Date: Sun, 7 Jan 2024 22:06:49 GMT
Message-Id: <202401072206.407M6ns8051378@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org
From: "Jason E. Hale"
Subject: git: 205177c8320e - main - net/qt5-network: Address CVE-2023-51714
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhale
X-Git-Repository: ports
X-Git-Refname: refs/heads/main
X-Git-Reftype: branch
X-Git-Commit: 205177c8320e5b5ab241deda273f860866b62218
Auto-Submitted: auto-generated

The branch main has been updated by jhale:

URL: https://cgit.FreeBSD.org/ports/commit/?id=205177c8320e5b5ab241deda273f860866b62218

commit 205177c8320e5b5ab241deda273f860866b62218
Author:     Jason E. Hale
AuthorDate: 2024-01-07 21:27:24 +0000
Commit:     Jason E. Hale
CommitDate: 2024-01-07 22:03:34 +0000

    net/qt5-network: Address CVE-2023-51714

    A potential integer overflow has been discovered in Qt's HTTP2
    implementation. If the HTTP2 implementation receives more than 4GiB in
    total headers, or more than 2GiB for any given header pair, then the
    internal buffers may overflow.

    Reported by: vvd via #freebsd-desktop
    MFH: 2024Q1
    Security: e2f981f1-ad9e-11ee-8b55-4ccc6adda413
--- net/qt5-network/Makefile | 1 + net/qt5-network/files/patch-security-rollup | 165 ++++++++++++++++++++++++++++ 2 files changed, 166 insertions(+) diff --git a/net/qt5-network/Makefile b/net/qt5-network/Makefile index c92c8074b1f0..c0ec67874b8c 100644 --- a/net/qt5-network/Makefile +++ b/net/qt5-network/Makefile @@ -1,5 +1,6 @@ PORTNAME= network PORTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH} +PORTREVISION= 1 CATEGORIES= net PKGNAMEPREFIX= qt5- diff --git a/net/qt5-network/files/patch-security-rollup b/net/qt5-network/files/patch-security-rollup new file mode 100644 index 000000000000..09cf34ef8b34 --- /dev/null +++ b/net/qt5-network/files/patch-security-rollup 
@@ -0,0 +1,165 @@ +From a4d20b51de320a5da2d5f1bf277af8293adc5398 Mon Sep 17 00:00:00 2001 +From: Marc Mutz +Date: Tue, 12 Dec 2023 20:51:56 +0100 +Subject: [PATCH] HPack: fix a Yoda Condition + +Putting the variable on the LHS of a relational operation makes the +expression easier to read. In this case, we find that the whole +expression is nonsensical as an overflow protection, because if +name.size() + value.size() overflows, the result will exactly _not_ +be > max() - 32, because UB will have happened. + +To be fixed in a follow-up commit. + +As a drive-by, add parentheses around the RHS. + +Change-Id: I35ce598884c37c51b74756b3bd2734b9aad63c09 +Reviewed-by: Allan Sandfeld Jensen +(cherry picked from commit 658607a34ead214fbacbc2cca44915655c318ea9) +Reviewed-by: Qt Cherry-pick Bot +(cherry picked from commit 4f7efd41740107f90960116700e3134f5e433867) +(cherry picked from commit 13c16b756900fe524f6d9534e8a07aa003c05e0c) +(cherry picked from commit 1d4788a39668fb2dc5912a8d9c4272dc40e99f92) +(cherry picked from commit 87de75b5cc946d196decaa6aef4792a6cac0b6db) +--- + src/network/access/http2/hpacktable.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp +index fddb5feca56..3d88cb66f51 100644 +--- src/network/access/http2/hpacktable.cpp.orig ++++ src/network/access/http2/hpacktable.cpp +@@ -63,7 +63,7 @@ HeaderSize entry_size(const QByteArray &name, const QByteArray &value) + // 32 octets of overhead." 
+ + const unsigned sum = unsigned(name.size() + value.size()); +- if (std::numeric_limits::max() - 32 < sum) ++ if (sum > (std::numeric_limits::max() - 32)) + return HeaderSize(); + return HeaderSize(true, quint32(sum + 32)); + } +From c379f4ef587d61c9a5b61b5ada57fdadcc8145eb Mon Sep 17 00:00:00 2001 +From: Marc Mutz +Date: Tue, 12 Dec 2023 22:08:07 +0100 +Subject: [PATCH] HPack: fix incorrect integer overflow check +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +This code never worked: + +For the comparison with max() - 32 to trigger, on 32-bit platforms (or +Qt 5) signed interger overflow would have had to happen in the +addition of the two sizes. The compiler can therefore remove the +overflow check as dead code. + +On Qt 6 and 64-bit platforms, the signed integer addition would be +very unlikely to overflow, but the following truncation to uint32 +would yield the correct result only in a narrow 32-value window just +below UINT_MAX, if even that. + +Fix by using the proper tool, qAddOverflow. 
+ +Manual conflict resolutions: + - qAddOverflow doesn't exist in Qt 5, use private add_overflow + predecessor API instead + +Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c +Reviewed-by: Allan Sandfeld Jensen +(cherry picked from commit ee5da1f2eaf8932aeca02ffea6e4c618585e29e3) +Reviewed-by: Qt Cherry-pick Bot +(cherry picked from commit debeb8878da2dc706ead04b6072ecbe7e5313860) +Reviewed-by: Thiago Macieira +Reviewed-by: Marc Mutz +(cherry picked from commit 811b9eef6d08d929af8708adbf2a5effb0eb62d7) +(cherry picked from commit f931facd077ce945f1e42eaa3bead208822d3e00) +(cherry picked from commit 9ef4ca5ecfed771dab890856130e93ef5ceabef5) +Reviewed-by: Mårten Nordheim +--- + src/network/access/http2/hpacktable.cpp | 5 ++++- + 1 file changed, 4 insertions(+), 1 deletion(-) + +diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp +index 3d88cb66f51..315f3e23440 100644 +--- src/network/access/http2/hpacktable.cpp.orig ++++ src/network/access/http2/hpacktable.cpp +@@ -40,6 +40,7 @@ + #include "hpacktable_p.h" + + #include ++#include + + #include + #include +@@ -62,7 +63,9 @@ HeaderSize entry_size(const QByteArray &name, const QByteArray &value) + // for counting the number of references to the name and value would have + // 32 octets of overhead." + +- const unsigned sum = unsigned(name.size() + value.size()); ++ size_t sum; ++ if (add_overflow(size_t(name.size()), size_t(value.size()), &sum)) ++ return HeaderSize(); + if (sum > (std::numeric_limits::max() - 32)) + return HeaderSize(); + return HeaderSize(true, quint32(sum + 32)); +From 8907dedc858cc344d770a2e826d6acc516429540 Mon Sep 17 00:00:00 2001 +From: Marc Mutz +Date: Tue, 19 Dec 2023 14:22:37 +0100 +Subject: [PATCH] Http2: fix potential overflow in assemble_hpack_block() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The function is given a vector of Http2::Frame's and flattens it into +a vector. 
While each Frame can contain a maximum of 16GiB of +data (24-bit size field), one "only" needs 257 of them to overflow the +quint32 variable's range. + +So make sure any overflow does not go undetected. + +Keep the limited uint32_t range for now, as we don't know whether all +consumers of the result can deal with more than 4GiB of data. + +Since all these frames must be in memory, this cannot overflow in +practice on 32-bit machines. + +Pick-to: 6.7 6.6 6.5 6.2 5.15 +Change-Id: Iafaa7d1c870cba9100e75065db11d95934f86213 +Reviewed-by: Mårten Nordheim +(cherry picked from commit 1e6bb61af3ae29755f93b92f157df026f934ae61) + +* asturmlechner 2024-01-02: Use correct include for 5.15 +--- + src/network/access/qhttp2protocolhandler.cpp | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/network/access/qhttp2protocolhandler.cpp b/src/network/access/qhttp2protocolhandler.cpp +index 39dd460881a..ead88d781ae 100644 +--- src/network/access/qhttp2protocolhandler.cpp.orig ++++ src/network/access/qhttp2protocolhandler.cpp +@@ -46,10 +46,12 @@ + #include + + #include ++ + #include + #include + #include + #include ++#include + #include + + #include +@@ -124,8 +126,10 @@ std::vector assemble_hpack_block(const std::vector &frames) + std::vector hpackBlock; + + quint32 total = 0; +- for (const auto &frame : frames) +- total += frame.hpackBlockSize(); ++ for (const auto &frame : frames) { ++ if (add_overflow(total, frame.hpackBlockSize(), &total)) ++ return hpackBlock; ++ } + + if (!total) + return hpackBlock;
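Review bot: In the entry_size() hunk of the second embedded patch (hpacktable.cpp), the retained comparison `sum > (std::numeric_limits::max() - 32)` is what actually protects the narrowing `quint32(sum + 32)`, not the new add_overflow() call. With both operands widened to size_t, the sum of two Qt 5 lengths (int-sized, as the embedded commit message implies) cannot wrap, so add_overflow() never fires on this branch. A short comment at the comparison saying it bounds the size_t sum to the 32-bit range before the cast would keep a later cleanup from removing it as redundant.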
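Review bot: In the assemble_hpack_block() hunk (qhttp2protocolhandler.cpp), the new overflow path `return hpackBlock;` hands back the same empty vector as the existing `if (!total)` path directly below it, so a caller cannot distinguish an oversized header block from one that carried no data. Please confirm the caller treats an empty result as a stream or connection error and say so in a comment at the early return. Separately, the embedded commit message gives the per-frame maximum for a 24-bit size field as 16GiB; that should read 16MiB, which is also what makes the stated 257-frame figure work out against the quint32 range.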