diff --git a/CVE-2024-36048-qtnetworkauth-5.15.diff b/0001-fix-CVE-2024-36048.patch similarity index 64% rename from CVE-2024-36048-qtnetworkauth-5.15.diff rename to 0001-fix-CVE-2024-36048.patch index 63252bbe89e44691867162446f8efdbb130a45cd..43609867d673a6c8e838683ab29612d376d5e761 100644 --- a/CVE-2024-36048-qtnetworkauth-5.15.diff +++ b/0001-fix-CVE-2024-36048.patch @@ -1,5 +1,15 @@ +From d185b65e0ab20089199ec9d30f8cbc2df4a73e18 Mon Sep 17 00:00:00 2001 +From: Marc Mutz +Date: Wed, 8 May 2024 16:11:36 +0200 +Subject: [PATCH] fix CVE-2024-36048 + +Signed-off-by: lichenguang +--- + src/oauth/qabstractoauth.cpp | 14 ++++++++------ + 1 file changed, 8 insertions(+), 6 deletions(-) + diff --git a/src/oauth/qabstractoauth.cpp b/src/oauth/qabstractoauth.cpp -index f1ed2af..05b189a 100644 +index 46985d6..a8b9ec5 100644 --- a/src/oauth/qabstractoauth.cpp +++ b/src/oauth/qabstractoauth.cpp @@ -37,7 +37,6 @@ 
@@ -10,40 +20,36 @@ index f1ed2af..05b189a 100644 #include #include #include -@@ -46,6 +45,9 @@ +@@ -46,7 +45,9 @@ #include #include +-#include +#include +#include + - #include Q_DECLARE_METATYPE(QAbstractOAuth::Error) -@@ -290,15 +292,19 @@ void QAbstractOAuthPrivate::setStatus(QAbstractOAuth::Status newStatus) - } - } -+static QBasicMutex prngMutex; -+Q_GLOBAL_STATIC_WITH_ARGS(std::mt19937, prng, (*QRandomGenerator::system())) -+ +@@ -292,13 +293,13 @@ void QAbstractOAuthPrivate::setStatus(QAbstractOAuth::Status newStatus) + QByteArray QAbstractOAuthPrivate::generateRandomString(quint8 length) { - const char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; - static std::mt19937 randomEngine(QDateTime::currentDateTime().toMSecsSinceEpoch()); +- std::uniform_int_distribution distribution(0, sizeof(characters) - 2); + constexpr char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789"; - std::uniform_int_distribution distribution(0, sizeof(characters) - 2); ++ const int len = strlen(characters); QByteArray data; data.reserve(length); -+ auto lock = qt_unique_lock(prngMutex); ++ QRandomGenerator *prng = QRandomGenerator::system(); for (quint8 i = 0; i < length; ++i) - data.append(characters[distribution(randomEngine)]); -+ data.append(characters[distribution(*prng)]); -+ lock.unlock(); ++ data.append(characters[prng->bounded(len)]); return data; } -@@ -614,6 +620,7 @@ void QAbstractOAuth::resourceOwnerAuthorization(const QUrl &url, const QVariantM +@@ -614,6 +615,7 @@ void QAbstractOAuth::resourceOwnerAuthorization(const QUrl &url, const QVariantM } /*! @@ -51,3 +57,6 @@ index f1ed2af..05b189a 100644 Generates a random string which could be used as state or nonce. The parameter \a length determines the size of the generated string. +-- +2.50.1 + diff --git a/qt5-qtnetworkauth.spec b/qt5-qtnetworkauth.spec index c97e019a0beb087b18d32cb3800888b932dc6ac6..b70044b51658f0794c10d1b637f4c87752d59497 100644 
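Review bot: The rewritten `generateRandomString()` body in this version of the patch no longer matches the body it replaces, yet the new header still reads `From: Marc Mutz` with the 8 May 2024 date, and the spec changelog only says "Update the CVE-2024-36048 patch". The patch description should state where the new body comes from (an upstream commit or a local rewrite) so the CVE fix can be audited against its origin. Drawing each index directly from `QRandomGenerator::system()` is a sound basis for state/nonce values, and that generator is documented as safe for concurrent use, so dropping the `prngMutex` lock looks fine. In the new body, `const int len = strlen(characters);` measures a `constexpr` array at run time and relies on `<cstring>` being reachable, which cannot be confirmed here because the include names are missing from the page. `constexpr int len = sizeof(characters) - 1;` would keep the compile-time bound the earlier code used.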
--- a/qt5-qtnetworkauth.spec +++ b/qt5-qtnetworkauth.spec @@ -3,14 +3,14 @@ Summary: Qt5 - NetworkAuth component Name: qt5-%{qt_module} Version: 5.15.10 -Release: 2 +Release: 3 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details License: LGPL-3.0-only OR GPL-3.0-only WITH Qt-GPL-exception-1.0 Url: http://www.qt.io %global majmin %(echo %{version} | cut -d. -f1-2) Source0: https://download.qt.io/official_releases/qt/%{majmin}/%{version}/submodules/%{qt_module}-everywhere-opensource-src-%{version}.tar.xz -Patch0: CVE-2024-36048-qtnetworkauth-5.15.diff +Patch0: 0001-fix-CVE-2024-36048.patch # filter plugin/qml provides %global __provides_exclude_from ^(%{_qt5_archdatadir}/qml/.*\\.so|%{_qt5_plugindir}/.*\\.so)$ @@ -74,6 +74,9 @@ popd %{_qt5_examplesdir}/ %changelog +* Thu Oct 30 2025 lichenguang - 5.15.10-3 +- Update the CVE-2024-36048 patch + * Sat Feb 01 2025 Funda Wang - 5.15.10-2 - fix CVE-2024-36048