[AUTO-CHERRYPICK] qt5-qtbase: Add patch to resolve CVE-2024-39936. - branch main (#10129)

CBL-Mariner-Bot · Sumynwa · web-flow · commit a58b51846fa4 · 2024-08-19T11:39:02.000-07:00
Co-authored-by: Sumynwa &lt;sumsharma@microsoft.com&gt;
diff --git a/SPECS/qt5-qtbase/CVE-2024-39936.patch b/SPECS/qt5-qtbase/CVE-2024-39936.patch
@@ -0,0 +1,136 @@
+diff --git a/src/network/access/qhttp2protocolhandler.cpp b/src/network/access/qhttp2protocolhandler.cpp
+index d1b5dfda2e2..ee04a1856c6 100644
+--- a/src/network/access/qhttp2protocolhandler.cpp
++++ b/src/network/access/qhttp2protocolhandler.cpp
+@@ -375,12 +375,12 @@ bool QHttp2ProtocolHandler::sendRequest()
+         }
+     }
+ 
+-    if (!prefaceSent && !sendClientPreface())
+-        return false;
+-
+     if (!requests.size())
+         return true;
+ 
++    if (!prefaceSent && !sendClientPreface())
++        return false;
++
+     m_channel->state = QHttpNetworkConnectionChannel::WritingState;
+     // Check what was promised/pushed, maybe we do not have to send a request
+     // and have a response already?
+diff --git a/src/network/access/qhttpnetworkconnectionchannel.cpp b/src/network/access/qhttpnetworkconnectionchannel.cpp
+index bd2f32e3528..6f3bd807a09 100644
+--- a/src/network/access/qhttpnetworkconnectionchannel.cpp
++++ b/src/network/access/qhttpnetworkconnectionchannel.cpp
+@@ -255,6 +255,10 @@ void QHttpNetworkConnectionChannel::abort()
+ bool QHttpNetworkConnectionChannel::sendRequest()
+ {
+     Q_ASSERT(!protocolHandler.isNull());
++    if (waitingForPotentialAbort) {
++        needInvokeSendRequest = true;
++        return false; // this return value is unused
++    }
+     return protocolHandler->sendRequest();
+ }
+ 
+@@ -267,21 +271,28 @@ bool QHttpNetworkConnectionChannel::sendRequest()
+ void QHttpNetworkConnectionChannel::sendRequestDelayed()
+ {
+     QMetaObject::invokeMethod(this, [this] {
+-        Q_ASSERT(!protocolHandler.isNull());
+         if (reply)
+-            protocolHandler->sendRequest();
++            sendRequest();
+     }, Qt::ConnectionType::QueuedConnection);
+ }
+ 
+ void QHttpNetworkConnectionChannel::_q_receiveReply()
+ {
+     Q_ASSERT(!protocolHandler.isNull());
++    if (waitingForPotentialAbort) {
++        needInvokeReceiveReply = true;
++        return;
++    }
+     protocolHandler->_q_receiveReply();
+ }
+ 
+ void QHttpNetworkConnectionChannel::_q_readyRead()
+ {
+     Q_ASSERT(!protocolHandler.isNull());
++    if (waitingForPotentialAbort) {
++        needInvokeReadyRead = true;
++        return;
++    }
+     protocolHandler->_q_readyRead();
+ }
+ 
+@@ -1289,7 +1300,18 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
+             // Similar to HTTP/1.1 counterpart below:
+             const auto &pairs = spdyRequestsToSend.values(); // (request, reply)
+             const auto &pair = pairs.first();
++            waitingForPotentialAbort = true;
+             emit pair.second->encrypted();
++
++            // We don't send or handle any received data until any effects from
++            // emitting encrypted() have been processed. This is necessary
++            // because the user may have called abort(). We may also abort the
++            // whole connection if the request has been aborted and there is
++            // no more requests to send.
++            QMetaObject::invokeMethod(this,
++                                      &QHttpNetworkConnectionChannel::checkAndResumeCommunication,
++                                      Qt::QueuedConnection);
++
+             // In case our peer has sent us its settings (window size, max concurrent streams etc.)
+             // let's give _q_receiveReply a chance to read them first ('invokeMethod', QueuedConnection).
+             QMetaObject::invokeMethod(connection, "_q_startNextRequest", Qt::QueuedConnection);
+@@ -1307,6 +1329,26 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
+     }
+ }
+ 
++void QHttpNetworkConnectionChannel::checkAndResumeCommunication()
++{
++    Q_ASSERT(connection->connectionType() > QHttpNetworkConnection::ConnectionTypeHTTP);
++
++    // Because HTTP/2 requires that we send a SETTINGS frame as the first thing we do, and respond
++    // to a SETTINGS frame with an ACK, we need to delay any handling until we can ensure that any
++    // effects from emitting encrypted() have been processed.
++    // This function is called after encrypted() was emitted, so check for changes.
++
++    if (!reply && spdyRequestsToSend.isEmpty())
++        abort();
++    waitingForPotentialAbort = false;
++    if (needInvokeReadyRead)
++        _q_readyRead();
++    if (needInvokeReceiveReply)
++        _q_receiveReply();
++    if (needInvokeSendRequest)
++        sendRequest();
++}
++
+ void QHttpNetworkConnectionChannel::requeueSpdyRequests()
+ {
+     QList<HttpMessagePair> spdyPairs = spdyRequestsToSend.values();
+diff --git a/src/network/access/qhttpnetworkconnectionchannel_p.h b/src/network/access/qhttpnetworkconnectionchannel_p.h
+index 6be0c51f9fe..613fda7bc31 100644
+--- a/src/network/access/qhttpnetworkconnectionchannel_p.h
++++ b/src/network/access/qhttpnetworkconnectionchannel_p.h
+@@ -107,6 +107,10 @@ public:
+     QAbstractSocket *socket;
+     bool ssl;
+     bool isInitialized;
++    bool waitingForPotentialAbort = false;
++    bool needInvokeReceiveReply = false;
++    bool needInvokeReadyRead = false;
++    bool needInvokeSendRequest = false;
+     ChannelState state;
+     QHttpNetworkRequest request; // current request, only used for HTTP
+     QHttpNetworkReply *reply; // current reply for this request, only used for HTTP
+@@ -187,6 +191,8 @@ public:
+     void closeAndResendCurrentRequest();
+     void resendCurrentRequest();
+ 
++    void checkAndResumeCommunication();
++
+     bool isSocketBusy() const;
+     bool isSocketWriting() const;
+     bool isSocketWaiting() const;
diff --git a/SPECS/qt5-qtbase/qt5-qtbase-5.15-http-encrypted-signal.patch b/SPECS/qt5-qtbase/qt5-qtbase-5.15-http-encrypted-signal.patch
@@ -0,0 +1,105 @@
+From 09e22c6c3280d4187b1ed2d979ceea478b7bed75 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
+Date: Tue, 11 Aug 2020 17:20:03 +0200
+Subject: [PATCH] QNAM: Don't error out if the server doesn't support any ALPN
+ we request
+
+If we ask for HTTP/2 or 1.1 and the server doesn't list either then we
+should still try to connect using HTTP/1(.1) just in case, to keep
+compatibility.
+
+Task-number: QTBUG-85902
+Change-Id: I6ff2e38ac9d767e482a19ee4c81d101be37d3fab
+Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
+---
+From 62d85389a4a3ef22db80e721bf7c646a50874452 Mon Sep 17 00:00:00 2001
+From: =?UTF-8?q?M=C3=A5rten=20Nordheim?= <marten.nordheim@qt.io>
+Date: Tue, 18 Aug 2020 12:10:16 +0200
+Subject: [PATCH] http: When falling back to http/1 use the socket's ssl config
+
+And not the ssl configuration we have on the reply since it's missing
+e.g. the newly received session ticket.
+
+Change-Id: Idfeb09012a847605a76d1fe4fb881c663d019b4a
+Reviewed-by: Peter Hartmann <peter@edelhirsch.io>
+Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
+---
+From 95064c35826793c5d6a4edff9fa08ad308b047bb Mon Sep 17 00:00:00 2001
+From: Timur Pocheptsov <timur.pocheptsov@qt.io>
+Date: Tue, 20 Jul 2021 08:16:28 +0200
+Subject: [PATCH] H2: emit encrypted for at least the first reply, similar to
+ H1
+MIME-Version: 1.0
+Content-Type: text/plain; charset=UTF-8
+Content-Transfer-Encoding: 8bit
+
+Fixes: QTBUG-95277
+Change-Id: I1fe01503376c0d6278e366d7bd31b412b7cc3a69
+Reviewed-by: Mårten Nordheim <marten.nordheim@qt.io>
+(cherry picked from commit c23b7886348dc313ccec1a131850a7cce1b429de)
+---
+
+ src/network/access/qhttpnetworkconnectionchannel.cpp  | 22 +++++++++----------
+ 1 file changed, 10 insertions(+), 12 deletions(-)
+
+diff --git a/src/network/access/qhttpnetworkconnectionchannel.cpp b/src/network/access/qhttpnetworkconnectionchannel.cpp
+index 1fac24ab..d078b194 100644
+--- a/src/network/access/qhttpnetworkconnectionchannel.cpp
++++ b/src/network/access/qhttpnetworkconnectionchannel.cpp
+@@ -1176,8 +1176,7 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
+         // after establishing a secure connection we immediately start sending
+         // HTTP/2 frames.
+         switch (sslSocket->sslConfiguration().nextProtocolNegotiationStatus()) {
+-        case QSslConfiguration::NextProtocolNegotiationNegotiated:
+-        case QSslConfiguration::NextProtocolNegotiationUnsupported: {
++        case QSslConfiguration::NextProtocolNegotiationNegotiated: {
+             QByteArray nextProtocol = sslSocket->sslConfiguration().nextNegotiatedProtocol();
+             if (nextProtocol == QSslConfiguration::NextProtocolHttp1_1) {
+                 // fall through to create a QHttpProtocolHandler
+@@ -1199,17 +1198,12 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
+             }
+         }
+             Q_FALLTHROUGH();
++        case QSslConfiguration::NextProtocolNegotiationUnsupported: // No agreement, try HTTP/1(.1)
+         case QSslConfiguration::NextProtocolNegotiationNone: {
+             protocolHandler.reset(new QHttpProtocolHandler(this));
+-            if (!sslConfiguration.data()) {
+-                // Our own auto-tests bypass the normal initialization (done by
+-                // QHttpThreadDelegate), this means in the past we'd have here
+-                // the default constructed QSslConfiguration without any protocols
+-                // to negotiate. Let's create it now:
+-                sslConfiguration.reset(new QSslConfiguration);
+-            }
+ 
+-            QList<QByteArray> protocols = sslConfiguration->allowedNextProtocols();
++            QSslConfiguration newConfiguration = sslSocket->sslConfiguration();
++            QList<QByteArray> protocols = newConfiguration.allowedNextProtocols();
+             const int nProtocols = protocols.size();
+             // Clear the protocol that we failed to negotiate, so we do not try
+             // it again on other channels that our connection can create/open.
+@@ -1219,10 +1213,10 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
+                 protocols.removeAll(QSslConfiguration::NextProtocolSpdy3_0);
+ 
+             if (nProtocols > protocols.size()) {
+-                sslConfiguration->setAllowedNextProtocols(protocols);
++                newConfiguration.setAllowedNextProtocols(protocols);
+                 const int channelCount = connection->d_func()->channelCount;
+                 for (int i = 0; i < channelCount; ++i)
+-                    connection->d_func()->channels[i].setSslConfiguration(*sslConfiguration);
++                    connection->d_func()->channels[i].setSslConfiguration(newConfiguration);
+             }
+ 
+             connection->setConnectionType(QHttpNetworkConnection::ConnectionTypeHTTP);
+@@ -1257,6 +1251,10 @@ void QHttpNetworkConnectionChannel::_q_encrypted()
+         connection->connectionType() == QHttpNetworkConnection::ConnectionTypeHTTP2Direct) {
+         // we call setSpdyWasUsed(true) on the replies in the SPDY handler when the request is sent
+         if (spdyRequestsToSend.count() > 0) {
++            // Similar to HTTP/1.1 counterpart below:
++            const auto &pairs = spdyRequestsToSend.values(); // (request, reply)
++            const auto &pair = pairs.first();
++            emit pair.second->encrypted();
+             // In case our peer has sent us its settings (window size, max concurrent streams etc.)
+             // let's give _q_receiveReply a chance to read them first ('invokeMethod', QueuedConnection).
+             QMetaObject::invokeMethod(connection, "_q_startNextRequest", Qt::QueuedConnection);
+-- 
+2.25.1
diff --git a/SPECS/qt5-qtbase/qt5-qtbase.spec b/SPECS/qt5-qtbase/qt5-qtbase.spec
@@ -33,7 +33,7 @@
 Name:         qt5-qtbase
 Summary:      Qt5 - QtBase components
 Version:      5.12.11
-Release:      12%{?dist}
+Release:      13%{?dist}
 # See LICENSE.GPL3-EXCEPT.txt, for exception details
 License:      GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0
 Vendor:       Microsoft Corporation
@@ -159,6 +159,10 @@ Patch89: CVE-2021-38593.patch
 # Fix CVE-2022-25643
 Patch90: CVE-2022-25643.patch
 
+# Fix CVE-2024-39936
+Patch91: qt5-qtbase-5.15-http-encrypted-signal.patch
+Patch92: CVE-2024-39936.patch
+
 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
 # not there, the platform to integrate with isn't either. Then Qt will just
@@ -270,6 +274,8 @@ Qt5 libraries used for drawing widgets and OpenGL items.
 %patch88 -p1
 %patch89 -p1
 %patch90 -p1
+%patch91 -p1
+%patch92 -p1
 
 ## upstream patches
 
@@ -775,6 +781,9 @@ fi
 %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake
 
 %changelog
+* Wed Aug 07 2024 Sumedh Sharma <sumsharma@microsoft.com> - 5.12.11-13
+- Add patch to resolve CVE-2024-39936.
+
 * Wed Mar 27 2024 Alberto David Perez Guevara <aperezguevar@microsoft.com> - 5.12.11-12
 - Add patch to resolve CVE-2022-25643.
 
