From 4401d89fad15d52076bec86ab50f60f34eb1507d Mon Sep 17 00:00:00 2001
From: CBL-Mariner-Bot <75509084+CBL-Mariner-Bot@users.noreply.github.com>
Date: Fri, 25 Oct 2024 14:41:25 -0400
Subject: [PATCH] [AUTO-CHERRYPICK] Added Patch CVE-2022-25255 for qt5-qtbase - branch main (#10835)
Co-authored-by: Mykhailo Bykhovtsev <108374904+mbykhovtsev-ms@users.noreply.github.com>
---
 SPECS/qt5-qtbase/CVE-2022-25255.patch | 71 +++++++++++++++++++++++++++
 SPECS/qt5-qtbase/qt5-qtbase.spec | 8 ++-
 2 files changed, 78 insertions(+), 1 deletion(-)
 create mode 100644 SPECS/qt5-qtbase/CVE-2022-25255.patch
diff --git a/SPECS/qt5-qtbase/CVE-2022-25255.patch b/SPECS/qt5-qtbase/CVE-2022-25255.patch
new file mode 100644
index 00000000000..0aebb8feab2
--- /dev/null
+++ b/SPECS/qt5-qtbase/CVE-2022-25255.patch
@@ -0,0 +1,71 @@
+From 926c72f641cd122e1e8fc9f92f0fea885d3c8ede Mon Sep 17 00:00:00 2001
+From: Mykhailo Bykhovtsev
+Date: Wed, 23 Oct 2024 16:13:23 -0700
+Subject: [PATCH] patch CVE-2022-25255
+Patch taken from https://download.qt.io/official_releases/qt/5.15/qprocess5-15.diff
+
+---
+ src/corelib/io/qprocess_unix.cpp | 28 +++++++++++++++-------------
+ 1 file changed, 15 insertions(+), 13 deletions(-)
+
+diff --git a/src/corelib/io/qprocess_unix.cpp b/src/corelib/io/qprocess_unix.cpp
+index 7a2daa2a..29b771a1 100644
+--- a/src/corelib/io/qprocess_unix.cpp
++++ b/src/corelib/io/qprocess_unix.cpp
+@@ -1,7 +1,7 @@
+ /****************************************************************************
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2016 Intel Corporation.
++** Copyright (C) 2022 Intel Corporation.
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -422,14 +422,15 @@ void QProcessPrivate::startProcess()
+ // Add the program name to the argument list.
+ argv[0] = nullptr;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty()) {
+- const QByteArray &tmp = QFile::encodeName(exeFilePath);
+- argv[0] = ::strdup(tmp.constData());
+- }
+- }
+- if (!argv[0])
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
+ argv[0] = ::strdup(encodedProgramName.constData());
++ }
+
+ // Add every argument to the list
+ for (int i = 0; i < arguments.count(); ++i)
+@@ -975,15 +976,16 @@ bool QProcessPrivate::startDetached(qint64 *pid)
+ envp = _q_dupEnvironment(environment.d.constData()->vars, &envc);
+ }
+
+- QByteArray tmp;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty())
+- tmp = QFile::encodeName(exeFilePath);
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
++ argv[0] = ::strdup(QFile::encodeName(program));
+ }
+- if (tmp.isEmpty())
+- tmp = QFile::encodeName(program);
+- argv[0] = tmp.data();
+
+ if (envp)
+ qt_safe_execve(argv[0], argv, envp);
+--
+2.34.1
+
diff --git a/SPECS/qt5-qtbase/qt5-qtbase.spec b/SPECS/qt5-qtbase/qt5-qtbase.spec
index 858d8648543..92bbd923e49 100644
--- a/SPECS/qt5-qtbase/qt5-qtbase.spec
+++ b/SPECS/qt5-qtbase/qt5-qtbase.spec
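Review bot: The patch header gives the upstream 5.15 diff as its source, but the spec applies it to Version 5.12.11 and the inner `From:`/`Date:` and `index 7a2daa2a..29b771a1` lines suggest it was regenerated locally, so the header should record how it differs from upstream. A line such as `Backported to 5.12.11 from qprocess5-15.diff; <list rebased, modified or dropped hunks>` lets a later audit confirm the CVE-2022-25255 fix is complete on this branch. In the startDetached hunk the copied comment says the not-found case is handled "much later", yet the next visible statement hands the empty `argv[0]` to `qt_safe_execve`, so the fix there appears to rely on exec rejecting an empty path; a regression test that a program missing from $PATH is not started from the working directory would pin that. Both patched functions start and end outside their hunks.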
@@ -33,7 +33,7 @@ Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.12.11 -Release: 13%{?dist} +Release: 14%{?dist} # See LICENSE.GPL3-EXCEPT.txt, for exception details License: GFDL AND LGPLv3 AND GPLv2 AND GPLv3 with exceptions AND QT License Agreement 4.0 Vendor: Microsoft Corporation @@ -163,6 +163,8 @@ Patch90: CVE-2022-25643.patch Patch91: qt5-qtbase-5.15-http-encrypted-signal.patch Patch92: CVE-2024-39936.patch +Patch93: CVE-2022-25255.patch + # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. # Those themes are there for platform integration. If the required libraries are # not there, the platform to integrate with isn't either. Then Qt will just @@ -276,6 +278,7 @@ Qt5 libraries used for drawing widgets and OpenGL items. %patch90 -p1 %patch91 -p1 %patch92 -p1 +%patch93 -p1 ## upstream patches @@ -781,6 +784,9 @@ fi %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QXdgDesktopPortalThemePlugin.cmake %changelog +* Wed Oct 23 2024 Mykhailo Bykhovtsev - 5.12.11-14 +- Add patch to resolve CVE-2022-25255. + * Wed Aug 07 2024 Sumedh Sharma - 5.12.11-13 - Add patch to resolve CVE-2024-39936.