rpms/qt5-qtbase
6
0
Fork 0
Code Issues Pull Requests Releases Activity

Fixed CVE-2022-25255

Browse Source
This commit is contained in:
Than Ngo 2022-02-17 14:48:25 +01:00
parent 9350a6e028
commit 97633f061d
2 changed files with 41 additions and 1 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

7
qt5-qtbase.spec
View File

@ -58,7 +58,7 @@ BuildRequires: pkgconfig(libsystemd)
Name: qt5-qtbase Name: qt5-qtbase
Summary: Qt5 - QtBase components Summary: Qt5 - QtBase components
Version: 5.15.2 Version: 5.15.2
Release: 34%{?dist} Release: 35%{?dist}
# See LGPL_EXCEPTIONS.txt, for exception details # See LGPL_EXCEPTIONS.txt, for exception details
License: LGPLv2 with exceptions or GPLv3 with exceptions License: LGPLv2 with exceptions or GPLv3 with exceptions
@ -147,6 +147,7 @@ Patch100: kde-5.15-rollup-20220131.patch.gz
# HACK to make 'fedpkg sources' consider it 'used" # HACK to make 'fedpkg sources' consider it 'used"
Source100: kde-5.15-rollup-20220131.patch.gz Source100: kde-5.15-rollup-20220131.patch.gz
Patch101: 0068-Bump-version.patch Patch101: 0068-Bump-version.patch
Patch102: qtbase-everywhere-src-5.15.2-CVE-2022-2525.patch
# Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
# Those themes are there for platform integration. If the required libraries are # Those themes are there for platform integration. If the required libraries are
@ -422,6 +423,7 @@ Qt5 libraries used for drawing widgets and OpenGL items.
%patch100 -p1 %patch100 -p1
# revert version bump # revert version bump
%patch101 -p1 -R %patch101 -p1 -R
%patch102 -p1
# move some bundled libs to ensure they're not accidentally used # move some bundled libs to ensure they're not accidentally used
pushd src/3rdparty pushd src/3rdparty
@ -1095,6 +1097,9 @@ fi
%changelog %changelog
* Thu Feb 17 2022 Than Ngo <than@redhat.com> - 5.15.2-35
- Fixed CVE-2022-25255
* Mon Jan 31 2022 Jan Grulich <jgrulich@redhat.com> - 5.15.2-34 * Mon Jan 31 2022 Jan Grulich <jgrulich@redhat.com> - 5.15.2-34
- refresh kde-5.15-rollup patch - refresh kde-5.15-rollup patch

35
qtbase-everywhere-src-5.15.2-CVE-2022-2525.patch Normal file
View File

@ -0,0 +1,35 @@
diff --git a/src/corelib/io/qprocess_unix.cpp b/src/corelib/io/qprocess_unix.cpp
index 7a2daa2..cfd1ca3 100644
--- a/src/corelib/io/qprocess_unix.cpp
+++ b/src/corelib/io/qprocess_unix.cpp
@@ -422,11 +422,11 @@
// Add the program name to the argument list.
argv[0] = nullptr;
if (!program.contains(QLatin1Char('/'))) {
+ // findExecutable() returns its argument if it's an absolute path,
+ // otherwise it searches $PATH; returns empty if not found (we handle
+ // that case much later)
const QString &exeFilePath = QStandardPaths::findExecutable(program);
- if (!exeFilePath.isEmpty()) {
- const QByteArray &tmp = QFile::encodeName(exeFilePath);
- argv[0] = ::strdup(tmp.constData());
- }
+ argv[0] = ::strdup(QFile::encodeName(exeFilePath).constData());
}
if (!argv[0])
argv[0] = ::strdup(encodedProgramName.constData());
@@ -978,11 +978,10 @@
QByteArray tmp;
if (!program.contains(QLatin1Char('/'))) {
const QString &exeFilePath = QStandardPaths::findExecutable(program);
- if (!exeFilePath.isEmpty())
- tmp = QFile::encodeName(exeFilePath);
- }
- if (tmp.isEmpty())
+ tmp = QFile::encodeName(exeFilePath);
+ } else {
tmp = QFile::encodeName(program);
+ }
argv[0] = tmp.data();
if (envp)