CVE-2024-39936 An issue was discovered in HTTP2 in Qt before 5.15.18, 6.x before 6.2.13, 6.3.x through 6.5.x before 6.5.7, and 6.6.x through 6.7.x before 6.7.3. Code to make security-relevant decisions about an established connection may execute too early, because the encrypted() signal has not yet been emitted and processed.
No patch available upstream for 5.15.
Presumably it's this one, but it does not apply cleanly over kde/5.15: https://invent.kde.org/qt/qt/qtbase/-/commit/b1e75376cc3adfc7da5502a277dfe9711f3e0536
Plus https://invent.kde.org/qt/qt/qtbase/-/commit/14a61026216d20eb3a2893420b7d51374e820b44 but upstream's 5.15 patch likely won't care about tests.
May wait till Qt does a blog post w/ patches. I assume these two commits are all we need, but I'd rather not be assuming (and QTBUG-126610 is private, so not sure what went on in there).
Well, wrt the test, I guess we don't really have to worry about it unless someone runs the test suite on a macOS prefix or something; otherwise securetransport is never set (CONDITION APPLE).
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=69cfa9cc226d2c4195132da0c4a0373a080b7d9d

commit 69cfa9cc226d2c4195132da0c4a0373a080b7d9d
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2024-07-16 21:39:56 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2024-07-16 21:40:22 +0000

    dev-qt/qtnetwork: Fix CVE-2024-39936

    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../files/qtnetwork-5.15.14-CVE-2024-39936.patch | 178 +++++++++++++++++++++
 dev-qt/qtnetwork/qtnetwork-5.15.14-r1.ebuild     |  64 ++++++++
 2 files changed, 242 insertions(+)
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6b0845fa8c13b564c6d0b26891c0b043afe0e6bc

commit 6b0845fa8c13b564c6d0b26891c0b043afe0e6bc
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-07-16 23:28:03 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-07-16 23:28:05 +0000

    dev-qt/qtbase: backport fix for CVE-2024-39936

    Still no update from Qt's blog, but given been handled for Qt5 may
    as well do it here too at this point.

    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 .../qtbase/files/qtbase-6.7.2-CVE-2024-39936.patch | 200 ++++++++++++
 dev-qt/qtbase/qtbase-6.7.2-r1.ebuild               | 350 +++++++++++++++++++++
 2 files changed, 550 insertions(+)
Well, the blog post has just been published. The patch is the same (besides skipping adding a new test for it), so there should be nothing to change.
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=82e647db0aad2ea52f63a2d1babb681a5c02f909

commit 82e647db0aad2ea52f63a2d1babb681a5c02f909
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-07-21 12:51:37 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-07-21 12:53:38 +0000

    dev-qt/qtbase: drop vulnerable 6.7.2

    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 dev-qt/qtbase/qtbase-6.7.2.ebuild | 349 --------------------------------------
 1 file changed, 349 deletions(-)

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=c8abb6224e29aae4f7c1591f24f5a93ceac067c5

commit c8abb6224e29aae4f7c1591f24f5a93ceac067c5
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2024-07-21 12:53:23 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2024-07-21 12:53:38 +0000

    dev-qt/qtnetwork: drop vulnerable 5.15.14

    Bug: https://bugs.gentoo.org/935869
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 dev-qt/qtnetwork/qtnetwork-5.15.14.ebuild | 62 -------------------------------
 1 file changed, 62 deletions(-)
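As an added helper (not part of this bug or of Gentoo's ebuilds), the check below turns the affected ranges stated in the CVE description into a version test, so a fleet of Qt installs can be triaged without re-reading the advisory. The caveat it encodes is the one this bug illustrates: a distro revision such as 5.15.14-r1 or 6.7.2-r1 still has an "affected" upstream version, so a bare range check flags it and the backported patch has to be verified separately. The version strings, the `-rN` suffix handling and the function names are assumptions of this example.

```python
"""Classify Qt versions against the CVE-2024-39936 ranges given in the
advisory text. Added example; not code from the bug or from Gentoo."""
import re

# Fixed version per (major, minor) branch, taken from the CVE description:
#   before 5.15.18; 6.x before 6.2.13; 6.3.x-6.5.x before 6.5.7;
#   6.6.x-6.7.x before 6.7.3. Branches not listed (e.g. 6.8) are
#   treated as outside the affected ranges.
_FIXED = {
    (5, 15): (5, 15, 18),
    (6, 0): (6, 2, 13), (6, 1): (6, 2, 13), (6, 2): (6, 2, 13),
    (6, 3): (6, 5, 7), (6, 4): (6, 5, 7), (6, 5): (6, 5, 7),
    (6, 6): (6, 7, 3), (6, 7): (6, 7, 3),
}

# Accepts "6.7.2" and Gentoo-style "6.7.2-r1" (assumed input format).
_VER_RE = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")


def parse_version(s):
    """Return ((major, minor, patch), distro_revision)."""
    m = _VER_RE.match(s.strip())
    if not m:
        raise ValueError(f"unrecognised version: {s!r}")
    major, minor, patch, rev = m.groups()
    return (int(major), int(minor), int(patch)), (int(rev) if rev else 0)


def is_affected_upstream(version):
    """True when the bare upstream version lies inside an affected range."""
    base, _ = parse_version(version)
    fixed = _FIXED.get(base[:2])
    if fixed is None:
        return False
    return base < fixed


def classify(version):
    """Triage verdict for one installed version string.

    A distro revision on an otherwise-affected upstream version is not
    proof of a fix; it only means the package must be checked for the
    backported patch (as with qtnetwork-5.15.14-r1 / qtbase-6.7.2-r1)."""
    _, rev = parse_version(version)
    if not is_affected_upstream(version):
        return "fixed-upstream"
    if rev > 0:
        return "affected-upstream, distro revision present: verify backport"
    return "affected"


if __name__ == "__main__":
    # Constructed sample inventory, not real hosts.
    for v in ["5.15.14", "5.15.14-r1", "5.15.18", "6.7.2", "6.7.2-r1",
              "6.7.3", "6.5.6", "6.3.2", "6.8.0"]:
        print(f"{v:12} {classify(v)}")
```

On Gentoo, the version strings to feed this are the ones reported by `eix` or `qlist -Iv` for dev-qt/qtnetwork (Qt 5) and dev-qt/qtbase (Qt 6); for any "verify backport" result, confirm the ebuild carries the CVE-2024-39936 patch before treating the host as fixed.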