From 098a3d057fe3192502c201c45db749fc08b77e12 Mon Sep 17 00:00:00 2001
From: Carsten Grimm <97085459+carsten-grimm-at-ipolog@users.noreply.github.com>
Date: Tue, 4 Jun 2024 07:56:30 +0200
Subject: [PATCH] [qtnetworkauth] add patch for CVE-2024-36048 (#39056)

Fixes #38968.
- [x] Changes comply with the [maintainer guide](https://github.com/microsoft/vcpkg-docs/blob/main/vcpkg/contributing/maintainer-guide.md).
- [x] SHA512s are updated for each updated download.
- [x] The "supports" clause reflects platforms that may be fixed by this new version.
- [x] Any fixed [CI baseline](https://github.com/microsoft/vcpkg/blob/master/scripts/ci.baseline.txt) entries are removed from that file.
- [x] Any patches that are no longer applied are deleted from the port's directory.
- [x] The version database is fixed by rerunning `./vcpkg x-add-version --all` and committing the result.
- [x] Only one version is added to each modified port's versions file.
Changes:
* added patch for CVE-2024-36048 to `qtnetworkauth`.
---
 .../CVE-2024-36048-qtnetworkauth-6.7.diff | 53 +++++++++++++++++++
 ports/qtnetworkauth/portfile.cmake | 5 +-
 ports/qtnetworkauth/vcpkg.json | 1 +
 versions/baseline.json | 2 +-
 versions/q-/qtnetworkauth.json | 5 ++
 5 files changed, 64 insertions(+), 2 deletions(-)
 create mode 100644 ports/qtnetworkauth/patches/CVE-2024-36048-qtnetworkauth-6.7.diff

diff --git a/ports/qtnetworkauth/patches/CVE-2024-36048-qtnetworkauth-6.7.diff b/ports/qtnetworkauth/patches/CVE-2024-36048-qtnetworkauth-6.7.diff
new file mode 100644
index 0000000000..a6c781e324
--- /dev/null
+++ b/ports/qtnetworkauth/patches/CVE-2024-36048-qtnetworkauth-6.7.diff
@@ -0,0 +1,53 @@
+diff --git a/src/oauth/qabstractoauth.cpp b/src/oauth/qabstractoauth.cpp
+index a3cbea7..f98fd28 100644
+--- a/src/oauth/qabstractoauth.cpp
++++ b/src/oauth/qabstractoauth.cpp
+@@ -11,7 +11,6 @@
+ #include
+ #include
+ #include
+-#include
+ #include
+ #include
+ #include
+@@ -20,6 +19,9 @@
+ #include
+ #include
+ 
++#include
++#include
++
+ #include
+ 
+ QT_BEGIN_NAMESPACE
+@@ -273,15 +275,19 @@ void QAbstractOAuthPrivate::setStatus(QAbstractOAuth::Status newStatus)
+ }
+ }
+ 
++Q_CONSTINIT static QBasicMutex prngMutex;
++Q_GLOBAL_STATIC_WITH_ARGS(std::mt19937, prng, (*QRandomGenerator::system()))
++
+ QByteArray QAbstractOAuthPrivate::generateRandomString(quint8 length)
+ {
+- const char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+- static std::mt19937 randomEngine(QDateTime::currentDateTime().toMSecsSinceEpoch());
++ constexpr char characters[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789";
+ std::uniform_int_distribution distribution(0, sizeof(characters) - 2);
+ QByteArray data;
+ data.reserve(length);
++ auto lock = qt_unique_lock(prngMutex);
+ for (quint8 i = 0; i < length; ++i)
+- data.append(characters[distribution(randomEngine)]);
++ data.append(characters[distribution(*prng)]);
++ lock.unlock();
+ return data;
+ }
+ 
+@@ -591,6 +597,7 @@ void QAbstractOAuth::resourceOwnerAuthorization(const QUrl &url, const QMultiMap
+ }
+ 
+ /*!
++ \threadsafe
+ Generates a random string which could be used as state or nonce.
+ The parameter \a length determines the size of the generated
+ string.
diff --git a/ports/qtnetworkauth/portfile.cmake b/ports/qtnetworkauth/portfile.cmake
index 1a3a6f1bfe..b0f6119e8d 100644
--- a/ports/qtnetworkauth/portfile.cmake
+++ b/ports/qtnetworkauth/portfile.cmake
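Review bot: The patched `generateRandomString` (the `data.append(characters[distribution(*prng)]);` line) still draws from `std::mt19937`, which is not a cryptographically secure generator even once it is seeded from `QRandomGenerator::system()`; OAuth `state`/`nonce` values exist precisely to be unguessable, so drawing from `QRandomGenerator::system()` directly would be the stronger design. Since this file carries Qt's upstream 6.7.1 fix for CVE-2024-36048 verbatim, that is a point to raise upstream rather than a change to make in the port. Separately, as rendered here the `#include` lines carry no header name and `std::uniform_int_distribution` has no template argument; this is presumably an extraction artifact, but the committed file must contain them or the patch will neither apply nor compile.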
@@ -1,7 +1,10 @@
 set(SCRIPT_PATH "${CURRENT_INSTALLED_DIR}/share/qtbase")
 include("${SCRIPT_PATH}/qt_install_submodule.cmake")
 
-set(${PORT}_PATCHES)
+set(${PORT}_PATCHES
+ # CVE fixes from https://download.qt.io/official_releases/qt/6.7/
+ patches/CVE-2024-36048-qtnetworkauth-6.7.diff # fixed in Qt 6.7.1
+)
 
 qt_install_submodule(PATCHES ${${PORT}_PATCHES}
 CONFIGURE_OPTIONS
diff --git a/ports/qtnetworkauth/vcpkg.json b/ports/qtnetworkauth/vcpkg.json
index 3c48bc0b5a..d556b32d0f 100644
--- a/ports/qtnetworkauth/vcpkg.json
+++ b/ports/qtnetworkauth/vcpkg.json
@@ -1,6 +1,7 @@
 {
 "name": "qtnetworkauth",
 "version": "6.7.0",
+ "port-version": 1,
 "description": "Qt Network Authorization provides a set of APIs that enable Qt applications to obtain limited access to online accounts and HTTP services without exposing users' passwords.",
 "homepage": "https://www.qt.io/",
 "license": null,
diff --git a/versions/baseline.json b/versions/baseline.json
index 1f2575e6ad..b239925bab 100644
--- a/versions/baseline.json
+++ b/versions/baseline.json
@@ -7402,7 +7402,7 @@
 },
 "qtnetworkauth": {
 "baseline": "6.7.0",
- "port-version": 0
+ "port-version": 1
 },
 "qtopcua": {
 "baseline": "6.7.0",
diff --git a/versions/q-/qtnetworkauth.json b/versions/q-/qtnetworkauth.json
index c956d1f50d..28028fb7dc 100644
--- a/versions/q-/qtnetworkauth.json
+++ b/versions/q-/qtnetworkauth.json
@@ -1,5 +1,10 @@
 {
 "versions": [
+ {
+ "git-tree": "1dd3e35ef8221a6e7fa7bafeab299e5fe70beed0",
+ "version": "6.7.0",
+ "port-version": 1
+ },
 {
 "git-tree": "d236629382d95c0e6916d99d736676624b7590fa",
 "version": "6.7.0",