From 2704daf4975fe94a78e3e50c90a378536670cc7d Mon Sep 17 00:00:00 2001
From: peijiankang
Date: Thu, 2 Nov 2023 15:24:47 +0800
Subject: [PATCH] fix CVE-2023-34410
---
 qt5-qtbase.spec | 6 +++++-
 qtbase5.11.1-CVE-2023-34410.patch | 24 ++++++++++++++++++++++++
 2 files changed, 29 insertions(+), 1 deletion(-)
 create mode 100644 qtbase5.11.1-CVE-2023-34410.patch
diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index 3952340..b6f698e 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -13,7 +13,7 @@ Name: qt5-qtbase
 Summary: Core component of Qt toolkit
 Version: 5.11.1
-Release: 17
+Release: 18
 License: LGPLv2 with exceptions or GPLv3 with exceptions
 Url: http://qt-project.org/
 Source0: https://download.qt.io/new_archive/qt/5.11/%{version}/submodules/qtbase-everywhere-src-%{version}.tar.xz
@@ -51,6 +51,7 @@ Patch6008: CVE-2023-32763.patch
 Patch6009: CVE-2023-37369-pre.patch
 Patch6010: CVE-2023-37369.patch
 Patch6011: CVE-2023-33285.patch
+Patch6012: qtbase5.11.1-CVE-2023-34410.patch
 BuildRequires: pkgconfig(libsystemd) cups-devel desktop-file-utils findutils
 BuildRequires: libjpeg-devel libmng-devel libtiff-devel pkgconfig(alsa)
@@ -418,6 +419,9 @@ fi
 %changelog
+* Thu Nov 02 2023 peijiankang - 5.11.1-18
+- Fix CVE-2023-34410
+
 * Wed Nov 01 2023 peijiankang - 5.11.1-17
 - Fix CVE-2023-33285.patch
diff --git a/qtbase5.11.1-CVE-2023-34410.patch b/qtbase5.11.1-CVE-2023-34410.patch
new file mode 100644
index 0000000..23049c8
--- /dev/null
+++ b/qtbase5.11.1-CVE-2023-34410.patch
@@ -0,0 +1,24 @@
+diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
+index 4273904c..8d064ba0 100644
+--- a/src/network/ssl/qsslsocket.cpp
++++ b/src/network/ssl/qsslsocket.cpp
+@@ -2053,6 +2053,10 @@ QSslSocketPrivate::QSslSocketPrivate()
+ , flushTriggered(false)
+ {
+ QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
++ // If the global configuration doesn't allow root certificates to be loaded
++ // on demand then we have to disable it for this socket as well.
++ if (!configuration.allowRootCertOnDemandLoading)
++ allowRootCertOnDemandLoading = false;
+ }
+
+ /*!
+@@ -2252,6 +2256,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
+ ptr->sessionProtocol = global->sessionProtocol;
+ ptr->ciphers = global->ciphers;
+ ptr->caCertificates = global->caCertificates;
++ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
+ ptr->protocol = global->protocol;
+ ptr->peerVerifyMode = global->peerVerifyMode;
+ ptr->peerVerifyDepth = global->peerVerifyDepth;
+
-- Gitee
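Review bot: The embedded qsslsocket.cpp patch starts directly at `diff --git` with no header, so nothing in the package records which upstream Qt change it was backported from or how it was adapted to 5.11.1; a short header above the diff such as `Origin: <upstream commit URL>` and `Backport-Notes: <changes made for 5.11.1>` would let a later audit confirm the fix is complete. In the constructor hunk the new guard only ever clears the socket's `allowRootCertOnDemandLoading`, and it depends on the copy the second hunk adds to `deepCopyDefaultConfiguration()`; both functions continue outside the hunks, so any other place that assigns a configuration to an existing socket is not visible here and is worth checking for the same flag. No test accompanies the change; a regression check that a socket created after the default configuration was given an explicit CA list does not fall back to the system roots would pin the intended behaviour.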