From 12437b28f576414327c96c834f94da97d380a6cb Mon Sep 17 00:00:00 2001 From: Rex Dieter Date: Sep 28 2012 19:08:26 +0000 Subject: upstream disable-SSL-compression patch Conflicts: qt.spec --- diff --git a/0041-Disable-SSL-compression-by-default.patch b/0041-Disable-SSL-compression-by-default.patch new file mode 100644 index 0000000..764ccb9 --- /dev/null +++ b/0041-Disable-SSL-compression-by-default.patch 
@@ -0,0 +1,68 @@ +From d41dc3e101a694dec98d7bbb582d428d209e5401 Mon Sep 17 00:00:00 2001 +From: Richard Moore +Date: Fri, 14 Sep 2012 00:13:08 +0100 +Subject: [PATCH 41/54] Disable SSL compression by default. + +Disable SSL compression by default since this appears to be the a likely +cause of the currently hyped CRIME attack. + +This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74 + +Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a +Reviewed-by: Thiago Macieira +Reviewed-by: Peter Hartmann +--- + src/network/ssl/qssl.cpp | 5 +++-- + src/network/ssl/qsslconfiguration.cpp | 4 +++- + src/network/ssl/qsslconfiguration_p.h | 4 +++- + 3 files changed, 9 insertions(+), 4 deletions(-) + +diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp +index 49e086f..9578178 100644 +--- a/src/network/ssl/qssl.cpp ++++ b/src/network/ssl/qssl.cpp +@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE + + By default, SslOptionDisableEmptyFragments is turned on since this causes + problems with a large number of servers. SslOptionDisableLegacyRenegotiation +- is also turned on, since it introduces a security risk. The other options +- are turned off. ++ is also turned on, since it introduces a security risk. ++ SslOptionDisableCompression is turned on to prevent the attack publicised by ++ CRIME. The other options are turned off. + + Note: Availability of above options depends on the version of the SSL + backend in use. 
+diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp +index 24c7b77..3a05f54 100644 +--- a/src/network/ssl/qsslconfiguration.cpp ++++ b/src/network/ssl/qsslconfiguration.cpp +@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const + d->privateKey.isNull() && + d->peerCertificate.isNull() && + d->peerCertificateChain.count() == 0 && +- d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)); ++ d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments ++ |QSsl::SslOptionDisableLegacyRenegotiation ++ |QSsl::SslOptionDisableCompression)); + } + + /*! +diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h +index 74f17cd..c36b651 100644 +--- a/src/network/ssl/qsslconfiguration_p.h ++++ b/src/network/ssl/qsslconfiguration_p.h +@@ -83,7 +83,9 @@ public: + : protocol(QSsl::SecureProtocols), + peerVerifyMode(QSslSocket::AutoVerifyPeer), + peerVerifyDepth(0), +- sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation) ++ sslOptions(QSsl::SslOptionDisableEmptyFragments ++ |QSsl::SslOptionDisableLegacyRenegotiation ++ |QSsl::SslOptionDisableCompression) + { } + + QSslCertificate peerCertificate; +-- +1.7.12 + diff --git a/qt.spec b/qt.spec index ff1a672..f40fd88 100644 --- a/qt.spec +++ b/qt.spec @@ -16,7 +16,7 @@ Summary: Qt toolkit Name: qt Epoch: 1 Version: 4.8.2 -Release: 6%{?dist} +Release: 7%{?dist} # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT 
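Review bot: The new documentation sentence in qssl.cpp says SslOptionDisableCompression is "turned on to prevent the attack", but the note just below it says option availability depends on the SSL backend version, so on a backend without a no-compression option (for OpenSSL, presumably builds lacking `SSL_OP_NO_COMPRESSION`) the default may have no effect. I would word it as `SslOptionDisableCompression is turned on to mitigate the CRIME attack; it only takes effect if the SSL backend supports disabling compression.` so that deployers check the backend rather than rely on the default. Separately, the three-flag default mask is now spelled out twice, in `QSslConfiguration::isNull()` and in the private constructor in qsslconfiguration_p.h. If only one copy is updated later, `isNull()` silently returns false for a default-constructed configuration, so a single named constant in qsslconfiguration_p.h used by both sites would remove that risk. Both `isNull()` and the constructor start outside the lines shown in the embedded hunks.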
@@ -131,6 +131,8 @@ Patch103: qt-Fix-JIT-crash-on-x86-64-avoid-32-bit-branch-offset-o.patch # security patches # CVE-2011-3922 qt: Stack-based buffer overflow in embedded harfbuzz code Patch200: qt-4.8.0-CVE-2011-3922-bz#772125.patch +# disable compression for SSL/TLS to avoid CRIME +Patch201: 0041-Disable-SSL-compression-by-default.patch # desktop files Source20: assistant.desktop @@ -474,6 +476,7 @@ rm -fv mkspecs/linux-g++*/qmake.conf.multilib-optflags # security fixes %patch200 -p1 -b .CVE-2011-3922 +%patch201 -p1 -b .Disable-SSL-compression # drop -fexceptions from $RPM_OPT_FLAGS RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'` @@ -1102,6 +1105,9 @@ fi %changelog +* Thu Sep 27 2012 Rex Dieter 1:4.8.2-7 +- upstream disable-SSL-compression patch + * Tue Sep 04 2012 Rex Dieter 4.8.2-6 - revert "fix QtScript JIT crash" patch, causes frequent segmentation faults (#853587)
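Review bot: The comment added above `Patch201` names the attack but, unlike the `Patch200` entry directly before it, carries no CVE or bug-tracker reference, and the new `%changelog` entry has none either. That makes it harder to confirm from the package metadata that a given build carries the fix. I would follow the existing convention, e.g. `# <CVE-ID placeholder> qt: SSL/TLS compression enabled by default (CRIME), bz#<bug-id placeholder>`, and repeat the same identifier in the changelog line.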