[arch-commits] Commit in qt/trunk (PKGBUILD disable-ssl-compression.patch)

Andrea Scarpino andrea at archlinux.org
Thu Sep 27 11:08:23 UTC 2012


    Date: Thursday, September 27, 2012 @ 07:08:23
  Author: andrea
Revision: 167190

Security fix, see http://lists.qt-project.org/pipermail/announce/2012-September/000009.html

Added:
  qt/trunk/disable-ssl-compression.patch
Modified:
  qt/trunk/PKGBUILD

-------------------------------+
 PKGBUILD                      |   11 ++++--
 disable-ssl-compression.patch |   68 ++++++++++++++++++++++++++++++++++++++++
 2 files changed, 76 insertions(+), 3 deletions(-)

Modified: PKGBUILD
===================================================================
--- PKGBUILD	2012-09-27 01:16:55 UTC (rev 167189)
+++ PKGBUILD	2012-09-27 11:08:23 UTC (rev 167190)
@@ -5,7 +5,7 @@
 pkgbase=qt
 pkgname=('qt' 'qt-private-headers')
 pkgver=4.8.3
-pkgrel=3
+pkgrel=4
 arch=('i686' 'x86_64')
 url='http://qt-project.org/'
 license=('GPL3' 'LGPL')
@@ -20,7 +20,8 @@
         'qtconfig.desktop'
         'improve-cups-support.patch'
         'fix-crash-in-assistant.patch'
-        'undo-fix-jit-crash-on-x86_64.patch')
+        'undo-fix-jit-crash-on-x86_64.patch'
+        'disable-ssl-compression.patch')
 md5sums=('a663b6c875f8d7caa8ac9c30e4a4ec3b'
          'fc211414130ab2764132e7370f8e5caa'
          '85179f5e0437514f8639957e1d8baf62'
@@ -28,7 +29,8 @@
          '6b771c8a81dd90b45e8a79afa0e5bbfd'
          'c439c7731c25387352d8453ca7574971'
          '57590084078b6379f0501f7728b02ae2'
-         '094e5a4e30e52423c77daa4a9c782df5')
+         '094e5a4e30e52423c77daa4a9c782df5'
+         '94e9e433342018bf35e8d6d968b7432c')
 
 build() {
   cd "${srcdir}"/${_pkgfqn}
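Review bot: The checksum added for disable-ssl-compression.patch is an MD5 digest, which is not collision-resistant, so it catches accidental corruption but not a deliberately substituted file. That matters most for the upstream source tarball, whose entry sits in the part of `md5sums` above this hunk and is not visible here. makepkg also accepts a `sha256sums=(...)` array, and moving the whole array to it would make the integrity check on a security update meaningful.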
@@ -41,6 +43,9 @@
 
   # (FS#31654)
   patch -Rp1 -i "${srcdir}"/undo-fix-jit-crash-on-x86_64.patch
+
+  # Security fix
+  patch -p1 -i "${srcdir}"/disable-ssl-compression.patch
   
   export QT4DIR="${srcdir}"/${_pkgfqn}
   export LD_LIBRARY_PATH=${QT4DIR}/lib:${LD_LIBRARY_PATH}
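Review bot: The comment `# Security fix` above the new `patch -p1` line does not say which issue is being fixed, unlike the `# (FS#31654)` reference on the patch before it. I would write it as `# Disable SSL compression by default (CRIME), see http://lists.qt-project.org/pipermail/announce/2012-September/000009.html`, so that whoever updates Qt next can check whether upstream already carries the change before dropping the patch. It is also worth confirming that a failed `patch` aborts the build, so a package is never produced without the fix applied. build() starts and continues outside this hunk.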

Added: disable-ssl-compression.patch
===================================================================
--- disable-ssl-compression.patch	                        (rev 0)
+++ disable-ssl-compression.patch	2012-09-27 11:08:23 UTC (rev 167190)
@@ -0,0 +1,68 @@
+From d41dc3e101a694dec98d7bbb582d428d209e5401 Mon Sep 17 00:00:00 2001
+From: Richard Moore <rich at kde.org>
+Date: Fri, 14 Sep 2012 00:13:08 +0100
+Subject: [PATCH] Disable SSL compression by default.
+
+Disable SSL compression by default since this appears to be the a likely
+cause of the currently hyped CRIME attack.
+
+This is a backport of 5ea896fbc63593f424a7dfbb11387599c0025c74
+
+Change-Id: I6eeefb23c6b140a9633b28ed85879459c474348a
+Reviewed-by: Thiago Macieira <thiago.macieira at intel.com>
+Reviewed-by: Peter Hartmann <phartmann at rim.com>
+---
+ src/network/ssl/qssl.cpp              |    5 +++--
+ src/network/ssl/qsslconfiguration.cpp |    4 +++-
+ src/network/ssl/qsslconfiguration_p.h |    4 +++-
+ 3 files changed, 9 insertions(+), 4 deletions(-)
+
+diff --git a/src/network/ssl/qssl.cpp b/src/network/ssl/qssl.cpp
+index 49e086f..9578178 100644
+--- a/src/network/ssl/qssl.cpp
++++ b/src/network/ssl/qssl.cpp
+@@ -148,8 +148,9 @@ QT_BEGIN_NAMESPACE
+ 
+     By default, SslOptionDisableEmptyFragments is turned on since this causes
+     problems with a large number of servers. SslOptionDisableLegacyRenegotiation
+-    is also turned on, since it introduces a security risk. The other options
+-    are turned off.
++    is also turned on, since it introduces a security risk.
++    SslOptionDisableCompression is turned on to prevent the attack publicised by
++    CRIME. The other options are turned off.
+ 
+     Note: Availability of above options depends on the version of the SSL
+     backend in use.
+diff --git a/src/network/ssl/qsslconfiguration.cpp b/src/network/ssl/qsslconfiguration.cpp
+index 24c7b77..3a05f54 100644
+--- a/src/network/ssl/qsslconfiguration.cpp
++++ b/src/network/ssl/qsslconfiguration.cpp
+@@ -201,7 +201,9 @@ bool QSslConfiguration::isNull() const
+             d->privateKey.isNull() &&
+             d->peerCertificate.isNull() &&
+             d->peerCertificateChain.count() == 0 &&
+-            d->sslOptions == (QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation));
++            d->sslOptions == ( QSsl::SslOptionDisableEmptyFragments
++                              |QSsl::SslOptionDisableLegacyRenegotiation
++                              |QSsl::SslOptionDisableCompression));
+ }
+ 
+ /*!
+diff --git a/src/network/ssl/qsslconfiguration_p.h b/src/network/ssl/qsslconfiguration_p.h
+index 74f17cd..c36b651 100644
+--- a/src/network/ssl/qsslconfiguration_p.h
++++ b/src/network/ssl/qsslconfiguration_p.h
+@@ -83,7 +83,9 @@ public:
+         : protocol(QSsl::SecureProtocols),
+           peerVerifyMode(QSslSocket::AutoVerifyPeer),
+           peerVerifyDepth(0),
+-          sslOptions(QSsl::SslOptionDisableEmptyFragments|QSsl::SslOptionDisableLegacyRenegotiation)
++          sslOptions(QSsl::SslOptionDisableEmptyFragments
++                     |QSsl::SslOptionDisableLegacyRenegotiation
++                     |QSsl::SslOptionDisableCompression)
+     { }
+ 
+     QSslCertificate peerCertificate;
+-- 
+1.7.10
+
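Review bot: The new sentence in qssl.cpp says SslOptionDisableCompression is turned on "to prevent" the CRIME attack, but the note directly below it says option availability depends on the SSL backend version, so with a backend that cannot disable compression the new default may have no effect (the backend code is not part of this patch, so this is inferred). The documentation would be safer as `SslOptionDisableCompression is turned on to mitigate the CRIME attack where the SSL backend supports it.` Separately, the default option mask is now spelled out in two places: the constructor in qsslconfiguration_p.h and the comparison in QSslConfiguration::isNull(), whose body starts outside the hunk. If one is changed without the other, a default-constructed configuration stops being reported as null, so a single shared constant used by both would remove that coupling.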



