From: Than Ngo
Date: Fri, 9 Jun 2023 15:29:40 +0000 (+0000)
Subject: fix #2212749, CVE-2023-34410
X-Git-Tag: archive/raspbian/4%4.8.7+dfsg-18+rpi1+deb10u2^2~53
X-Git-Url: https://dgit.raspbian.org/?a=commitdiff_plain;h=d7555ade4d37d0c9a772f97b1c381ebb50ef5879;p=qt4-x11.git
fix #2212749, CVE-2023-34410
Gbp-Pq: Name CVE-2023-34410.patch
---
diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index c262f2214..d868d043f 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -1863,6 +1863,10 @@ QSslSocketPrivate::QSslSocketPrivate()
 , plainSocket(0)
 {
 QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
+ // If the global configuration doesn't allow root certificates to be loaded
+ // on demand then we have to disable it for this socket as well.
+ if (!configuration.allowRootCertOnDemandLoading)
+ allowRootCertOnDemandLoading = false;
 }
 
 /*!
@@ -2041,6 +2045,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
 ptr->sessionCipher = global->sessionCipher;
 ptr->ciphers = global->ciphers;
 ptr->caCertificates = global->caCertificates;
+ ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
 ptr->protocol = global->protocol;
 ptr->peerVerifyMode = global->peerVerifyMode;
 ptr->peerVerifyDepth = global->peerVerifyDepth;
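Review bot: The new check in the `QSslSocketPrivate` constructor applies the restriction only once, at construction, and nothing in this hunk keeps the socket-level `allowRootCertOnDemandLoading` in step with `configuration.allowRootCertOnDemandLoading` if `configuration` is replaced on the socket later. Any setter that assigns a new configuration is outside this diff, so it is worth confirming there; a path that leaves the socket flag true could let system roots be loaded for a socket that was meant to trust only an explicit CA list. I would also make the comment say the direction is deliberate, e.g. `// One-way on purpose: this may only ever turn on-demand loading off.` The constructor's initializer list starts above the hunk.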
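Review bot: `deepCopyDefaultConfiguration` copies the default configuration member by member, and the added `ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;` line has neither a test nor a comment to stop another security-relevant member being missed the same way. A regression test that installs a restricted default configuration, constructs a socket and checks that on-demand root loading is off for it would pin both hunks of this patch. The copy also only helps if the global flag is actually cleared wherever the default CA list is replaced, and that code is not visible in this diff. A comment above the assignments such as `// Every QSslConfigurationPrivate member must be copied here; a missing one silently keeps its default.` would help. The function starts and ends outside the hunk.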