Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 935869 (CVE-2024-39936) - <dev-qt/qtbase-6.7.2-r1:6, <dev-qt/qtnetwork-5.15.14-r1:5: HTTP/2 security may be compromised
Summary: <dev-qt/qtbase-6.7.2-r1:6, <dev-qt/qtnetwork-5.15.14-r1:5: HTTP/2 security ma...
Status: CONFIRMED
Alias: CVE-2024-39936
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal
Assignee: Gentoo Security
URL: https://www.qt.io/blog/recently-disco...
Whiteboard: A3 [glsa?]
Keywords:
Depends on: 936171
Blocks:
  Show dependency tree
 
Reported: 2024-07-11 16:33 UTC by xoip
Modified: 2024-07-22 05:24 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Description xoip 2024-07-11 16:33:26 UTC
CVE-2024-39936

An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed..
Comment 1 Andreas Sturmlechner gentoo-dev 2024-07-11 16:39:59 UTC
No patch available upstream for 5.15.
Comment 2 Andreas Sturmlechner gentoo-dev 2024-07-11 17:14:11 UTC
Presumably it's this one, but does not apply cleanly over kde/5.15

https://invent.kde.org/qt/qt/qtbase/-/commit/b1e75376cc3adfc7da5502a277dfe9711f3e0536
Comment 3 Andreas Sturmlechner gentoo-dev 2024-07-11 17:25:04 UTC
Plus https://invent.kde.org/qt/qt/qtbase/-/commit/14a61026216d20eb3a2893420b7d51374e820b44 but upstream's 5.15 patch likely won't care about tests.
Comment 4 Ionen Wolkens gentoo-dev 2024-07-11 17:49:02 UTC
May wait till Qt does a blog post w/ patches, I assume these two commits is all we need but I'd rather not be assuming (and QTBUG-126610 is private, so not sure what went on in there).
Comment 5 Ionen Wolkens gentoo-dev 2024-07-11 18:09:07 UTC
Well, wrt test I guess we don't really have to worry about it unless someone runs the test suite on a macos prefix or something, otherwise securetransport is never set (CONDITION APPLE).
Comment 6 Larry the Git Cow gentoo-dev 2024-07-16 21:41:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69cfa9cc226d2c4195132da0c4a0373a080b7d9d

commit 69cfa9cc226d2c4195132da0c4a0373a080b7d9d
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-07-16 21:39:56 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-07-16 21:40:22 +0000

    dev-qt/qtnetwork: Fix CVE-2024-39936
    
    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../files/qtnetwork-5.15.14-CVE-2024-39936.patch   | 178 +++++++++++++++++++++
 dev-qt/qtnetwork/qtnetwork-5.15.14-r1.ebuild       |  64 ++++++++
 2 files changed, 242 insertions(+)
Comment 7 Larry the Git Cow gentoo-dev 2024-07-16 23:52:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b0845fa8c13b564c6d0b26891c0b043afe0e6bc

commit 6b0845fa8c13b564c6d0b26891c0b043afe0e6bc
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-07-16 23:28:03 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-07-16 23:28:05 +0000

    dev-qt/qtbase: backport fix for CVE-2024-39936
    
    Still no update from Qt's blog, but given been handled for
    Qt5 may as well do it here too at this point.
    
    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 .../qtbase/files/qtbase-6.7.2-CVE-2024-39936.patch | 200 ++++++++++++
 dev-qt/qtbase/qtbase-6.7.2-r1.ebuild               | 350 +++++++++++++++++++++
 2 files changed, 550 insertions(+)
Comment 8 Ionen Wolkens gentoo-dev 2024-07-17 12:56:26 UTC
Well, blog post just been published. Patch is the same (beside skipping adding a new test for it), so should be nothing to change.
Comment 9 Larry the Git Cow gentoo-dev 2024-07-21 12:54:10 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82e647db0aad2ea52f63a2d1babb681a5c02f909

commit 82e647db0aad2ea52f63a2d1babb681a5c02f909
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-07-21 12:51:37 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-07-21 12:53:38 +0000

    dev-qt/qtbase: drop vulnerable 6.7.2
    
    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 dev-qt/qtbase/qtbase-6.7.2.ebuild | 349 --------------------------------------
 1 file changed, 349 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8abb6224e29aae4f7c1591f24f5a93ceac067c5

commit c8abb6224e29aae4f7c1591f24f5a93ceac067c5
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-07-21 12:53:23 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-07-21 12:53:38 +0000

    dev-qt/qtnetwork: drop vulnerable 5.15.14
    
    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 dev-qt/qtnetwork/qtnetwork-5.15.14.ebuild | 62 -------------------------------
 1 file changed, 62 deletions(-)