Added security fix for CVE-2021-34825

2021-06-17 22:46:17 -04:00 · 2021-06-17 22:46:17 -04:00 · 83d9f52120
parent 0f54b9715e
commit 83d9f52120
2 changed files with 19 additions and 0 deletions
--- a/quassel.spec
+++ b/quassel.spec
@ -9,6 +9,7 @@ URL:     http://quassel-irc.org/
 Source0: http://quassel-irc.org/pub/quassel-%{version}.tar.bz2

 BuildRoot: %(mktemp -ud %{_tmppath}/%{name}-%{version}-%{release}-XXXXXX)
+Patch0: quassel_0.12.5_CVE-2021-34825.patch

 Buildrequires: cmake
 BuildRequires: desktop-file-utils
--- a/quassel_0.12.5_CVE-2021-34825.patch
+++ b/quassel_0.12.5_CVE-2021-34825.patch
@ -0,0 +1,18 @@
+diff --git a/src/core/sslserver.cpp b/src/core/sslserver.cpp
+index 9c3c7edc..1c1f05cd 100644
+--- a/src/core/sslserver.cpp
+++ b/src/core/sslserver.cpp
+@@ -49,6 +49,13 @@ SslServer::SslServer(QObject* parent)
+ 
+     // Initialize the certificates for first-time usage
+     if (!loadCerts()) {
+        // If the core is unable to load a certificate, and "--require-ssl" is specified,
+        // do not proceed, throw an exception and quit. This prevents the core from falling
+        // back to a plaintext-only core when they should be expecting SSL/TLS only.
+        if (Quassel::isOptionSet("require-ssl")) {
+            throw ExitException{EXIT_FAILURE, tr("--require-ssl is set, but no SSL certificate is available. Exiting.\n"
+                                                 "Please see https://quassel-irc.org/faq/cert to learn how to enable SSL support.")};
+        }
+         if (!sslWarningShown) {
+             qWarning() << "SslServer: Unable to set certificate file\n"
+                        << "          Quassel Core will still work, but cannot provide SSL for client connections.\n"