[neon/qt/qtbase/Neon/release] debian: Backport upstream patch to make QProcess not search for executables in CWD.
Dmitry Shachnev
null at kde.org
Thu May 5 10:59:25 BST 2022
Git commit 387bd8f179abc9221c2bd59a38ac140afc661654 by Dmitry Shachnev.
Committed on 21/02/2022 at 13:04.
Pushed by jriddell into branch 'Neon/release'.
Backport upstream patch to make QProcess not search for executables in CWD.
Unless explicitly told so.
This fixes CVE-2022-25255.
M +2 -0 debian/changelog
A +92 -0 debian/patches/CVE-2022-25255.diff
M +1 -0 debian/patches/series
https://invent.kde.org/neon/qt/qtbase/commit/387bd8f179abc9221c2bd59a38ac140afc661654
diff --git a/debian/changelog b/debian/changelog
index 28ce304..e470095 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ qtbase-opensource-src (5.15.2+dfsg-15) UNRELEASED; urgency=medium
[ Dmitry Shachnev ]
* Backport upstream changes to improve support for OpenSSL 3.0.
* Replace -ffile-prefix-map in qmodule.pri.
+ * Backport upstream patch to make QProcess not search for executables in
+ CWD unless explicitly told so (CVE-2022-25255).
-- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org> Sun, 05 Dec 2021 17:23:13 +0300
diff --git a/debian/patches/CVE-2022-25255.diff b/debian/patches/CVE-2022-25255.diff
new file mode 100644
index 0000000..764e939
--- /dev/null
+++ b/debian/patches/CVE-2022-25255.diff
@@ -0,0 +1,92 @@
+Description: QProcess: ensure we don't accidentally execute something from CWD
+ Unless "." (or the empty string) is in $PATH, we're not supposed to find
+ executables in the current directory. This is how the Unix shells behave
+ and we match their behavior. It's also the behavior Qt had prior to 5.9
+ (commit 28666d167aa8e602c0bea25ebc4d51b55005db13). On Windows, searching
+ the current directory is the norm, so we keep that behavior.
+ .
+ This commit does not add an explicit check for an empty return from
+ QStandardPaths::findExecutable(). Instead, we allow that empty string to
+ go all the way to execve(2), which will fail with ENOENT. We could catch
+ it early, before fork(2), but why add code for the error case?
+ .
+ See https://kde.org/info/security/advisory-20220131-1.txt
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2022-25255-qprocess5-15.diff
+Last-Update: 2022-02-21
+
+--- a/src/corelib/io/qprocess_unix.cpp
++++ b/src/corelib/io/qprocess_unix.cpp
+@@ -1,7 +1,7 @@
+ /****************************************************************************
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2016 Intel Corporation.
++** Copyright (C) 2022 Intel Corporation.
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -422,14 +422,15 @@ void QProcessPrivate::startProcess()
+ // Add the program name to the argument list.
+ argv[0] = nullptr;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty()) {
+- const QByteArray &tmp = QFile::encodeName(exeFilePath);
+- argv[0] = ::strdup(tmp.constData());
+- }
+- }
+- if (!argv[0])
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
+ argv[0] = ::strdup(encodedProgramName.constData());
++ }
+
+ // Add every argument to the list
+ for (int i = 0; i < arguments.count(); ++i)
+@@ -983,15 +984,16 @@ bool QProcessPrivate::startDetached(qint
+ envp = _q_dupEnvironment(environment.d.constData()->vars, &envc);
+ }
+
+- QByteArray tmp;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty())
+- tmp = QFile::encodeName(exeFilePath);
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
++ argv[0] = ::strdup(QFile::encodeName(program));
+ }
+- if (tmp.isEmpty())
+- tmp = QFile::encodeName(program);
+- argv[0] = tmp.data();
+
+ if (envp)
+ qt_safe_execve(argv[0], argv, envp);
+--- a/tests/auto/widgets/kernel/qapplication/tst_qapplication.cpp
++++ b/tests/auto/widgets/kernel/qapplication/tst_qapplication.cpp
+@@ -1449,7 +1449,7 @@ void tst_QApplication::desktopSettingsAw
+ {
+ #if QT_CONFIG(process)
+ QProcess testProcess;
+- testProcess.start("desktopsettingsaware_helper");
++ testProcess.start("./desktopsettingsaware_helper");
+ QVERIFY2(testProcess.waitForStarted(),
+ qPrintable(QString::fromLatin1("Cannot start 'desktopsettingsaware_helper': %1").arg(testProcess.errorString())));
+ QVERIFY(testProcess.waitForFinished(10000));
+@@ -2365,7 +2365,7 @@ void tst_QApplication::qtbug_12673()
+ #if QT_CONFIG(process)
+ QProcess testProcess;
+ QStringList arguments;
+- testProcess.start("modal_helper", arguments);
++ testProcess.start("./modal_helper", arguments);
+ QVERIFY2(testProcess.waitForStarted(),
+ qPrintable(QString::fromLatin1("Cannot start 'modal_helper': %1").arg(testProcess.errorString())));
+ QVERIFY(testProcess.waitForFinished(20000));
diff --git a/debian/patches/series b/debian/patches/series
index 8725f63..f37d1c6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,6 +15,7 @@ fix_recursion_crash.diff
mysql_field_readonly.diff
CVE-2021-38593.diff
openssl3.diff
+CVE-2022-25255.diff
# Debian specific.
gnukfreebsd.diff
More information about the Neon-commits
mailing list