Fix for CVE-2025-6338 #13

Merged
jpek42 merged 2 commits into autodesk-forks:adsk-contrib/gec/6.8.3 from dangelog:CVE-2025-6338
Jan 27, 2026
@dangelog commented Jan 22, 2026

These commits implement the fix for CVE-2025-6338.

The first is just some code tidies done in preparation for the actual fix (use a smart pointer instead of a raw pointer).
The second is the actual fix. The code in there depends on the usage of the smart pointer.

In order to avoid any refactoring around security-sensitive code, I've picked them both.

We already have the alias for it, we just never updated the stored
member to use it.

(cherry picked from commit f9fbdba)

The key/certificate lifetime management in our Schannel backend is a
little lacking. We haven't guaranteed that the original contexts are
held alive for the full duration of their usage. Though with default
settings they get persisted to disk so it has been mostly fine.

One problem with that is that the legacy APIs in Windows for this are not
smart enough to figure out that a repeatedly-loaded key is the same one,
so it 'persists' a new file to disk every time we set up a credential
context for a connection. For a busy server this may end up with
creating a ton of small files that don't get deleted (or reused).

By using the ncrypt APIs we don't fully stop persisting _all_ data to
disk, but from testing we now only have one file per key. Regardless of
the amount of connections.

Another patch around lifetimes can be done for dev, and dev only, as
it's quite a bit more extensive, and not fit for picking back to the
LTS branches.

Fixes: QTBUG-136055
Fixes: CVE-2025-6338
(cherry picked from commit 94f0ff7)

@MattPooleyADSK MattPooleyADSK left a comment

These changes match the relevant updates in LGPL Qt 6.9.2 and address the reported CVE.

@jpek42 jpek42 merged commit 3159571 into autodesk-forks:adsk-contrib/gec/6.8.3 Jan 27, 2026