-
Notifications
You must be signed in to change notification settings - Fork 546
Commit
This commit does not belong to any branch on this repository, and may belong to a fork outside of the repository.
[AUTO-CHERRYPICK] Added Patch CVE-2022-25255 for qt5-qtbase - branch …
…main (#10835) Co-authored-by: Mykhailo Bykhovtsev <[email protected]>
- Loading branch information
1 parent
4dd3ddf
commit 4401d89
Showing
2 changed files
with
78 additions
and
1 deletion.
There are no files selected for viewing
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
| @@ -0,0 +1,71 @@ | ||
| From 926c72f641cd122e1e8fc9f92f0fea885d3c8ede Mon Sep 17 00:00:00 2001 | ||
| From: Mykhailo Bykhovtsev <[email protected]> | ||
| Date: Wed, 23 Oct 2024 16:13:23 -0700 | ||
| Subject: [PATCH] patch CVE-2022-25255 | ||
| Patch taken from https://download.qt.io/official_releases/qt/5.15/qprocess5-15.diff | ||
|
|
||
| --- | ||
| src/corelib/io/qprocess_unix.cpp | 28 +++++++++++++++------------- | ||
| 1 file changed, 15 insertions(+), 13 deletions(-) | ||
|
|
||
| diff --git a/src/corelib/io/qprocess_unix.cpp b/src/corelib/io/qprocess_unix.cpp | ||
| index 7a2daa2a..29b771a1 100644 | ||
| --- a/src/corelib/io/qprocess_unix.cpp | ||
| +++ b/src/corelib/io/qprocess_unix.cpp | ||
| @@ -1,7 +1,7 @@ | ||
| /**************************************************************************** | ||
| ** | ||
| ** Copyright (C) 2016 The Qt Company Ltd. | ||
| -** Copyright (C) 2016 Intel Corporation. | ||
| +** Copyright (C) 2022 Intel Corporation. | ||
| ** Contact: https://www.qt.io/licensing/ | ||
| ** | ||
| ** This file is part of the QtCore module of the Qt Toolkit. | ||
| @@ -422,14 +422,15 @@ void QProcessPrivate::startProcess() | ||
| // Add the program name to the argument list. | ||
| argv[0] = nullptr; | ||
| if (!program.contains(QLatin1Char('/'))) { | ||
| + // findExecutable() returns its argument if it's an absolute path, | ||
| + // otherwise it searches $PATH; returns empty if not found (we handle | ||
| + // that case much later) | ||
| const QString &exeFilePath = QStandardPaths::findExecutable(program); | ||
| - if (!exeFilePath.isEmpty()) { | ||
| - const QByteArray &tmp = QFile::encodeName(exeFilePath); | ||
| - argv[0] = ::strdup(tmp.constData()); | ||
| - } | ||
| - } | ||
| - if (!argv[0]) | ||
| + const QByteArray &tmp = QFile::encodeName(exeFilePath); | ||
| + argv[0] = ::strdup(tmp.constData()); | ||
| + } else { | ||
| argv[0] = ::strdup(encodedProgramName.constData()); | ||
| + } | ||
|
|
||
| // Add every argument to the list | ||
| for (int i = 0; i < arguments.count(); ++i) | ||
| @@ -975,15 +976,16 @@ bool QProcessPrivate::startDetached(qint64 *pid) | ||
| envp = _q_dupEnvironment(environment.d.constData()->vars, &envc); | ||
| } | ||
|
|
||
| - QByteArray tmp; | ||
| if (!program.contains(QLatin1Char('/'))) { | ||
| + // findExecutable() returns its argument if it's an absolute path, | ||
| + // otherwise it searches $PATH; returns empty if not found (we handle | ||
| + // that case much later) | ||
| const QString &exeFilePath = QStandardPaths::findExecutable(program); | ||
| - if (!exeFilePath.isEmpty()) | ||
| - tmp = QFile::encodeName(exeFilePath); | ||
| + const QByteArray &tmp = QFile::encodeName(exeFilePath); | ||
| + argv[0] = ::strdup(tmp.constData()); | ||
| + } else { | ||
| + argv[0] = ::strdup(QFile::encodeName(program)); | ||
| } | ||
| - if (tmp.isEmpty()) | ||
| - tmp = QFile::encodeName(program); | ||
| - argv[0] = tmp.data(); | ||
|
|
||
| if (envp) | ||
| qt_safe_execve(argv[0], argv, envp); | ||
| -- | ||
| 2.34.1 | ||
|
|
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
| Original file line number | Diff line number | Diff line change |
|---|---|---|
|
|
@@ -33,7 +33,7 @@ | |
| Name: qt5-qtbase | ||
| Summary: Qt5 - QtBase components | ||
| Version: 5.12.11 | ||
| Release: 13%{?dist} | ||
| Release: 14%{?dist} | ||
| # See LICENSE.GPL3-EXCEPT.txt, for exception details | ||
| License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0 | ||
| Vendor: Microsoft Corporation | ||
|
|
@@ -163,6 +163,8 @@ Patch90: CVE-2022-25643.patch | |
| Patch91: qt5-qtbase-5.15-http-encrypted-signal.patch | ||
| Patch92: CVE-2024-39936.patch | ||
|
|
||
| Patch93: CVE-2022-25255.patch | ||
|
|
||
| # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. | ||
| # Those themes are there for platform integration. If the required libraries are | ||
| # not there, the platform to integrate with isn't either. Then Qt will just | ||
|
|
@@ -276,6 +278,7 @@ Qt5 libraries used for drawing widgets and OpenGL items. | |
| %patch90 -p1 | ||
| %patch91 -p1 | ||
| %patch92 -p1 | ||
| %patch93 -p1 | ||
|
|
||
| ## upstream patches | ||
|
|
||
|
|
@@ -781,6 +784,9 @@ fi | |
| %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake | ||
|
|
||
| %changelog | ||
| * Wed Oct 23 2024 Mykhailo Bykhovtsev <[email protected]> - 5.12.11-14 | ||
| - Add patch to resolve CVE-2022-25255. | ||
|
|
||
| * Wed Aug 07 2024 Sumedh Sharma <[email protected]> - 5.12.11-13 | ||
| - Add patch to resolve CVE-2024-39936. | ||
|
|
||
|
|
||