Fix CVE-2023-24607

Forwarded: not-needed

CVE-2023-24607 can trigger a DOS with a specifically crafted string,
see https://bugs.debian.org/cgi-bin/bugreport.cgi?bug=1031871.
This patch https://codereview.qt-project.org/c/qt/qtbase/+/456216,
https://codereview.qt-project.org/c/qt/qtbase/+/457637 and
https://codereview.qt-project.org/c/qt/qtbase/+/457937
See: https://www.qt.io/blog/security-advisory-qt-sql-odbc-driver-plugin

Gbp-Pq: Name cve-2023-24607.patch

[PATCH] Add/enable Alpha detection

- uncomment the Alpha detection defining Q_PROCESSOR_ALPHA, which is
  already used/documented in few places
- set the right machine type in QElfParser for Alpha ELF files

Pick-to: 6.5
Change-Id: I072bdee8b73ad3c86591c764aa7075c114967fd9
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Reviewed-by: Lisandro Damián Nicanor Pérez Meyer <perezmeyer@gmail.com>
Gbp-Pq: Name upstream_Add-enable-Alpha-detection.patch

[PATCH] Add M68k detection

- detect the M68k architecture (Motorola 68000) and define
  Q_PROCESSOR_M68K
- set the right machine type in QElfParser for M68k ELF files

Change-Id: Ie5694abbe1ae2bfeb5692defba0ca6062c1d60ac
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Gbp-Pq: Name upstream_Add-M68k-detection.patch

[PATCH] Add HPPA detection

- detect the HPPA architecture (PA-RISC) and define Q_PROCESSOR_HPPA
- set the right machine type in QElfParser for HPPA ELF files

Change-Id: I5214ce64ef1fdd0ecca3d6c1694c5db9b2852a22
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Gbp-Pq: Name upstream_Add-HPPA-detection.patch

cve-2023-33285

Gbp-Pq: Name cve-2023-33285.diff

cve-2023-32763

Gbp-Pq: Name cve-2023-32763.diff

cve-2023-32762

Gbp-Pq: Name cve-2023-32762.diff

[PATCH] Schannel: Reject certificate not signed by a configured CA certificate

Not entirely clear why, but when building the certificate chain for a
peer the system certificate store is searched for root certificates.
General expectation is that after calling
`sslConfiguration.setCaCertificates()` the system certificates will
not be taken into consideration.

To work around this behavior, we do a manual check that the root of the
chain is part of the configured CA certificates.

Pick-to: 6.5 6.2 5.15
Change-Id: I03666a4d9b0eac39ae97e150b4743120611a11b3
Reviewed-by: Edward Welbourne <edward.welbourne@qt.io>
Reviewed-by: Volker Hilsheimer <volker.hilsheimer@qt.io>
Gbp-Pq: Name cve-2023-34410-ada2c57.diff

[PATCH] Ssl: Copy the on-demand cert loading bool from default config

Otherwise individual sockets will still load system certificates when
a chain doesn't match against the configured CA certificates.
That's not intended behavior, since specifically setting the CA
certificates means you don't want the system certificates to be used.

Follow-up to/amends ada2c573c1a25f8d96577734968fe317ddfa292a

This is potentially a breaking change because now, if you ever add a
CA to the default config, it will disable loading system certificates
on demand for all sockets. And the only way to re-enable it is to
create a null-QSslConfiguration and set it as the new default.

Pick-to: 6.5 6.2 5.15
Change-Id: Ic3b2ab125c0cdd58ad654af1cb36173960ce2d1e
Reviewed-by: Timur Pocheptsov <timur.pocheptsov@qt.io>
Gbp-Pq: Name cve-2023-34410-57ba626.diff

qt6-base (6.4.2+dfsg-18) unstable; urgency=medium

  [ Helmut Grohne ]
  * Fix FTCBFS: Do build sqlbrowser. (Closes: #1042709)
  * Move from deprecated QT_BUILD_TOOLS_WHEN_CROSSCOMPILING to
    QT_FORCE_BUILD_TOOLS.

  [ John Paul Adrian Glaubitz ]
  * Add Add-SH-detection.patch in order to restore SH detection
   (Closes: #1043225).

[dgit import unpatched qt6-base 6.4.2+dfsg-18]

Import qt6-base_6.4.2+dfsg-18.debian.tar.xz

[dgit import tarball qt6-base 6.4.2+dfsg-18 qt6-base_6.4.2+dfsg-18.debian.tar.xz]

Import qt6-base_6.4.2+dfsg.orig.tar.xz

[dgit import orig qt6-base_6.4.2+dfsg.orig.tar.xz]