git: 48f4a9b7c9ba - main - net/qt5-networkauth: Address CVE-2024-36048

From: Jason E. Hale <jhale_at_FreeBSD.org>
Date: Sat, 25 May 2024 01:55:30 UTC
The branch main has been updated by jhale:

URL: https://cgit.FreeBSD.org/ports/commit/?id=48f4a9b7c9ba5e2fb1d48c08c438efa5fe2b5565

commit 48f4a9b7c9ba5e2fb1d48c08c438efa5fe2b5565
Author:     Jason E. Hale <jhale@FreeBSD.org>
AuthorDate: 2024-05-25 01:21:10 +0000
Commit:     Jason E. Hale <jhale@FreeBSD.org>
CommitDate: 2024-05-25 01:55:21 +0000

    net/qt5-networkauth: Address CVE-2024-36048
    
    https://www.qt.io/blog/security-advisory-qstringconverter-0
    
    MFH:            2024Q2
    Security:       f5fa174d-19de-11ef-83d8-4ccc6adda413
---
 net/qt5-networkauth/Makefile                       |  1 +
 .../files/patch-src_oauth_qabstractoauth.cpp       | 55 ++++++++++++++++++++++
 2 files changed, 56 insertions(+)

diff --git a/net/qt5-networkauth/Makefile b/net/qt5-networkauth/Makefile
index 2255dfdc9dbf..de0a0948bc2d 100644
--- a/net/qt5-networkauth/Makefile
+++ b/net/qt5-networkauth/Makefile
@@ -1,5 +1,6 @@
 PORTNAME=	networkauth
 PORTVERSION=	${QT5_VERSION}${QT5_KDE_PATCH}
+PORTREVISION=	1
 CATEGORIES=	net
 PKGNAMEPREFIX=	qt5-
 
diff --git a/net/qt5-networkauth/files/patch-src_oauth_qabstractoauth.cpp b/net/qt5-networkauth/files/patch-src_oauth_qabstractoauth.cpp
new file mode 100644
index 000000000000..7bcad530ec0f
--- /dev/null
+++ b/net/qt5-networkauth/files/patch-src_oauth_qabstractoauth.cpp
@@ -0,0 +1,55 @@
+Address CVE-2024-36048.
+
+https://www.qt.io/blog/security-advisory-qstringconverter-0
+
+--- src/oauth/qabstractoauth.cpp.orig	2024-01-04 19:21:59 UTC
++++ src/oauth/qabstractoauth.cpp
+@@ -37,7 +37,6 @@
+ #include <QtCore/qurl.h>
+ #include <QtCore/qpair.h>
+ #include <QtCore/qstring.h>
+-#include <QtCore/qdatetime.h>
+ #include <QtCore/qurlquery.h>
+ #include <QtCore/qjsondocument.h>
+ #include <QtCore/qmessageauthenticationcode.h>
+@@ -46,6 +45,9 @@
+ #include <QtNetwork/qnetworkaccessmanager.h>
+ #include <QtNetwork/qnetworkreply.h>
+ 
++#include <QtCore/qrandom.h>
++#include <QtCore/private/qlocking_p.h>
++
+ #include <random>
+ 
+ Q_DECLARE_METATYPE(QAbstractOAuth::Error)
+@@ -290,15 +292,19 @@ void QAbstractOAuthPrivate::setStatus(QAbstractOAuth::
+     }
+ }
+ 
++static QBasicMutex prngMutex;
++Q_GLOBAL_STATIC_WITH_ARGS(std::mt19937, prng, (*QRandomGenerator::system()))
++
+ QByteArray QAbstractOAuthPrivate::generateRandomString(quint8 length)
+ {
+-    const char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+-    static std::mt19937 randomEngine(QDateTime::currentDateTime().toMSecsSinceEpoch());
++    constexpr char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+     std::uniform_int_distribution<int> distribution(0, sizeof(characters) - 2);
+     QByteArray data;
+     data.reserve(length);
++    auto lock = qt_unique_lock(prngMutex);
+     for (quint8 i = 0; i < length; ++i)
+-        data.append(characters[distribution(randomEngine)]);
++        data.append(characters[distribution(*prng)]);
++    lock.unlock();
+     return data;
+ }
+ 
+@@ -614,6 +620,7 @@ void QAbstractOAuth::resourceOwnerAuthorization(const 
+ }
+ 
+ /*!
++    \threadsafe
+     Generates a random string which could be used as state or nonce.
+     The parameter \a length determines the size of the generated
+     string.
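Review bot: The new `prng` global used by `generateRandomString()` is still a `std::mt19937`, which is not a cryptographic generator, while the doc comment at the end of the patch says the result may serve as an OAuth state or nonce. Seeding it from `QRandomGenerator::system()` removes the guessable timestamp seed, but the engine's later output is not designed to stay unpredictable once enough of it has been observed. Drawing each index from the system generator would avoid that, for example `data.append(characters[QRandomGenerator::system()->bounded(int(sizeof(characters) - 1))]);`, and as far as I can tell it would also make `prngMutex`, the explicit `lock.unlock()` and the private `qlocking_p.h` include unnecessary. If the engine is kept to stay in line with upstream, I would add a comment above `prng` such as `// Seeded from the system RNG; mt19937 itself is not a CSPRNG, do not reuse for key material.`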