Package: qtbase-opensource-src / 5.15.8+dfsg-11+deb12u3

CVE-2023-34410.diff
Description: Ssl: Copy the on-demand cert loading bool from default config
 Otherwise individual sockets will still load system certificates when
 a chain doesn't match against the configured CA certificates.
 That's not intended behavior, since specifically setting the CA
 certificates means you don't want the system certificates to be used.
 .
 This is potentially a breaking change because now, if you ever add a
 CA to the default config, it will disable loading system certificates
 on demand for all sockets. And the only way to re-enable it is to
 create a null-QSslConfiguration and set it as the new default.
Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=57ba6260c0801055
Last-Update: 2023-06-08

--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -2221,6 +2221,10 @@ QSslSocketPrivate::QSslSocketPrivate()
     , flushTriggered(false)
 {
     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
+    // If the global configuration doesn't allow root certificates to be loaded
+    // on demand then we have to disable it for this socket as well.
+    if (!configuration.allowRootCertOnDemandLoading)
+        allowRootCertOnDemandLoading = false;
 }
 
 /*!
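Review bot: the copy into the socket is one-directional: `allowRootCertOnDemandLoading` on the socket is cleared when the default configuration forbids on-demand loading, but it is never set to true from it, so whatever value the member held before this point stays in force otherwise. That matches the intent stated in the header, but it is easy to misread as a full sync, so the comment should say "cleared, never re-enabled" explicitly. The hunk also only covers sockets constructed from the default; the other way a socket takes a configuration (setSslConfiguration) is not touched here, and it should be confirmed that the same restriction is applied on that path, otherwise a per-socket configuration with explicit CAs would still fall back to system roots.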
@@ -2470,6 +2474,7 @@ void QSslConfigurationPrivate::deepCopyD
     ptr->sessionProtocol = global->sessionProtocol;
     ptr->ciphers = global->ciphers;
     ptr->caCertificates = global->caCertificates;
+    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
     ptr->protocol = global->protocol;
     ptr->peerVerifyMode = global->peerVerifyMode;
     ptr->peerVerifyDepth = global->peerVerifyDepth;
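Review bot: this assignment is what the constructor check depends on, since the socket's `configuration` is populated only by this deep copy; without it the flag would always hold the fresh-object default and the constructor check could never fire. The user-visible consequence spelled out in the header (setting CA certificates on the default configuration now disables on-demand loading of system roots for every socket, reversible only by installing a null QSslConfiguration as the default) is not reflected in any documentation change in this patch; the documentation of QSslConfiguration::setCaCertificates and QSslConfiguration::setDefaultConfiguration should carry that note so applications that pin a CA globally know that public endpoints will stop validating.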