NetCube-Systems-Austria/kumquat-buildroot
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity
f0b208f125
kumquat-buildroot/package/qt5/qt5base/5.12.5/0003-Do-not-load-plugin-from-the-PWD.patch
Peter Seiderer f5e4100c08 package/qt5base: add upstream security patches for latest variant 
Fixed the following security issue:

- CVE-2020-0569: QPluginLoader in Qt versions 5.0.0 through 5.13.2 would
  search for certain plugins first on the current working directory of the
  application, which allows an attacker that can place files in the file
  system and influence the working directory of Qt-based applications to
  load and execute malicious code.  This issue was verified on macOS and
  Linux and probably affects all other Unix operating systems.  This issue
  does not affect Windows.

- CVE-2020-0570: QLibrary in Qt versions 5.12.0 through 5.14.0, on certain
  x86 machines, would search for certain libraries and plugins relative to
  current working directory of the application, which allows an attacker
  that can place files in the file system and influence the working
  directory of Qt-based applications to load and execute malicious code.
  This issue was verified on Linux and probably affects all Unix operating
  systems, other than macOS (Darwin).  This issue does not affect Windows.

For details, see the advisory:
https://www.openwall.com/lists/oss-security/2020/01/30/1

Signed-off-by: Peter Seiderer <ps.report@gmx.net>
[Peter: extend commit message]
Signed-off-by: Peter Korsgaard <peter@korsgaard.com>
2020-02-01 23:45:33 +01:00

33 lines
1.2 KiB
Diff
Raw Blame History

From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001
From: Olivier Goffart <ogoffart@woboq.com>
Date: Fri, 8 Nov 2019 11:30:40 +0100
Subject: [PATCH] Do not load plugin from the $PWD
I see no reason why this would make sense to look for plugins in the current
directory. And when there are plugins there, it may actually be wrong
Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5
Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
Upstream: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
src/corelib/plugin/qpluginloader.cpp | 1 -
1 file changed, 1 deletion(-)
diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
index cadff4f32b..c2443dbdda 100644
--- a/src/corelib/plugin/qpluginloader.cpp
+++ b/src/corelib/plugin/qpluginloader.cpp
@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName)
paths.append(fileName.left(slash)); // don't include the '/'
} else {
paths = QCoreApplication::libraryPaths();
- paths.prepend(QStringLiteral(".")); // search in current dir first
}
for (const QString &path : qAsConst(paths)) {
--
2.25.0
Reference in New Issue View Git Blame Copy Permalink