packages/qt6-qtnetworkauth
1
0
Fork 0
Code Issues Pull Requests Packages Projects Releases Wiki Activity

!9 [sync] PR-6: fix CVE-2024-36048

Browse Source 
From: @openeuler-sync-bot 
Reviewed-by: @peijiankang 
Signed-off-by: @peijiankang
This commit is contained in:
openeuler-ci-bot 2025-02-19 00:21:44 +00:00 committed by Gitee
commit 2899a69692
No known key found for this signature in database
GPG Key ID: 173E9B9CA92EEF8F
2 changed files with 58 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
CVE-2024-36048-qtnetworkauth-6.5.diff Normal file
View File

@ -0,0 +1,53 @@
diff --git a/src/oauth/qabstractoauth.cpp b/src/oauth/qabstractoauth.cpp
index 8e29d36..de6f4ab 100644
--- a/src/oauth/qabstractoauth.cpp
+++ b/src/oauth/qabstractoauth.cpp
@@ -11,7 +11,6 @@
#include <QtCore/qurl.h>
#include <QtCore/qpair.h>
#include <QtCore/qstring.h>
-#include <QtCore/qdatetime.h>
#include <QtCore/qurlquery.h>
#include <QtCore/qjsondocument.h>
#include <QtCore/qmessageauthenticationcode.h>
@@ -20,6 +19,9 @@
#include <QtNetwork/qnetworkaccessmanager.h>
#include <QtNetwork/qnetworkreply.h>
+#include <QtCore/qrandom.h>
+#include <QtCore/private/qlocking_p.h>
+
#include <random>
QT_BEGIN_NAMESPACE
@@ -262,15 +264,19 @@ void QAbstractOAuthPrivate::setStatus(QAbstractOAuth::Status newStatus)
}
}
+Q_CONSTINIT static QBasicMutex prngMutex;
+Q_GLOBAL_STATIC_WITH_ARGS(std::mt19937, prng, (*QRandomGenerator::system()))
+
QByteArray QAbstractOAuthPrivate::generateRandomString(quint8 length)
{
- const char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
- static std::mt19937 randomEngine(QDateTime::currentDateTime().toMSecsSinceEpoch());
+ constexpr char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
std::uniform_int_distribution<int> distribution(0, sizeof(characters) - 2);
QByteArray data;
data.reserve(length);
+ auto lock = qt_unique_lock(prngMutex);
for (quint8 i = 0; i < length; ++i)
- data.append(characters[distribution(randomEngine)]);
+ data.append(characters[distribution(*prng)]);
+ lock.unlock();
return data;
}
@@ -580,6 +586,7 @@ void QAbstractOAuth::resourceOwnerAuthorization(const QUrl &url, const QMultiMap
}
/*!
+ \threadsafe
Generates a random string which could be used as state or nonce.
The parameter \a length determines the size of the generated
string.

6
qt6-qtnetworkauth.spec
View File

@ -6,7 +6,7 @@
Summary: Qt6 - NetworkAuth component Summary: Qt6 - NetworkAuth component
Name: qt6-%{qt_module} Name: qt6-%{qt_module}
Version: 6.5.2 Version: 6.5.2
Release: 1 Release: 2
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -15,6 +15,7 @@ Url: http://www.qt.io
%global qt_version %(echo %{version} | cut -d~ -f1) %global qt_version %(echo %{version} | cut -d~ -f1)
Source0: https://download.qt.io/official_releases/qt/%{short_version}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz Source0: https://download.qt.io/official_releases/qt/%{short_version}/%{version}/submodules/%{qt_module}-everywhere-src-%{version}.tar.xz
Patch0: CVE-2024-36048-qtnetworkauth-6.5.diff
# filter plugin/qml provides # filter plugin/qml provides
%global __provides_exclude_from ^(%{_qt6_archdatadir}/qml/.*\\.so|%{_qt6_plugindir}/.*\\.so)$ %global __provides_exclude_from ^(%{_qt6_archdatadir}/qml/.*\\.so|%{_qt6_plugindir}/.*\\.so)$
@ -93,6 +94,9 @@ popd
%changelog %changelog
* Sat Feb 01 2025 Funda Wang <fundawang@yeah.net> - 6.5.2-2
- fix CVE-2024-36048
* Thu Nov 30 2023 houhongxun <houhongxun@kylinos.cn> - 6.5.2-1 * Thu Nov 30 2023 houhongxun <houhongxun@kylinos.cn> - 6.5.2-1
- update to version 6.5.2 - update to version 6.5.2