diff --git a/SOURCES/qtbase-add-expansion-limit-for-entities.patch b/SOURCES/qtbase-add-expansion-limit-for-entities.patch new file mode 100644 index 0000000..162ad91 --- /dev/null +++ b/SOURCES/qtbase-add-expansion-limit-for-entities.patch @@ -0,0 +1,146 @@ +From f432c08882ffebe5074ea28de871559a98a4d094 Mon Sep 17 00:00:00 2001 +From: Lars Knoll +Date: Wed, 26 Feb 2020 10:42:10 +0100 +Subject: Add an expansion limit for entities + +Recursively defined entities can easily exhaust all available +memory. Limit entity expansion to a default of 4096 characters to +avoid DoS attacks when a user loads untrusted content. + +[ChangeLog][QtCore][QXmlStream] QXmlStreamReader does now +limit the expansion of entities to 4096 characters. Documents where +a single entity expands to more characters than the limit are not +considered well formed. The limit is there to avoid DoS attacks through +recursively expanding entities when loading untrusted content. Qt 5.15 +will add methods that allow changing that limit. + +Fixes: QTBUG-47417 +Change-Id: I94387815d74fcf34783e136387ee57fac5ded0c9 +Reviewed-by: Oswald Buddenhagen +Reviewed-by: Volker Hilsheimer +(cherry picked from commit fd4be84d23a0db4186cb42e736a9de3af722c7f7) +Reviewed-by: Eirik Aavitsland +--- + src/corelib/serialization/qxmlstream.g | 14 ++++++++++++- + src/corelib/serialization/qxmlstream_p.h | 14 ++++++++++++- + .../serialization/qxmlstream/tst_qxmlstream.cpp | 23 ++++++++++++++++++++-- + 3 files changed, 47 insertions(+), 4 deletions(-) + +diff --git a/src/corelib/serialization/qxmlstream.g b/src/corelib/serialization/qxmlstream.g +index 10bfcd491c..5726bafb26 100644 +--- a/src/corelib/serialization/qxmlstream.g ++++ b/src/corelib/serialization/qxmlstream.g +@@ -277,9 +277,19 @@ public: + QHash entityHash; + QHash parameterEntityHash; + QXmlStreamSimpleStackentityReferenceStack; ++ int entityExpansionLimit = 4096; ++ int entityLength = 0; + inline bool referenceEntity(Entity &entity) { + if (entity.isCurrentlyReferenced) { +- raiseWellFormedError(QXmlStream::tr("Recursive entity detected.")); ++ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected.")); ++ return false; ++ } ++ // entityLength represents the amount of additional characters the ++ // entity expands into (can be negative for e.g. &). It's used to ++ // avoid DoS attacks through recursive entity expansions ++ entityLength += entity.value.size() - entity.name.size() - 2; ++ if (entityLength > entityExpansionLimit) { ++ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit.")); + return false; + } + entity.isCurrentlyReferenced = true; +@@ -830,6 +840,8 @@ entity_done ::= ENTITY_DONE; + /. + case $rule_number: + entityReferenceStack.pop()->isCurrentlyReferenced = false; ++ if (entityReferenceStack.isEmpty()) ++ entityLength = 0; + clearSym(); + break; + ./ +diff --git a/src/corelib/serialization/qxmlstream_p.h b/src/corelib/serialization/qxmlstream_p.h +index 61f501f81b..31053f8e0b 100644 +--- a/src/corelib/serialization/qxmlstream_p.h ++++ b/src/corelib/serialization/qxmlstream_p.h +@@ -774,9 +774,19 @@ public: + QHash entityHash; + QHash parameterEntityHash; + QXmlStreamSimpleStackentityReferenceStack; ++ int entityExpansionLimit = 4096; ++ int entityLength = 0; + inline bool referenceEntity(Entity &entity) { + if (entity.isCurrentlyReferenced) { +- raiseWellFormedError(QXmlStream::tr("Recursive entity detected.")); ++ raiseWellFormedError(QXmlStream::tr("Self-referencing entity detected.")); ++ return false; ++ } ++ // entityLength represents the amount of additional characters the ++ // entity expands into (can be negative for e.g. &). It's used to ++ // avoid DoS attacks through recursive entity expansions ++ entityLength += entity.value.size() - entity.name.size() - 2; ++ if (entityLength > entityExpansionLimit) { ++ raiseWellFormedError(QXmlStream::tr("Entity expands to more characters than the entity expansion limit.")); + return false; + } + entity.isCurrentlyReferenced = true; +@@ -1308,6 +1318,8 @@ bool QXmlStreamReaderPrivate::parse() + + case 10: + entityReferenceStack.pop()->isCurrentlyReferenced = false; ++ if (entityReferenceStack.isEmpty()) ++ entityLength = 0; + clearSym(); + break; + +diff --git a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp +index 8fdf91b090..1f9a0d575d 100644 +--- a/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp ++++ b/tests/auto/corelib/serialization/qxmlstream/tst_qxmlstream.cpp +@@ -393,8 +393,6 @@ public: + return true; + } + +- QXmlStreamReader reader(&inputFile); +- + /* See testcases.dtd which reads: 'Nonvalidating parsers + * must also accept "invalid" testcases, but validating ones must reject them.' */ + if(type == QLatin1String("invalid") || type == QLatin1String("valid")) +@@ -580,6 +578,8 @@ private slots: + void roundTrip() const; + void roundTrip_data() const; + ++ void entityExpansionLimit() const; ++ + private: + static QByteArray readFile(const QString &filename); + +@@ -1756,6 +1756,25 @@ void tst_QXmlStream::roundTrip_data() const + "\n"; + } + ++void tst_QXmlStream::entityExpansionLimit() const ++{ ++ QString xml = QStringLiteral("" ++ "" ++ "" ++ "" ++ "" ++ "]>" ++ "&d;&d;&d;"); ++ { ++ QXmlStreamReader reader(xml); ++ do { ++ reader.readNext(); ++ } while (!reader.atEnd()); ++ QCOMPARE(reader.error(), QXmlStreamReader::NotWellFormedError); ++ } ++} ++ + void tst_QXmlStream::roundTrip() const + { + QFETCH(QString, in); +-- +cgit v1.2.1 diff --git a/SOURCES/qtbase-do-not-load-plugin-from-pwd.patch b/SOURCES/qtbase-do-not-load-plugin-from-pwd.patch new file mode 100644 index 0000000..b07a8ed --- /dev/null +++ b/SOURCES/qtbase-do-not-load-plugin-from-pwd.patch @@ -0,0 +1,28 @@ +From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001 +From: Olivier Goffart +Date: Fri, 8 Nov 2019 11:30:40 +0100 +Subject: Do not load plugin from the $PWD + +I see no reason why this would make sense to look for plugins in the current +directory. And when there are plugins there, it may actually be wrong + +Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5 +Reviewed-by: Thiago Macieira +--- + src/corelib/plugin/qpluginloader.cpp | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp +index cadff4f32b..c2443dbdda 100644 +--- a/src/corelib/plugin/qpluginloader.cpp ++++ b/src/corelib/plugin/qpluginloader.cpp +@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName) + paths.append(fileName.left(slash)); // don't include the '/' + } else { + paths = QCoreApplication::libraryPaths(); +- paths.prepend(QStringLiteral(".")); // search in current dir first + } + + for (const QString &path : qAsConst(paths)) { +-- +cgit v1.2.1 diff --git a/SOURCES/qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch b/SOURCES/qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch new file mode 100644 index 0000000..824640c --- /dev/null +++ b/SOURCES/qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch @@ -0,0 +1,52 @@ +From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001 +From: Thiago Macieira +Date: Fri, 10 Jan 2020 09:26:27 -0800 +Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD + +I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to +find libraries in a haswell/ subdir of the main path, but we only need +to do that transformation if the library is contains at least one +directory seprator. That is, if the user asks to load "lib/foo", then we +should try "lib/haswell/foo" (often, the path prefix will be absolute). + +When the library name the user requested has no directory separators, we +let dlopen() do the transformation for us. Testing on Linux confirms +glibc does so: + +$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor + 1972475: find library=libXcursor.so.1 [0]; searching + 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1 + 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1 + 1972475: trying file=/usr/lib64/libXcursor.so.1 + 1972475: calling init: /usr/lib64/libXcursor.so.1 + 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0] + +Fixes: QTBUG-81272 +Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb +Reviewed-by: Thiago Macieira +--- + src/corelib/plugin/qlibrary_unix.cpp | 4 +++- + 1 file changed, 3 insertions(+), 1 deletion(-) + +diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp +index e0381498..7cc7c8e3 100644 +--- a/src/corelib/plugin/qlibrary_unix.cpp ++++ b/src/corelib/plugin/qlibrary_unix.cpp +@@ -1,7 +1,7 @@ + /**************************************************************************** + ** + ** Copyright (C) 2016 The Qt Company Ltd. +-** Copyright (C) 2018 Intel Corporation ++** Copyright (C) 2020 Intel Corporation + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtCore module of the Qt Toolkit. +@@ -208,6 +208,8 @@ bool QLibraryPrivate::load_sys() + for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) { + if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix))) + continue; ++ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/'))) ++ continue; + if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix))) + continue; + if (loadHints & QLibrary::LoadArchiveMemberHint) { diff --git a/SPECS/qt5-qtbase.spec b/SPECS/qt5-qtbase.spec index 654a787..8160c7c 100644 --- a/SPECS/qt5-qtbase.spec +++ b/SPECS/qt5-qtbase.spec @@ -42,7 +42,7 @@ BuildRequires: pkgconfig(libsystemd) Name: qt5-qtbase Summary: Qt5 - QtBase components Version: 5.12.5 -Release: 4%{?dist} +Release: 5%{?dist} # See LGPL_EXCEPTIONS.txt, for exception details License: LGPLv2 with exceptions or GPLv3 with exceptions @@ -116,6 +116,17 @@ Patch68: qtbase-ambiguous-python-shebang.patch Patch101: qtbase-allow-dbus-not-running-during-build.patch +# Security fixes + +# CVE-2020-0570 qt5: qt: files placed by attacker can influence the working directory and lead to malicious code execution +Patch200: qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch + +# CVE-2020-0569 qt5-qtbase: qt: files placed by attacker can influence the working directory and lead to malicious code execution +Patch201: qtbase-do-not-load-plugin-from-pwd.patch + +# CVE-2015-9541 qt5: qt: XML entity expansion vulnerability +Patch202: qtbase-add-expansion-limit-for-entities.patch + # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires. # Those themes are there for platform integration. If the required libraries are # not there, the platform to integrate with isn't either. Then Qt will just @@ -379,6 +390,11 @@ Qt5 libraries used for drawing widgets and OpenGL items. %patch101 -p1 -b .qtbase-allow-dbus-not-running-during-build +# Security fixes +%patch200 -p1 -b .qlibrary-do-not-attempt-to-load-library-relative-to-pwd +%patch201 -p1 -b .do-not-load-plugin-from-pwd +%patch202 -p1 -b .add-expansion-limit-for-entities + # move some bundled libs to ensure they're not accidentally used pushd src/3rdparty mkdir UNUSED @@ -1013,6 +1029,14 @@ fi %changelog +* Mon May 11 2020 Jan Grulich - 5.12-5-5 +- Fix: Files placed by attacker can influence the working directory and lead to malicious code execution + Resolves: bz#1814739 + Resolves: bz#1814683 + +- Fix: XML entity expansion vulnerability + Resolves: bz#1822193 + * Wed Nov 27 2019 Jan Grulich - 5.12-5-4 - Fix build on RHEL 7 kernel Resolves: bz#1733135