From 97633f061d7b02e124d2df20cd54b00eb85d6555 Mon Sep 17 00:00:00 2001
From: Than Ngo <than@redhat.com>
Date: Thu, 17 Feb 2022 14:48:25 +0100
Subject: [PATCH] Fixed CVE-2022-25255

---
 qt5-qtbase.spec                               |  7 +++-
 ...-everywhere-src-5.15.2-CVE-2022-2525.patch | 35 +++++++++++++++++++
 2 files changed, 41 insertions(+), 1 deletion(-)
 create mode 100644 qtbase-everywhere-src-5.15.2-CVE-2022-2525.patch

diff --git a/qt5-qtbase.spec b/qt5-qtbase.spec
index 8804daa..c317bdf 100644
--- a/qt5-qtbase.spec
+++ b/qt5-qtbase.spec
@@ -58,7 +58,7 @@ BuildRequires: pkgconfig(libsystemd)
 Name:    qt5-qtbase
 Summary: Qt5 - QtBase components
 Version: 5.15.2
-Release: 34%{?dist}
+Release: 35%{?dist}
 
 # See LGPL_EXCEPTIONS.txt, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -147,6 +147,7 @@ Patch100: kde-5.15-rollup-20220131.patch.gz
 # HACK to make 'fedpkg sources' consider it 'used"
 Source100: kde-5.15-rollup-20220131.patch.gz
 Patch101: 0068-Bump-version.patch
+Patch102: qtbase-everywhere-src-5.15.2-CVE-2022-2525.patch
 
 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
@@ -422,6 +423,7 @@ Qt5 libraries used for drawing widgets and OpenGL items.
 %patch100 -p1
 # revert version bump
 %patch101 -p1 -R
+%patch102 -p1
 
 # move some bundled libs to ensure they're not accidentally used
 pushd src/3rdparty
@@ -1095,6 +1097,9 @@ fi
 
 
 %changelog
+* Thu Feb 17 2022 Than Ngo <than@redhat.com> - 5.15.2-35
+- Fixed CVE-2022-25255
+
 * Mon Jan 31 2022 Jan Grulich <jgrulich@redhat.com> - 5.15.2-34
 - refresh kde-5.15-rollup patch
 
diff --git a/qtbase-everywhere-src-5.15.2-CVE-2022-2525.patch b/qtbase-everywhere-src-5.15.2-CVE-2022-2525.patch
new file mode 100644
index 0000000..998b25a
--- /dev/null
+++ b/qtbase-everywhere-src-5.15.2-CVE-2022-2525.patch
@@ -0,0 +1,35 @@
+diff --git a/src/corelib/io/qprocess_unix.cpp b/src/corelib/io/qprocess_unix.cpp
+index 7a2daa2..cfd1ca3 100644
+--- a/src/corelib/io/qprocess_unix.cpp
++++ b/src/corelib/io/qprocess_unix.cpp
+@@ -422,11 +422,11 @@
+     // Add the program name to the argument list.
+     argv[0] = nullptr;
+     if (!program.contains(QLatin1Char('/'))) {
++        // findExecutable() returns its argument if it's an absolute path,
++        // otherwise it searches $PATH; returns empty if not found (we handle
++        // that case much later)
+         const QString &exeFilePath = QStandardPaths::findExecutable(program);
+-        if (!exeFilePath.isEmpty()) {
+-            const QByteArray &tmp = QFile::encodeName(exeFilePath);
+-            argv[0] = ::strdup(tmp.constData());
+-        }
++        argv[0] = ::strdup(QFile::encodeName(exeFilePath).constData());
+     }
+     if (!argv[0])
+         argv[0] = ::strdup(encodedProgramName.constData());
+@@ -978,11 +978,10 @@
+             QByteArray tmp;
+             if (!program.contains(QLatin1Char('/'))) {
+                 const QString &exeFilePath = QStandardPaths::findExecutable(program);
+-                if (!exeFilePath.isEmpty())
+-                    tmp = QFile::encodeName(exeFilePath);
+-            }
+-            if (tmp.isEmpty())
++                tmp = QFile::encodeName(exeFilePath);
++            } else {
+                 tmp = QFile::encodeName(program);
++            }
+             argv[0] = tmp.data();
+ 
+             if (envp)