Debian Patches
Status for qtnetworkauth-everywhere-src/5.15.15-3
| Patch | Description | Author | Forwarded | Bugs | Origin | Last update |
|---|---|---|---|---|---|---|
| disable_tests_network.diff | skip parts of OAuth1 autotests | no | upstream, https://code.qt.io/cgit/qt/qtnetworkauth.git/commit/?id=201a224441c2dc83 | 2025-01-13 | ||
| CVE-2024-36048.diff | QAbstractOAuth: fix data race and poor seeding in generateRandomString() While not explicitly documented as thread-safe, this function maintains unprotected global state, and OAuth classes are surely used outside the main thread, so independent OAuth objects performing this operation at the same time means data race, iow: UB. . Protect with a mutex. . As a drive-by, use Q_GLOBAL_STATIC instead of magic statics, and make the char array constexpr instead of static const, to statically assert that it plays no role in thread-safety. . Also seed the PRNG with QRandomGenerator::system() instead of the moral equivalent of gettimeoday(). The OAuth1 RFC5849¹ doesn't mention it, but the OpenID² spec asks for the nonce to be "unguessable to attackers". A gettimeofday()-seeded PRNG, esp. with only millisecond resolution, clearly doesn't fulfil that requirement. . QRandomGenerator::system(), OTOH, is documented to be "securely seeded", and provides a seed_seq-like interface so the _whole_ mt19937 state can be seeded, not just a 32-bit fraction of it. . Keep the local PRNG to not exhaust the kernel's entropy pool through excessive system() usage. . ¹ https://datatracker.ietf.org/doc/html/rfc5849#section-3.3 ² https://openid.net/specs/openid-connect-core-1_0.html#NonceNotes |
no | upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2024-36048-qtnetworkauth-5.15.diff | 2024-05-27 |