From nobody Sun Jan 7 22:08:38 2024
Date: Sun, 7 Jan 2024 22:08:38 GMT
Message-Id: <202401072208.407M8c9q051846@gitrepo.freebsd.org>
To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-branches@FreeBSD.org
From: "Jason E. Hale"
Subject: git: dfda6959a585 - 2024Q1 - devel/qt6-base: Address CVE-2023-51714
List-Id: Commit messages for all branches of the ports repository
List-Archive: https://lists.freebsd.org/archives/dev-commits-ports-all
Sender: owner-dev-commits-ports-all@freebsd.org
X-BeenThere: dev-commits-ports-all@freebsd.org
MIME-Version: 1.0
Content-Type: text/plain; charset=utf-8
Content-Transfer-Encoding: 8bit
X-Git-Committer: jhale
X-Git-Repository: ports
X-Git-Refname: refs/heads/2024Q1
X-Git-Reftype: branch
X-Git-Commit: dfda6959a585c49c3aa2198e57f9b9b65e3d6f7a
Auto-Submitted: auto-generated

The branch 2024Q1 has been updated by jhale:

URL: https://cgit.FreeBSD.org/ports/commit/?id=dfda6959a585c49c3aa2198e57f9b9b65e3d6f7a

commit dfda6959a585c49c3aa2198e57f9b9b65e3d6f7a
Author:     Jason E. Hale
AuthorDate: 2024-01-07 21:33:23 +0000
Commit:     Jason E. Hale
CommitDate: 2024-01-07 22:08:29 +0000

    devel/qt6-base: Address CVE-2023-51714

    A potential integer overflow has been discovered in Qt's HTTP2
    implementation. If the HTTP2 implementation receives more than 4GiB in
    total headers, or more than 2GiB for any given header pair, then the
    internal buffers may overflow.

    Reported by:    vvd via #freebsd-desktop
    MFH:            2024Q1
    Security:       e2f981f1-ad9e-11ee-8b55-4ccc6adda413

    (cherry picked from commit dff1011899273e61cc67ae705c8f4447f0bfc3b8)
--- devel/qt6-base/Makefile | 2 +- devel/qt6-base/files/patch-security-rollup | 145 +++++++++++++++++++++++++++++ 2 files changed, 146 insertions(+), 1 deletion(-) diff --git a/devel/qt6-base/Makefile b/devel/qt6-base/Makefile index a13c3131b27f..6b55a7b9f2bc 100644 --- a/devel/qt6-base/Makefile +++ b/devel/qt6-base/Makefile @@ -1,6 +1,6 @@ PORTNAME= base DISTVERSION= ${QT6_VERSION} -PORTREVISION= 1 +PORTREVISION= 2 CATEGORIES= devel PKGNAMEPREFIX= qt6- 
diff --git a/devel/qt6-base/files/patch-security-rollup b/devel/qt6-base/files/patch-security-rollup new file mode 100644 index 000000000000..e1b537aa5e1c --- /dev/null +++ b/devel/qt6-base/files/patch-security-rollup 
@@ -0,0 +1,145 @@ +From 13c16b756900fe524f6d9534e8a07aa003c05e0c Mon Sep 17 00:00:00 2001 +From: Marc Mutz +Date: Tue, 12 Dec 2023 20:51:56 +0100 +Subject: [PATCH] HPack: fix a Yoda Condition + +Putting the variable on the LHS of a relational operation makes the +expression easier to read. In this case, we find that the whole +expression is nonsensical as an overflow protection, because if +name.size() + value.size() overflows, the result will exactly _not_ +be > max() - 32, because UB will have happened. + +To be fixed in a follow-up commit. + +As a drive-by, add parentheses around the RHS. + +Pick-to: 6.5 6.2 5.15 +Change-Id: I35ce598884c37c51b74756b3bd2734b9aad63c09 +Reviewed-by: Allan Sandfeld Jensen +(cherry picked from commit 658607a34ead214fbacbc2cca44915655c318ea9) +Reviewed-by: Qt Cherry-pick Bot +(cherry picked from commit 4f7efd41740107f90960116700e3134f5e433867) +--- + src/network/access/http2/hpacktable.cpp | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp +index 74a09a207ff..c8c5d098c80 100644 +--- src/network/access/http2/hpacktable.cpp.orig ++++ src/network/access/http2/hpacktable.cpp +@@ -27,7 +27,7 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value) + // 32 octets of overhead." + + const unsigned sum = unsigned(name.size() + value.size()); +- if (std::numeric_limits::max() - 32 < sum) ++ if (sum > (std::numeric_limits::max() - 32)) + return HeaderSize(); + return HeaderSize(true, quint32(sum + 32)); + } +From 811b9eef6d08d929af8708adbf2a5effb0eb62d7 Mon Sep 17 00:00:00 2001 +From: Marc Mutz +Date: Tue, 12 Dec 2023 22:08:07 +0100 +Subject: [PATCH] HPack: fix incorrect integer overflow check + +This code never worked: + +For the comparison with max() - 32 to trigger, on 32-bit platforms (or +Qt 5) signed interger overflow would have had to happen in the +addition of the two sizes. 
The compiler can therefore remove the +overflow check as dead code. + +On Qt 6 and 64-bit platforms, the signed integer addition would be +very unlikely to overflow, but the following truncation to uint32 +would yield the correct result only in a narrow 32-value window just +below UINT_MAX, if even that. + +Fix by using the proper tool, qAddOverflow. + +Pick-to: 6.5 6.2 5.15 +Change-Id: I7599f2e75ff7f488077b0c60b81022591005661c +Reviewed-by: Allan Sandfeld Jensen +(cherry picked from commit ee5da1f2eaf8932aeca02ffea6e4c618585e29e3) +Reviewed-by: Qt Cherry-pick Bot +(cherry picked from commit debeb8878da2dc706ead04b6072ecbe7e5313860) +Reviewed-by: Thiago Macieira +Reviewed-by: Marc Mutz +--- + src/network/access/http2/hpacktable.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/network/access/http2/hpacktable.cpp b/src/network/access/http2/hpacktable.cpp +index c8c5d098c80..2c728b37e3b 100644 +--- src/network/access/http2/hpacktable.cpp.orig ++++ src/network/access/http2/hpacktable.cpp +@@ -26,7 +26,9 @@ HeaderSize entry_size(QByteArrayView name, QByteArrayView value) + // for counting the number of references to the name and value would have + // 32 octets of overhead." + +- const unsigned sum = unsigned(name.size() + value.size()); ++ size_t sum; ++ if (qAddOverflow(size_t(name.size()), size_t(value.size()), &sum)) ++ return HeaderSize(); + if (sum > (std::numeric_limits::max() - 32)) + return HeaderSize(); + return HeaderSize(true, quint32(sum + 32)); +From 2e50fbc30a61d69cc2caf6fbd8aca29aa6b8db86 Mon Sep 17 00:00:00 2001 +From: Marc Mutz +Date: Tue, 19 Dec 2023 14:22:37 +0100 +Subject: [PATCH] Http2: fix potential overflow in assemble_hpack_block() +MIME-Version: 1.0 +Content-Type: text/plain; charset=UTF-8 +Content-Transfer-Encoding: 8bit + +The function is given a vector of Http2::Frame's and flattens it into +a vector. 
While each Frame can contain a maximum of 16GiB of +data (24-bit size field), one "only" needs 257 of them to overflow the +quint32 variable's range. + +So make sure any overflow does not go undetected. + +Keep the limited uint32_t range for now, as we don't know whether all +consumers of the result can deal with more than 4GiB of data. + +Since all these frames must be in memory, this cannot overflow in +practice on 32-bit machines. + +Pick-to: 6.5 6.2 5.15 +Change-Id: Iafaa7d1c870cba9100e75065db11d95934f86213 +Reviewed-by: MÃ¥rten Nordheim +(cherry picked from commit 1e6bb61af3ae29755f93b92f157df026f934ae61) +Reviewed-by: Qt Cherry-pick Bot +(cherry picked from commit af8a9874c32c6b1af8998be9487170b6269dbe1f) +--- + src/network/access/qhttp2protocolhandler.cpp | 8 ++++++-- + 1 file changed, 6 insertions(+), 2 deletions(-) + +diff --git a/src/network/access/qhttp2protocolhandler.cpp b/src/network/access/qhttp2protocolhandler.cpp +index 88963f89687..707ef8de54e 100644 +--- src/network/access/qhttp2protocolhandler.cpp.orig ++++ src/network/access/qhttp2protocolhandler.cpp +@@ -10,10 +10,12 @@ + #include + + #include ++ + #include + #include + #include + #include ++#include + #include + + #include +@@ -90,8 +92,10 @@ std::vector assemble_hpack_block(const std::vector &frames) + std::vector hpackBlock; + + quint32 total = 0; +- for (const auto &frame : frames) +- total += frame.hpackBlockSize(); ++ for (const auto &frame : frames) { ++ if (qAddOverflow(total, frame.hpackBlockSize(), &total)) ++ return hpackBlock; ++ } + + if (!total) + return hpackBlock;
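
Review bot: The new file devel/qt6-base/files/patch-security-rollup concatenates three upstream commits with nothing at its top saying which of them addresses CVE-2023-51714, and the first one ("HPack: fix a Yoda Condition") only reorders the comparison while its own message calls the check nonsensical as overflow protection. A short header comment naming the CVE, listing the three upstream commit ids, and stating why the cosmetic first patch is carried would make it easier to decide when the file can be dropped on the next Qt update.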
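
Review bot: In the second embedded patch (hpacktable.cpp, entry_size), the retained context line `if (sum > (std::numeric_limits::max() - 32))` now compares a size_t `sum`, so the range check is only as good as the type of that limit: it has to be the 32-bit unsigned maximum for the following `quint32(sum + 32)` to be free of truncation, and the template argument is not visible in this copy of the patch. Worth confirming against the upstream commit. The casts `size_t(name.size())` and `size_t(value.size())` also assume the sizes are never negative, which a one-line comment in the function could state.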
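
Review bot: In the third embedded patch (qhttp2protocolhandler.cpp, assemble_hpack_block), the new overflow branch `return hpackBlock;` hands back the same empty vector as the existing `if (!total)` branch, so a caller cannot tell an oversized header block from an empty one. Consider a comment stating that callers must treat an empty result as a failure, or a warning on the overflow branch so the condition is visible in logs. The patch description also gives 16GiB per frame for a 24-bit size field, but 2^24 bytes is 16MiB, which is the figure that makes "257 of them" exceed the quint32 range; the wording could be corrected upstream.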