Merge branch 'f17' into f16

2012-09-28 14:09:02 -05:00 · 2012-09-28 14:09:02 -05:00 · 22e5ecb69a
parent 6662fae879 12437b28f5
commit 22e5ecb69a
2 changed files with 80 additions and 2 deletions
--- a/0041-Disable-SSL-compression-by-default.patch
+++ b/0041-Disable-SSL-compression-by-default.patch
@ -0,0 +1,68 @@
+From d41dc3e101a694dec98d7bbb582d428d209e5401 Mon Sep 17 00:00:00 2001
+From: Richard Moore <rich@kde.org>
+Date: Fri, 14 Sep 2012 00:13:08 +0100
+Subject: [PATCH 41/54] Disable SSL compression by default.
+
+Disable SSL compression by default since this appears to be the a likely
+cause of the currently hyped CRIME attack.
+
+This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74
+
+Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+Reviewed-by: Peter Hartmann <phartmann@rim.com>
+---
+ src/network/ssl/qssl.cpp              | 5 +++--
+ src/network/ssl/qsslconfiguration.cpp | 4 +++-
+ src/network/ssl/qsslconfiguration_p.h | 4 +++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
+index 49e086f..9578178 100644
+--- a/src/network/ssl/qssl.cpp
+++ b/src/network/ssl/qssl.cpp
+@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
+ 
+     By default, SslOptionDisableEmptyFragments is turned on since this causes
+     problems with a large number of servers. SslOptionDisableLegacyRenegotiation
+-    is also turned on, since it introduces a security risk. The other options
+-    are turned off.
+    is also turned on, since it introduces a security risk.
+    SslOptionDisableCompression is turned on to prevent the attack publicised by
+    CRIME. The other options are turned off.
+ 
+     Note: Availability of above options depends on the version of the SSL
+     backend in use.
+diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
+index 24c7b77..3a05f54 100644
+--- a/src/network/ssl/qsslconfiguration.cpp
+++ b/src/network/ssl/qsslconfiguration.cpp
+@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
+             d->privateKey.isNull() &&
+             d->peerCertificate.isNull() &&
+             d->peerCertificateChain.count() == 0 &&
+-            d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
+            d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
+                              |QSsl::SslOptionDisableLegacyRenegotiation
+                              |QSsl::SslOptionDisableCompression));
+ }
+ 
+ /*!
+diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
+index 74f17cd..c36b651 100644
+--- a/src/network/ssl/qsslconfiguration_p.h
+++ b/src/network/ssl/qsslconfiguration_p.h
+@@ -83,7 +83,9 @@ public:
+         : protocol(QSsl::SecureProtocols),
+           peerVerifyMode(QSslSocket::AutoVerifyPeer),
+           peerVerifyDepth(0),
+-          sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
+          sslOptions(QSsl::SslOptionDisableEmptyFragments
+                     |QSsl::SslOptionDisableLegacyRenegotiation
+                     |QSsl::SslOptionDisableCompression)
+     { }
+ 
+     QSslCertificate peerCertificate;
+-- 
+1.7.12
+
--- a/qt.spec
+++ b/qt.spec
@ -16,7 +16,7 @@ Summary: Qt toolkit
 Name:    qt
 Epoch:   1
 Version: 4.8.2
-Release: 5%{?dist}
+Release: 7%{?dist}

 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
 License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@ -125,11 +125,14 @@ Patch102: qt-everywhere-opensource-src-4.8.1-type.patch
 # fix JIT crash
 # https://bugreports.qt-project.org/browse/QTBUG-23871
 # https://bugs.kde.org/show_bug.cgi?id=297661
+# REVERT for now, http://bugzilla.redhat.com/853587
 Patch103: qt-Fix-JIT-crash-on-x86-64-avoid-32-bit-branch-offset-o.patch

 # security patches
 # CVE-2011-3922 qt: Stack-based buffer overflow in embedded harfbuzz code
 Patch200: qt-4.8.0-CVE-2011-3922-bz#772125.patch
+# disable compression for SSL/TLS to avoid CRIME
+Patch201: 0041-Disable-SSL-compression-by-default.patch

 # desktop files
 Source20: assistant.desktop
@ -469,10 +472,11 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
 %patch100 -p1 -b .QTgaHandler
 %patch101 -p1 -b .fix_cursor_blink
 %patch102 -p1 -b .bigendian
-%patch103 -p1 -b .QtScript_JIT
+#patch103 -p1 -b .QtScript_JIT

 # security fixes
 %patch200 -p1 -b .CVE-2011-3922
+%patch201 -p1 -b .Disable-SSL-compression

 # drop -fexceptions from $RPM_OPT_FLAGS
 RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
@ -1101,6 +1105,12 @@ fi


 %changelog
+* Thu Sep 27 2012 Rex Dieter <rdieter@fedoraproject.org> 1:4.8.2-7
+- upstream disable-SSL-compression patch
+
+* Tue Sep 04 2012 Rex Dieter <rdieter@fedoraproject.org> 4.8.2-6
+- revert "fix QtScript JIT crash" patch, causes frequent segmentation faults (#853587)
+
 * Mon Aug 13 2012 Rex Dieter <rdieter@fedoraproject.org> 4.8.2-5
 - fix QtScript JIT crash (QTBUG-23871, kde#297661)