that helps applications that do not support full session
++    management, but hurts applications that do.
++
+     \warning Within this signal, no user interaction is possible, \e
+     unless you ask the \a manager for explicit permission. See
+     QSessionManager::allowsInteraction() and
+@@ -3095,7 +3101,8 @@ void QGuiApplicationPrivate::setApplicationState(Qt::ApplicationState state, boo
+ 
+     \note You should use Qt::DirectConnection when connecting to this signal.
+ 
+-    \sa isSessionRestored(), sessionId(), saveStateRequest(), {Session Management}
++    \sa QSessionManager::setAutoCloseWindowsEnabled(), isSessionRestored(),
++    sessionId(), saveStateRequest(), {Session Management}
+ */
+ 
+ /*!
+@@ -3225,9 +3232,12 @@ void QGuiApplicationPrivate::commitData()
+ {
+     Q_Q(QGuiApplication);
+     is_saving_session = true;
++
+     emit q->commitDataRequest(*session_manager);
+-    if (session_manager->allowsInteraction() && !tryCloseAllWindows())
++    if (session_manager->autoCloseWindowsEnabled() && session_manager->allowsInteraction()
++        && !tryCloseAllWindows())
+         session_manager->cancel();
++
+     is_saving_session = false;
+ }
+ 
+diff --git a/src/gui/kernel/qsessionmanager.cpp b/src/gui/kernel/qsessionmanager.cpp
+index f4b56fd..4d140f9 100644
+--- a/src/gui/kernel/qsessionmanager.cpp
++++ b/src/gui/kernel/qsessionmanager.cpp
+@@ -116,7 +116,8 @@ QT_BEGIN_NAMESPACE
+ 
+ QSessionManagerPrivate::QSessionManagerPrivate(const QString &id,
+                                                const QString &key)
+-    : QObjectPrivate()
++    : QObjectPrivate(),
++      autoCloseWindowsEnabled(true)
+ {
+     platformSessionManager = QGuiApplicationPrivate::platformIntegration()->createPlatformSessionManager(id, key);
+     Q_ASSERT_X(platformSessionManager, "Platform session management",
+@@ -350,6 +351,58 @@ QStringList QSessionManager::discardCommand() const
+ }
+ 
+ /*!
++    \since 5.6
++
++    Sets whether the session manager will try to close application windows during
++    session exit to \a enabled.
++
++    \sa autoCloseWindowsEnabled()
++*/
++void QSessionManager::setAutoCloseWindowsEnabled(bool enabled)
++{
++    Q_D(QSessionManager);
++    d->autoCloseWindowsEnabled = enabled;
++}
++
++/*!
++   \since 5.6
++
++    Returns whether the session manager will try to close application windows during
++    session exit.
++
++    If this is true immediately after QGuiApplication::commitDataRequest() has been
++    emitted, and allowsInteraction() is true, Qt will send CloseEvent to all
++    windows of the application. If that fails to close all windows, session exit is
++    canceled and the application keeps running.
++
++    The purpose of that is to give applications without explicit session management
++    support a chance to cancel session exit through the common
++    "are you sure you want to close this window?" feature.
++
++    \warning If all windows \e are closed due to this feature,
++    that may quit the application before it is explicitly instructed to quit through
++    the platform's session management protocol - see
++    QGuiApplication::quitOnLastWindowClosed(). That may in turn prevent the platform
++    session manager from saving the application's state correctly because the
++    application broke the protocol.
++
++    If your application implements full session management, you should disable this.
++
++    It is sufficient to set this property once on any instance of QSessionManager
++    to set its value for the lifetime of the application - it acts like a class
++    static variable.
++
++    The default is true.
++
++    \sa setAutoCloseWindowsEnabled()
++*/
++bool QSessionManager::autoCloseWindowsEnabled() const
++{
++    Q_D(const QSessionManager);
++    return d->autoCloseWindowsEnabled;
++}
++
++/*!
+     \overload
+ 
+     Low-level write access to the application's identification and state
+diff --git a/src/gui/kernel/qsessionmanager.h b/src/gui/kernel/qsessionmanager.h
+index 36aa391..696d9d8 100644
+--- a/src/gui/kernel/qsessionmanager.h
++++ b/src/gui/kernel/qsessionmanager.h
+@@ -78,6 +78,9 @@ public:
+     void setDiscardCommand(const QStringList&);
+     QStringList discardCommand() const;
+ 
++    void setAutoCloseWindowsEnabled(bool);
++    bool autoCloseWindowsEnabled() const;
++
+     void setManagerProperty(const QString& name, const QString& value);
+     void setManagerProperty(const QString& name, const QStringList& value);
+ 
+diff --git a/src/gui/kernel/qsessionmanager_p.h b/src/gui/kernel/qsessionmanager_p.h
+index 8949962..0acf865 100644
+--- a/src/gui/kernel/qsessionmanager_p.h
++++ b/src/gui/kernel/qsessionmanager_p.h
+@@ -65,6 +65,7 @@ public:
+     virtual ~QSessionManagerPrivate();
+ 
+     QPlatformSessionManager *platformSessionManager;
++    bool autoCloseWindowsEnabled;
+ };
+ 
+ QT_END_NAMESPACE
+-- 
+2.6.2.2.g1b5ffa3

disable-rc4-ciphers-bnc865241.diff

@@ -0,0 +1,21 @@
+Index: qtbase-opensource-src-5.5.1/src/network/ssl/qsslsocket_openssl.cpp
+===================================================================
+--- qtbase-opensource-src-5.5.1.orig/src/network/ssl/qsslsocket_openssl.cpp
++++ qtbase-opensource-src-5.5.1/src/network/ssl/qsslsocket_openssl.cpp
+@@ -662,10 +662,13 @@ void QSslSocketPrivate::resetDefaultCiph
+                 // Unconditionally exclude ADH and AECDH ciphers since they offer no MITM protection
+                 if (!ciph.name().toLower().startsWith(QLatin1String("adh")) &&
+                     !ciph.name().toLower().startsWith(QLatin1String("exp-adh")) &&
+-                    !ciph.name().toLower().startsWith(QLatin1String("aecdh")))
++                    !ciph.name().toLower().startsWith(QLatin1String("aecdh"))) {
+                     ciphers << ciph;
+-                if (ciph.usedBits() >= 128)
+-                    defaultCiphers << ciph;
++
++                    if (ciph.usedBits() >= 128 &&
++                        !ciph.encryptionMethod().toLower().startsWith(QLatin1String("rc4")))
++                        defaultCiphers << ciph;
++                }
+             }
+         }
+     }

libqt5-qtbase.changes

@@ -1,3 +1,18 @@
+-------------------------------------------------------------------
+Wed Feb 10 12:28:49 UTC 2016 - alarrosa@suse.com
+
+- Added 0001-Fix-exclusion-of-anonymous-ciphers.patch from upstream
+  to disable exp-adh and aecdh ciphers.
+- Added disable-rc4-ciphers-bnc865241.diff to disable RC4 based ciphers
+  which are now considered insecure (bnc#865241)
+
+-------------------------------------------------------------------
+Sat Jan 30 18:14:50 UTC 2016 - hrvoje.senjan@gmail.com
+
+- Added Add-option-to-disable-session-management-by-closing-windows.patch
+  API adition to QSessionManager as first step in resolving
+  kde#354724 and boo#955280
+
 -------------------------------------------------------------------
 Wed Oct 28 19:41:36 UTC 2015 - hrvoje.senjan@gmail.com
 
@@ -7,7 +22,7 @@ Wed Oct 28 19:41:36 UTC 2015 - hrvoje.senjan@gmail.com
 -------------------------------------------------------------------
 Fri Oct 16 20:22:25 UTC 2015 - hrvoje.senjan@gmail.com
 
-- Update to 5.5.1
+- Update to 5.5.1 (boo#954149)
   * For more details please see:
     http://blog.qt.io/blog/2015/10/15/qt-5-5-1-released/
 - Drop patches merged upstream:

libqt5-qtbase.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libqt5-qtbase
 #
-# Copyright (c) 2015 SUSE LINUX GmbH, Nuernberg, Germany.
+# Copyright (c) 2016 SUSE LINUX GmbH, Nuernberg, Germany.
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -51,6 +51,10 @@ Patch3:         libqt5-Fix-Gujarati-font.patch
 Patch4:         protect-geometry-QTBUG-40584.patch
 # Patch-FIX-SUSE libqt5-do-not-use-shm-if-display-name-doesnt-look-local.patch -- bnc#888858
 Patch5:         libqt5-do-not-use-shm-if-display-name-doesnt-look-local.patch
+# PATCH-FIX-UPSTREAM 0001-Fix-exclusion-of-anonymous-ciphers.patch -- Exclude more ciphers from being used by default
+Patch6:         0001-Fix-exclusion-of-anonymous-ciphers.patch
+# PATCH-FIX-OPENSUSE disable-rc4-ciphers-bnc865241.diff bnc#865241-- Exclude rc4 ciphers from being used by default
+Patch7:         disable-rc4-ciphers-bnc865241.diff
 # patches 1000-2000 and above from upstream 5.3 branch #
 # patches 2000-3000 and above from upstream 5.5 branch #
 Patch2010:      0001-Fix-QWidget-setWindowRole.patch
@@ -63,6 +67,7 @@ Patch3004:      Add-an-automatic-use-of-the-ELF-versioned-QtCore-symbol.patch
 Patch3005:      xcb-fix-yet-another-crash-when-screens-are-disconnected.patch
 Patch3006:      xcb-dont-crash-in-mapToNativemapFromNative-if-the-screen-is-null.patch
 Patch3007:      qtwidgets_do_not-hide_show_via_WA_OutsideWSRange_for_native_widgets.patch
+Patch3008:      Add-option-to-disable-session-management-by-closing-windows.patch
 BuildRequires:  alsa-devel
 BuildRequires:  cups-devel
 BuildRequires:  gcc-c++
@@ -145,6 +150,8 @@ handling.
 %patch3 -p1
 %patch4 -p1
 %patch5 -p1
+%patch6 -p1
+%patch7 -p1
 %patch2010 -p1
 %patch2014 -p1
 %patch3000 -p1
@@ -155,6 +162,7 @@ handling.
 %patch3005 -p1
 %patch3006 -p1
 %patch3007 -p1
+%patch3008 -p1
 
 # be sure not to use them
 rm -r src/3rdparty/{libjpeg,freetype,libpng,zlib}