[77577] trunk/dports/aqua/qt4-mac

michaelld at macports.org michaelld at macports.org
Mon Apr 4 16:43:11 PDT 2011


Revision: 77577
          http://trac.macports.org/changeset/77577
Author:   michaelld at macports.org
Date:     2011-04-04 16:43:11 -0700 (Mon, 04 Apr 2011)
Log Message:
-----------
qt4-mac: add patches to fix (1) PluginView use of Carbon on PPC64 (and others); (2) blocklist of bad Comodo certs (see comment in Portfile).  Fixes ticket #28993.  Rev bump for (2).

Modified Paths:
--------------
    trunk/dports/aqua/qt4-mac/Portfile

Added Paths:
-----------
    trunk/dports/aqua/qt4-mac/files/patch-PluginView-no-carbon.diff
    trunk/dports/aqua/qt4-mac/files/patch-add-comodo-cert-blocklist.diff

Modified: trunk/dports/aqua/qt4-mac/Portfile
===================================================================
--- trunk/dports/aqua/qt4-mac/Portfile	2011-04-04 19:14:37 UTC (rev 77576)
+++ trunk/dports/aqua/qt4-mac/Portfile	2011-04-04 23:43:11 UTC (rev 77577)
@@ -11,6 +11,7 @@
 name                qt4-mac
 conflicts           qt4-mac-devel
 version             4.7.2
+revision            1
 categories          aqua
 platforms           macosx
 maintainers         michaelld
@@ -79,6 +80,14 @@
 # OSX.  This patch does not change behavior for 10.4 or 10.5.
 patchfiles-append   patch-src-plugins-bearer-corewlan-corewlan.pro.diff
 
+# (6) fix use of CARBON, found on PPC64, but will work on any system
+patchfiles-append   patch-PluginView-no-carbon.diff
+
+# (7) patch for 4.7.2 only; will be incorporated into 4.7.3+
+# See: < http://labs.qt.nokia.com/2011/03/29/security-advisory-fraudulent-certificates/ >
+# the original did not work for me, but this version does.
+patchfiles-append   patch-add-comodo-cert-blocklist.diff
+
 global TARGET
 set TARGET ""
 

Added: trunk/dports/aqua/qt4-mac/files/patch-PluginView-no-carbon.diff
===================================================================
--- trunk/dports/aqua/qt4-mac/files/patch-PluginView-no-carbon.diff	                        (rev 0)
+++ trunk/dports/aqua/qt4-mac/files/patch-PluginView-no-carbon.diff	2011-04-04 23:43:11 UTC (rev 77577)
@@ -0,0 +1,24 @@
+--- src/3rdparty/webkit/WebCore/plugins/PluginView.h.orig	2011-04-02 12:26:20.000000000 -0400
++++ src/3rdparty/webkit/WebCore/plugins/PluginView.h	2011-04-02 12:26:42.000000000 -0400
+@@ -360,7 +360,9 @@
+ 
+         Point m_lastMousePos;
+         void setNPWindowIfNeeded();
++#ifndef NP_NO_CARBON
+         void nullEventTimerFired(Timer<PluginView>*);
++#endif
+         Point globalMousePosForPlugin() const;
+         Point mousePosForPlugin(MouseEvent* event = 0) const;
+ #endif
+--- src/3rdparty/webkit/WebCore/plugins/mac/PluginViewMac.mm.orig	2011-04-02 12:26:06.000000000 -0400
++++ src/3rdparty/webkit/WebCore/plugins/mac/PluginViewMac.mm	2011-04-02 12:30:07.000000000 -0400
+@@ -233,7 +233,9 @@
+         setNPWindowIfNeeded();
+ 
+     // TODO: Implement null timer throttling depending on plugin activation
++#ifndef NP_NO_CARBON
+     m_nullEventTimer.set(new Timer<PluginView>(this, &PluginView::nullEventTimerFired));
++#endif
+     m_nullEventTimer->startRepeating(0.02);
+ 
+     m_lastMousePos.h = m_lastMousePos.v = 0;
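Review bot: In the PluginViewMac.mm hunk the new `#ifndef NP_NO_CARBON` guard covers only the `m_nullEventTimer.set(...)` line, so when NP_NO_CARBON is defined the following `m_nullEventTimer->startRepeating(0.02);` still runs on a timer this code never created. Unless the timer is assigned somewhere outside the hunk, that is a null dereference at plugin start in exactly the configuration the patch targets. Moving the `#endif` one line down, after `m_nullEventTimer->startRepeating(0.02);`, keeps creation and start under the same condition. The enclosing function begins and ends outside the hunk.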

Added: trunk/dports/aqua/qt4-mac/files/patch-add-comodo-cert-blocklist.diff
===================================================================
--- trunk/dports/aqua/qt4-mac/files/patch-add-comodo-cert-blocklist.diff	                        (rev 0)
+++ trunk/dports/aqua/qt4-mac/files/patch-add-comodo-cert-blocklist.diff	2011-04-04 23:43:11 UTC (rev 77577)
@@ -0,0 +1,85 @@
+--- src/network/ssl/qsslcertificate.cpp.orig	2011-04-02 15:06:01.000000000 -0400
++++ src/network/ssl/qsslcertificate.cpp	2011-04-02 15:15:19.000000000 -0400
+@@ -219,17 +219,18 @@
+     Returns true if this certificate is valid; otherwise returns
+     false.
+ 
+-    Note: Currently, this function only checks that the current
+-    data-time is within the date-time range during which the
+-    certificate is considered valid. No other checks are
+-    currently performed.
++    Note: Currently, this function checks that the current
++    certificate is considered valid, and checks that the
++    certificate is not in a blocklist of fraudulent certificates.
+ 
+     \sa isNull()
+ */
+ bool QSslCertificate::isValid() const
+ {
+     const QDateTime currentTime = QDateTime::currentDateTime();
+-    return currentTime >= d->notValidBefore && currentTime <= d->notValidAfter;
++    return currentTime >= d->notValidBefore &&
++      currentTime <= d->notValidAfter &&
++      ! QSslCertificatePrivate::isBlocklisted(*this);
+ }
+ 
+ /*!
+@@ -798,6 +799,31 @@
+     return certificates;
+ }
+ 
++// These certificates are known to be fraudulent and were created
++// during the comodo compromise. See
++// http://www.comodo.com/Comodo-Fraud-Incident-2011-03-23.html
++static const char *certificate_blocklist[] = {
++  "04:7e:cb:e9:fc:a5:5f:7b:d0:9e:ae:36:e1:0c:ae:1e",
++  "f5:c8:6a:f3:61:62:f1:3a:64:f5:4f:6d:c9:58:7c:06",
++  "d7:55:8f:da:f5:f1:10:5b:b2:13:28:2b:70:77:29:a3",
++  "39:2a:43:4f:0e:07:df:1f:8a:a3:05:de:34:e0:c2:29",
++  "3e:75:ce:d4:6b:69:30:21:21:88:30:ae:86:a8:2a:71",
++  "e9:02:8b:95:78:e4:15:dc:1a:71:0a:2b:88:15:44:47",
++  "92:39:d5:34:8f:40:d1:69:5a:74:54:70:e1:f2:3f:43",
++  "b0:b7:13:3e:d0:96:f9:b5:6f:ae:91:c8:74:bd:3a:c0",
++  "d8:f3:5f:4e:b7:87:2b:2d:ab:06:92:e3:15:38:2f:b0",
++  0
++};
++
++bool QSslCertificatePrivate::isBlocklisted(const QSslCertificate &certificate)
++{
++  for (int a = 0; certificate_blocklist[a] != 0; a++) {
++    if (certificate.serialNumber() == certificate_blocklist[a])
++      return true;
++  }
++  return false;
++}
++
+ #ifndef QT_NO_DEBUG_STREAM
+ QDebug operator<<(QDebug debug, const QSslCertificate &certificate)
+ {
+--- src/network/ssl/qsslcertificate_p.h.orig	2011-04-02 15:06:20.000000000 -0400
++++ src/network/ssl/qsslcertificate_p.h	2011-04-02 15:14:55.000000000 -0400
+@@ -96,6 +96,7 @@
+     static QSslCertificate QSslCertificate_from_X509(X509 *x509);
+     static QList<QSslCertificate> certificatesFromPem(const QByteArray &pem, int count = -1);
+     static QList<QSslCertificate> certificatesFromDer(const QByteArray &der, int count = -1);
++    static bool isBlocklisted(const QSslCertificate &certificate);
+ 
+     friend class QSslSocketBackendPrivate;
+ 
+--- src/network/ssl/qsslsocket_openssl.cpp.orig	2011-04-02 15:06:39.000000000 -0400
++++ src/network/ssl/qsslsocket_openssl.cpp	2011-04-02 15:14:50.000000000 -0400
+@@ -1184,6 +1184,14 @@
+     configuration.peerCertificate = QSslCertificatePrivate::QSslCertificate_from_X509(x509);
+     q_X509_free(x509);
+ 
++    if (QSslCertificatePrivate::isBlocklisted(configuration.peerCertificate)) {
++      q->setErrorString(QSslSocket::tr("The peer certificate is blocklisted"));
++      q->setSocketError(QAbstractSocket::SslHandshakeFailedError);
++      emit q->error(QAbstractSocket::SslHandshakeFailedError);
++      plainSocket->disconnectFromHost();
++      return false;
++    }
++
+     // Start translating errors.
+     QList<QSslError> errors;
+     bool doVerifyPeer = configuration.peerVerifyMode == QSslSocket::VerifyPeer
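Review bot: `isBlocklisted()` only works if `certificate.serialNumber()` returns exactly the lowercase, colon-separated hex form used in `certificate_blocklist`; nothing in this patch sets or checks that format, and `serialNumber()` is defined outside it. If it returns decimal, uppercase or unseparated hex for these 128-bit serials, the comparison never matches, and both the `isValid()` change and the handshake rejection in qsslsocket_openssl.cpp silently do nothing. I would state the dependency above the array, e.g. `// entries must match QSslCertificate::serialNumber() byte for byte (lowercase hex, ':' separated)`, and add a test that loads a certificate carrying one of these serials and expects `isValid()` to return false. Matching is by serial alone, without the issuer, so the comment should also say the list is meant only for certificates from the one compromised issuer.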