upstream disable-SSL-compression patch
This commit is contained in:
parent
9315bd6aa6
commit
edf87b1ec8
68
0041-Disable-SSL-compression-by-default.patch
Normal file
68
0041-Disable-SSL-compression-by-default.patch
Normal file
@ -0,0 +1,68 @@
|
||||
From d41dc3e101a694dec98d7bbb582d428d209e5401 Mon Sep 17 00:00:00 2001
|
||||
From: Richard Moore <rich@kde.org>
|
||||
Date: Fri, 14 Sep 2012 00:13:08 +0100
|
||||
Subject: [PATCH 41/54] Disable SSL compression by default.
|
||||
|
||||
Disable SSL compression by default since this appears to be the a likely
|
||||
cause of the currently hyped CRIME attack.
|
||||
|
||||
This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74
|
||||
|
||||
Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a
|
||||
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
|
||||
Reviewed-by: Peter Hartmann <phartmann@rim.com>
|
||||
---
|
||||
src/network/ssl/qssl.cpp | 5 +++--
|
||||
src/network/ssl/qsslconfiguration.cpp | 4 +++-
|
||||
src/network/ssl/qsslconfiguration_p.h | 4 +++-
|
||||
3 files changed, 9 insertions(+), 4 deletions(-)
|
||||
|
||||
diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
|
||||
index 49e086f..9578178 100644
|
||||
--- a/src/network/ssl/qssl.cpp
|
||||
+++ b/src/network/ssl/qssl.cpp
|
||||
@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
|
||||
|
||||
By default, SslOptionDisableEmptyFragments is turned on since this causes
|
||||
problems with a large number of servers. SslOptionDisableLegacyRenegotiation
|
||||
- is also turned on, since it introduces a security risk. The other options
|
||||
- are turned off.
|
||||
+ is also turned on, since it introduces a security risk.
|
||||
+ SslOptionDisableCompression is turned on to prevent the attack publicised by
|
||||
+ CRIME. The other options are turned off.
|
||||
|
||||
Note: Availability of above options depends on the version of the SSL
|
||||
backend in use.
|
||||
diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
|
||||
index 24c7b77..3a05f54 100644
|
||||
--- a/src/network/ssl/qsslconfiguration.cpp
|
||||
+++ b/src/network/ssl/qsslconfiguration.cpp
|
||||
@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
|
||||
d->privateKey.isNull() &&
|
||||
d->peerCertificate.isNull() &&
|
||||
d->peerCertificateChain.count() == 0 &&
|
||||
- d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
|
||||
+ d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
|
||||
+ |QSsl::SslOptionDisableLegacyRenegotiation
|
||||
+ |QSsl::SslOptionDisableCompression));
|
||||
}
|
||||
|
||||
/*!
|
||||
diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
|
||||
index 74f17cd..c36b651 100644
|
||||
--- a/src/network/ssl/qsslconfiguration_p.h
|
||||
+++ b/src/network/ssl/qsslconfiguration_p.h
|
||||
@@ -83,7 +83,9 @@ public:
|
||||
: protocol(QSsl::SecureProtocols),
|
||||
peerVerifyMode(QSslSocket::AutoVerifyPeer),
|
||||
peerVerifyDepth(0),
|
||||
- sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
|
||||
+ sslOptions(QSsl::SslOptionDisableEmptyFragments
|
||||
+ |QSsl::SslOptionDisableLegacyRenegotiation
|
||||
+ |QSsl::SslOptionDisableCompression)
|
||||
{ }
|
||||
|
||||
QSslCertificate peerCertificate;
|
||||
--
|
||||
1.7.12
|
||||
|
8
qt.spec
8
qt.spec
@ -16,7 +16,7 @@ Summary: Qt toolkit
|
||||
Name: qt
|
||||
Epoch: 1
|
||||
Version: 4.8.3
|
||||
Release: 1%{?dist}
|
||||
Release: 2%{?dist}
|
||||
|
||||
# See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
|
||||
License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
|
||||
@ -122,6 +122,8 @@ Patch103: qt-Fix-JIT-crash-on-x86-64-avoid-32-bit-branch-offset-o.patch
|
||||
# security patches
|
||||
# CVE-2011-3922 qt: Stack-based buffer overflow in embedded harfbuzz code
|
||||
Patch200: qt-4.8.0-CVE-2011-3922-bz#772125.patch
|
||||
# disable compression for SSL/TLS to avoid CRIME
|
||||
Patch201: 0041-Disable-SSL-compression-by-default.patch
|
||||
|
||||
# desktop files
|
||||
Source20: assistant.desktop
|
||||
@ -459,6 +461,7 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags
|
||||
|
||||
# security fixes
|
||||
%patch200 -p1 -b .CVE-2011-3922
|
||||
%patch201 -p1 -b .Disable-SSL-compression
|
||||
|
||||
# drop -fexceptions from $RPM_OPT_FLAGS
|
||||
RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
|
||||
@ -1087,6 +1090,9 @@ fi
|
||||
|
||||
|
||||
%changelog
|
||||
* Thu Sep 27 2012 Rex Dieter <rdieter@fedoraproject.org> 1:4.8.3-2
|
||||
- upstream disable-SSL-compression patch
|
||||
|
||||
* Thu Sep 13 2012 Rex Dieter <rdieter@fedoraproject.org> - 1:4.8.3-1
|
||||
- qt-4.8.3 final
|
||||
- revert QtScript-JIT commit
|
||||
|
Loading…
Reference in New Issue
Block a user