From 3c894f226a6a053fcf0c6fc626320afc69045990 Mon Sep 17 00:00:00 2001 From: Raul Metsma Date: Mon, 28 Aug 2023 07:53:15 +0300 Subject: [PATCH] Update Qt 6.5.2, OpenSSL 3.0.10, OpenLDAP 2.6.6 (#1200) IB-7779, IB-7803, IB-7804 Signed-off-by: Raul Metsma --- .github/workflows/build.yml | 6 +- prepare_osx_build_environment.sh | 231 ++++++++++++++++++++++++++++++- 2 files changed, 230 insertions(+), 7 deletions(-) diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index 59e2dd6dc..97ed8d4f5 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -10,7 +10,7 @@ jobs: name: Build on macOS runs-on: macos-latest env: - MACOSX_DEPLOYMENT_TARGET: 10.15 + MACOSX_DEPLOYMENT_TARGET: 11.0 steps: - name: Checkout uses: actions/checkout@v3 @@ -175,7 +175,7 @@ jobs: - name: Install Qt uses: jurplel/install-qt-action@v3 with: - version: 6.5.1 + version: 6.5.2 arch: win64_msvc2019_64 modules: qt5compat - name: Setup dev env @@ -213,7 +213,7 @@ jobs: with: submodules: recursive - name: Install dependencies - run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake libldap2-dev gettext libpcsclite-dev libminizip-dev libxml-security-c-dev libgl-dev libqt6svg6-dev qt6-tools-dev qt6-tools-dev-tools qt6-l10n-tools libqt6core5compat6-dev + run: sudo apt update -qq && sudo apt install --no-install-recommends -y cmake libldap2-dev gettext libpcsclite-dev libminizip-dev libxml-security-c-dev libgl-dev libqt6svg6-dev qt6-tools-dev qt6-tools-dev-tools qt6-l10n-tools libqt6core5compat6-dev libflatbuffers-dev zlib1g-dev - name: Download artifact uses: dawidd6/action-download-artifact@v2 with: diff --git a/prepare_osx_build_environment.sh b/prepare_osx_build_environment.sh index a3ca098eb..2b00177c2 100755 --- a/prepare_osx_build_environment.sh +++ b/prepare_osx_build_environment.sh @@ -4,12 +4,12 @@ set -e ######### Versions of libraries/frameworks to be compiled -QT_VER="6.5.1" -OPENSSL_VER="3.0.8" -OPENLDAP_VER="2.6.4" +QT_VER="6.5.2" +OPENSSL_VER="3.0.10" +OPENLDAP_VER="2.6.6" REBUILD=false BUILD_PATH=~/cmake_builds -: ${MACOSX_DEPLOYMENT_TARGET:="10.15"} +: ${MACOSX_DEPLOYMENT_TARGET:="11.0"} export MACOSX_DEPLOYMENT_TARGET while [[ $# -gt 0 ]] @@ -108,6 +108,229 @@ if [[ "$REBUILD" = true || ! -d ${QT_PATH} ]] ; then tar xf ${PACKAGE}.tar.xz pushd ${PACKAGE} if [[ "${PACKAGE}" == *"qtbase"* ]] ; then + # CVE-2023-34410-qtbase-6.5.diff + patch -Np1 <<'EOF' +diff --git a/src/corelib/serialization/qxmlstream.cpp b/src/corelib/serialization/qxmlstream.cpp +index 6e34d4d..cf46d69 100644 +--- a/src/corelib/serialization/qxmlstream.cpp ++++ b/src/corelib/serialization/qxmlstream.cpp +@@ -185,7 +185,7 @@ + addData() or by waiting for it to arrive on the device(). + + \value UnexpectedElementError The parser encountered an element +- that was different to those it expected. ++ or token that was different to those it expected. + + */ + +@@ -322,13 +322,34 @@ + + QXmlStreamReader is a well-formed XML 1.0 parser that does \e not + include external parsed entities. As long as no error occurs, the +- application code can thus be assured that the data provided by the +- stream reader satisfies the W3C's criteria for well-formed XML. For +- example, you can be certain that all tags are indeed nested and +- closed properly, that references to internal entities have been +- replaced with the correct replacement text, and that attributes have +- been normalized or added according to the internal subset of the +- DTD. ++ application code can thus be assured, that ++ \list ++ \li the data provided by the stream reader satisfies the W3C's ++ criteria for well-formed XML, ++ \li tokens are provided in a valid order. ++ \endlist ++ ++ Unless QXmlStreamReader raises an error, it guarantees the following: ++ \list ++ \li All tags are nested and closed properly. ++ \li References to internal entities have been replaced with the ++ correct replacement text. ++ \li Attributes have been normalized or added according to the ++ internal subset of the \l DTD. ++ \li Tokens of type \l StartDocument happen before all others, ++ aside from comments and processing instructions. ++ \li At most one DOCTYPE element (a token of type \l DTD) is present. ++ \li If present, the DOCTYPE appears before all other elements, ++ aside from StartDocument, comments and processing instructions. ++ \endlist ++ ++ In particular, once any token of type \l StartElement, \l EndElement, ++ \l Characters, \l EntityReference or \l EndDocument is seen, no ++ tokens of type StartDocument or DTD will be seen. If one is present in ++ the input stream, out of order, an error is raised. ++ ++ \note The token types \l Comment and \l ProcessingInstruction may appear ++ anywhere in the stream. + + If an error occurs while parsing, atEnd() and hasError() return + true, and error() returns the error that occurred. The functions +@@ -659,6 +680,7 @@ + d->token = -1; + return readNext(); + } ++ d->checkToken(); + return d->type; + } + +@@ -743,6 +765,11 @@ + "ProcessingInstruction" + ); + ++static constexpr auto QXmlStreamReader_XmlContextString = qOffsetStringArray( ++ "Prolog", ++ "Body" ++); ++ + /*! + \property QXmlStreamReader::namespaceProcessing + \brief the namespace-processing flag of the stream reader. +@@ -777,6 +804,15 @@ + return QLatin1StringView(QXmlStreamReader_tokenTypeString.at(d->type)); + } + ++/*! ++ \internal ++ \return \param loc (Prolog/Body) as a string. ++ */ ++static constexpr QLatin1StringView contextString(QXmlStreamReaderPrivate::XmlContext ctxt) ++{ ++ return QLatin1StringView(QXmlStreamReader_XmlContextString.at(static_cast(ctxt))); ++} ++ + #endif // QT_NO_XMLSTREAMREADER + + QXmlStreamPrivateTagStack::QXmlStreamPrivateTagStack() +@@ -864,6 +900,8 @@ + + type = QXmlStreamReader::NoToken; + error = QXmlStreamReader::NoError; ++ currentContext = XmlContext::Prolog; ++ foundDTD = false; + } + + /* +@@ -3838,6 +3876,97 @@ + } + } + ++static constexpr bool isTokenAllowedInContext(QXmlStreamReader::TokenType type, ++ QXmlStreamReaderPrivate::XmlContext loc) ++{ ++ switch (type) { ++ case QXmlStreamReader::StartDocument: ++ case QXmlStreamReader::DTD: ++ return loc == QXmlStreamReaderPrivate::XmlContext::Prolog; ++ ++ case QXmlStreamReader::StartElement: ++ case QXmlStreamReader::EndElement: ++ case QXmlStreamReader::Characters: ++ case QXmlStreamReader::EntityReference: ++ case QXmlStreamReader::EndDocument: ++ return loc == QXmlStreamReaderPrivate::XmlContext::Body; ++ ++ case QXmlStreamReader::Comment: ++ case QXmlStreamReader::ProcessingInstruction: ++ return true; ++ ++ case QXmlStreamReader::NoToken: ++ case QXmlStreamReader::Invalid: ++ return false; ++ } ++ ++ // GCC 8.x does not treat __builtin_unreachable() as constexpr ++#if !defined(Q_CC_GNU_ONLY) || (Q_CC_GNU >= 900) ++ Q_UNREACHABLE_RETURN(false); ++#else ++ return false; ++#endif ++} ++ ++/*! ++ \internal ++ \brief QXmlStreamReader::isValidToken ++ \return \c true if \param type is a valid token type. ++ \return \c false if \param type is an unexpected token, ++ which indicates a non-well-formed or invalid XML stream. ++ */ ++bool QXmlStreamReaderPrivate::isValidToken(QXmlStreamReader::TokenType type) ++{ ++ // Don't change currentContext, if Invalid or NoToken occur in the prolog ++ if (type == QXmlStreamReader::Invalid || type == QXmlStreamReader::NoToken) ++ return false; ++ ++ // If a token type gets rejected in the body, there is no recovery ++ const bool result = isTokenAllowedInContext(type, currentContext); ++ if (result || currentContext == XmlContext::Body) ++ return result; ++ ++ // First non-Prolog token observed => switch context to body and check again. ++ currentContext = XmlContext::Body; ++ return isTokenAllowedInContext(type, currentContext); ++} ++ ++/*! ++ \internal ++ Checks token type and raises an error, if it is invalid ++ in the current context (prolog/body). ++ */ ++void QXmlStreamReaderPrivate::checkToken() ++{ ++ Q_Q(QXmlStreamReader); ++ ++ // The token type must be consumed, to keep track if the body has been reached. ++ const XmlContext context = currentContext; ++ const bool ok = isValidToken(type); ++ ++ // Do nothing if an error has been raised already (going along with an unexpected token) ++ if (error != QXmlStreamReader::Error::NoError) ++ return; ++ ++ if (!ok) { ++ raiseError(QXmlStreamReader::UnexpectedElementError, ++ QObject::tr("Unexpected token type %1 in %2.") ++ .arg(q->tokenString(), contextString(context))); ++ return; ++ } ++ ++ if (type != QXmlStreamReader::DTD) ++ return; ++ ++ // Raise error on multiple DTD tokens ++ if (foundDTD) { ++ raiseError(QXmlStreamReader::UnexpectedElementError, ++ QObject::tr("Found second DTD token in %1.").arg(contextString(context))); ++ } else { ++ foundDTD = true; ++ } ++} ++ + /*! + \fn bool QXmlStreamAttributes::hasAttribute(QAnyStringView qualifiedName) const + +diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h +index 070424a..f09adaa 100644 +--- a/src/corelib/serialization/qxmlstream_p.h ++++ b/src/corelib/serialization/qxmlstream_p.h +@@ -297,6 +297,17 @@ + QStringDecoder decoder; + bool atEnd; + ++ enum class XmlContext ++ { ++ Prolog, ++ Body, ++ }; ++ ++ XmlContext currentContext = XmlContext::Prolog; ++ bool foundDTD = false; ++ bool isValidToken(QXmlStreamReader::TokenType type); ++ void checkToken(); ++ + /*! + \sa setType() + */ +EOF ./configure -prefix ${QT_PATH} -opensource -nomake tests -nomake examples -no-securetransport -openssl-linked -confirm-license -appstore-compliant -- -DOPENSSL_ROOT_DIR=${OPENSSL_PATH} -DCMAKE_OSX_ARCHITECTURES="x86_64;arm64" else ${QT_PATH}/bin/qt-configure-module .