From 7bb24cd4465f7889af9ce3903d7816d66b8e5eda Mon Sep 17 00:00:00 2001
From: Rex Dieter
Date: Mar 25 2011 19:12:33 +0000
Subject: followup patch for QTBUG-18338, blacklist fraudulent SSL certifcates
---
diff --git a/qt-ssl-QTBUG-18338-2.patch b/qt-ssl-QTBUG-18338-2.patch
new file mode 100644
index 0000000..b8bb1e4
--- /dev/null
+++ b/qt-ssl-QTBUG-18338-2.patch
@@ -0,0 +1,35 @@
+From b87528a71b66e786c11804d7b79e408aae612748 Mon Sep 17 00:00:00 2001
+From: Peter Hartmann
+Date: Fri, 25 Mar 2011 13:45:24 +0100
+Subject: [PATCH] QSslSocket internals: abort on encountering blacklisted certificates
+
+tested manually with "openssl s_server -cert blacklisted.pem -key
+key.pem" and connecting a QSslSocket.
+
+Reviewed-by: Markus Goetz
+Task-number: QTBUG-18338
+---
+ src/network/ssl/qsslsocket_openssl.cpp | 7 +++++++
+ 1 files changed, 7 insertions(+), 0 deletions(-)
+
+diff --git a/src/network/ssl/qsslsocket_openssl.cpp b/src/network/ssl/qsslsocket_openssl.cpp
+index 0866534..2427193 100644
+--- a/src/network/ssl/qsslsocket_openssl.cpp
++++ b/src/network/ssl/qsslsocket_openssl.cpp
+@@ -1193,6 +1193,13 @@ bool QSslSocketBackendPrivate::startHandshake()
+ X509 *x509 = q_SSL_get_peer_certificate(ssl);
+ configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
+ q_X509_free(x509);
++ if (QSslCertificatePrivate::isBlacklisted(configuration.peerCertificate)) {
++ q->setErrorString(QSslSocket::tr("The peer certificate is blacklisted"));
++ q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
++ emit q->error(QAbstractSocket::SslHandshakeFailedError);
++ plainSocket->disconnectFromHost();
++ return false;
++ }
+
+ // Start translating errors.
+ QList errors;
+--
+1.6.1
+
diff --git a/qt.spec b/qt.spec
index b31797b..61d26d1 100644
--- a/qt.spec
+++ b/qt.spec
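Review bot: The added `if` in startHandshake tests only the leaf certificate, `configuration.peerCertificate`, so a blacklisted issuer certificate presented further up the presented chain would pass this guard and fall through to the regular error translation below. If `configuration.peerCertificateChain` is populated earlier in startHandshake (outside this hunk), the same test should run over each entry before the leaf check, e.g. `foreach (const QSslCertificate &cert, configuration.peerCertificateChain) if (QSslCertificatePrivate::isBlacklisted(cert)) { /* same abort as for the leaf */ }`. Because the abort is reported through setSocketError()/error() and returns before the `// Start translating errors.` block, it is never exposed as a QSslError that the application could choose to ignore; a comment making that intent explicit would help, e.g. `// A blacklisted peer certificate is a hard handshake failure: abort here rather than report it as an ignorable QSslError.`. The body of startHandshake continues on both sides of the hunk.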
@@ -18,7 +18,7 @@ Summary: Qt toolkit
 Name: qt
 Epoch: 1
 Version: 4.7.2
-Release: 6%{?dist}
+Release: 7%{?dist}
 # See LGPL_EXCEPTIONS.txt, LICENSE.GPL3, respectively, for exception details
 License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
@@ -106,6 +106,9 @@ Patch212: 0012-Add-context-to-tr-calls-in-QShortcut.patch
 # security patches
 Patch300: qt-everywhere-opensource-src-4.7.0-CVE-2010-1822-crash-svg-image.patch
 Patch301: qt-ssl-QTBUG-18338.patch
+# http://qt.gitorious.org/+qt-developers/qt/staging/commit/b87528a71b66e786c11804d7b79e408aae612748
+# followup to 301
+Patch302: qt-ssl-QTBUG-18338-2.patch
 # gstreamer logos
 Source10: http://gstreamer.freedesktop.org/data/images/artwork/gstreamer-logo.svg
@@ -509,6 +512,7 @@ Qt libraries used for drawing widgets and OpenGL items.
 # security fixes
 %patch300 -p1 -b .CVE-2010-1822-crash-svg-image
 %patch301 -p1 -b .ssl-QTBUG-18338
+%patch302 -p1 -b .ssl-QTBUG-18338-2
 # drop -fexceptions from $RPM_OPT_FLAGS
 RPM_OPT_FLAGS=`echo $RPM_OPT_FLAGS | sed 's|-fexceptions||g'`
@@ -1189,6 +1193,9 @@ fi
 %changelog
+* Fri Mar 25 2011 Rex Dieter 1:4.7.2-7
+- followup patch for QTBUG-18338, blacklist fraudulent SSL certifcates
+
 * Fri Mar 25 2011 Rex Dieter 1:4.7.2-6
 - drop qt-designer-plugin-phonon