From d7555ade4d37d0c9a772f97b1c381ebb50ef5879 Mon Sep 17 00:00:00 2001
From: Than Ngo <than@redhat.com>
Date: Fri, 9 Jun 2023 15:29:40 +0000
Subject: [PATCH] fix #2212749, CVE-2023-34410

Gbp-Pq: Name CVE-2023-34410.patch
---
 src/network/ssl/qsslsocket.cpp | 5 +++++
 1 file changed, 5 insertions(+)

diff --git a/src/network/ssl/qsslsocket.cpp b/src/network/ssl/qsslsocket.cpp
index c262f2214..d868d043f 100644
--- a/src/network/ssl/qsslsocket.cpp
+++ b/src/network/ssl/qsslsocket.cpp
@@ -1863,6 +1863,10 @@ QSslSocketPrivate::QSslSocketPrivate()
     , plainSocket(0)
 {
     QSslConfigurationPrivate::deepCopyDefaultConfiguration(&configuration);
+    // If the global configuration doesn't allow root certificates to be loaded
+    // on demand then we have to disable it for this socket as well.
+    if (!configuration.allowRootCertOnDemandLoading)
+        allowRootCertOnDemandLoading = false;
 }
 
 /*!
@@ -2041,6 +2045,7 @@ void QSslConfigurationPrivate::deepCopyDefaultConfiguration(QSslConfigurationPri
     ptr->sessionCipher = global->sessionCipher;
     ptr->ciphers = global->ciphers;
     ptr->caCertificates = global->caCertificates;
+    ptr->allowRootCertOnDemandLoading = global->allowRootCertOnDemandLoading;
     ptr->protocol = global->protocol;
     ptr->peerVerifyMode = global->peerVerifyMode;
     ptr->peerVerifyDepth = global->peerVerifyDepth;
-- 
2.30.2