- fixed bz#1348507 - Arbitrary code execution due to insecure loading

of Python module from CWD

pylupdate5.sh

@@ -1,8 +1,8 @@
 #!/bin/sh
-@PYTHON3@ -c "import PyQt5.pylupdate_main" &> /dev/null
+@PYTHON3@ -Ic "import PyQt5.pylupdate_main" &> /dev/null
 if [ $? -eq 0 ]; then
-  exec @PYTHON3@ -m PyQt5.pylupdate_main ${1+"$@"}
+  exec @PYTHON3@ -Im PyQt5.pylupdate_main ${1+"$@"}
 else
-  exec @PYTHON2@ -m PyQt5.pylupdate_main ${1+"$@"}
+  exec @PYTHON2@ -Esm PyQt5.pylupdate_main ${1+"$@"}
 
 fi

pyrcc5.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
-@PYTHON3@ -c "import PyQt5.pyrcc_main" &> /dev/null
+@PYTHON3@ -Ic "import PyQt5.pyrcc_main" &> /dev/null
 if [ $? -eq 0 ]; then
-  exec @PYTHON3@ -m PyQt5.pyrcc_main ${1+"$@"}
+  exec @PYTHON3@ -Im PyQt5.pyrcc_main ${1+"$@"}
 else
-  exec @PYTHON2@ -m PyQt5.pyrcc_main ${1+"$@"}
+  exec @PYTHON2@ -Esm PyQt5.pyrcc_main ${1+"$@"}
 fi

python-qt5.spec

@@ -18,9 +18,9 @@
 %global rpm_macros_dir %(d=%{_rpmconfigdir}/macros.d; [ -d $d ] || d=%{_sysconfdir}/rpm; echo $d)
 
 Summary: PyQt5 is Python bindings for Qt5
-Name: 	 python-qt5 
+Name:    python-qt5 
 Version: 5.9
-Release: 2%{?dist}
+Release: 3%{?dist}
 
 # all BSD, except for GPLv2+ dbus bindings and examples
 License: BSD and GPLv2+
@@ -456,6 +456,10 @@ sed -i \
 
 
 %changelog
+* Wed Jul 26 2017 Than Ngo <than@redhat.com> - 5.9-3
+- fixed bz#1348507 - Arbitrary code execution due to insecure loading
+  of Python module from CWD
+
 * Wed Jul 19 2017 Rex Dieter <rdieter@fedoraproject.org> - 5.9-2
 - rebuild (qt5)
 

pyuic5.sh

@@ -1,7 +1,7 @@
 #!/bin/sh
-@PYTHON3@ -c "import PyQt5.uic.pyuic" &> /dev/null
+@PYTHON3@ -Ic "import PyQt5.uic.pyuic" &> /dev/null
 if [ $? -eq 0 ]; then
-  exec @PYTHON3@ -m PyQt5.uic.pyuic ${1+"$@"}
+  exec @PYTHON3@ -Im PyQt5.uic.pyuic ${1+"$@"}
 else
-  exec @PYTHON2@ -m PyQt5.uic.pyuic ${1+"$@"}
+  exec @PYTHON2@ -Esm PyQt5.uic.pyuic ${1+"$@"}
 fi