[neon/qt/qtbase/Neon/release] debian: Backport upstream patch to make QProcess not search for executables in CWD.

Dmitry Shachnev null at kde.org
Thu May 5 10:59:25 BST 2022


Git commit 387bd8f179abc9221c2bd59a38ac140afc661654 by Dmitry Shachnev.
Committed on 21/02/2022 at 13:04.
Pushed by jriddell into branch 'Neon/release'.

Backport upstream patch to make QProcess not search for executables in CWD.

Unless explicitly told to do so.

This fixes CVE-2022-25255.

M  +2    -0    debian/changelog
A  +92   -0    debian/patches/CVE-2022-25255.diff
M  +1    -0    debian/patches/series

https://invent.kde.org/neon/qt/qtbase/commit/387bd8f179abc9221c2bd59a38ac140afc661654

diff --git a/debian/changelog b/debian/changelog
index 28ce304..e470095 100644
--- a/debian/changelog
+++ b/debian/changelog
@@ -3,6 +3,8 @@ qtbase-opensource-src (5.15.2+dfsg-15) UNRELEASED; urgency=medium
   [ Dmitry Shachnev ]
   * Backport upstream changes to improve support for OpenSSL 3.0.
   * Replace -ffile-prefix-map in qmodule.pri.
+  * Backport upstream patch to make QProcess not search for executables in
+    CWD unless explicitly told so (CVE-2022-25255).
 
  -- Debian Qt/KDE Maintainers <debian-qt-kde at lists.debian.org>  Sun, 05 Dec 2021 17:23:13 +0300
 
diff --git a/debian/patches/CVE-2022-25255.diff b/debian/patches/CVE-2022-25255.diff
new file mode 100644
index 0000000..764e939
--- /dev/null
+++ b/debian/patches/CVE-2022-25255.diff
@@ -0,0 +1,92 @@
+Description: QProcess: ensure we don't accidentally execute something from CWD
+ Unless "." (or the empty string) is in $PATH, we're not supposed to find
+ executables in the current directory. This is how the Unix shells behave
+ and we match their behavior. It's also the behavior Qt had prior to 5.9
+ (commit 28666d167aa8e602c0bea25ebc4d51b55005db13). On Windows, searching
+ the current directory is the norm, so we keep that behavior.
+ .
+ This commit does not add an explicit check for an empty return from
+ QStandardPaths::findExecutable(). Instead, we allow that empty string to
+ go all the way to execve(2), which will fail with ENOENT. We could catch
+ it early, before fork(2), but why add code for the error case?
+ .
+ See https://kde.org/info/security/advisory-20220131-1.txt
+Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2022-25255-qprocess5-15.diff
+Last-Update: 2022-02-21
+
+--- a/src/corelib/io/qprocess_unix.cpp
++++ b/src/corelib/io/qprocess_unix.cpp
+@@ -1,7 +1,7 @@
+ /****************************************************************************
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2016 Intel Corporation.
++** Copyright (C) 2022 Intel Corporation.
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -422,14 +422,15 @@ void QProcessPrivate::startProcess()
+     // Add the program name to the argument list.
+     argv[0] = nullptr;
+     if (!program.contains(QLatin1Char('/'))) {
++        // findExecutable() returns its argument if it's an absolute path,
++        // otherwise it searches $PATH; returns empty if not found (we handle
++        // that case much later)
+         const QString &exeFilePath = QStandardPaths::findExecutable(program);
+-        if (!exeFilePath.isEmpty()) {
+-            const QByteArray &tmp = QFile::encodeName(exeFilePath);
+-            argv[0] = ::strdup(tmp.constData());
+-        }
+-    }
+-    if (!argv[0])
++        const QByteArray &tmp = QFile::encodeName(exeFilePath);
++        argv[0] = ::strdup(tmp.constData());
++    } else {
+         argv[0] = ::strdup(encodedProgramName.constData());
++    }
+ 
+     // Add every argument to the list
+     for (int i = 0; i < arguments.count(); ++i)
+@@ -983,15 +984,16 @@ bool QProcessPrivate::startDetached(qint
+                 envp = _q_dupEnvironment(environment.d.constData()->vars, &envc);
+             }
+ 
+-            QByteArray tmp;
+             if (!program.contains(QLatin1Char('/'))) {
++                // findExecutable() returns its argument if it's an absolute path,
++                // otherwise it searches $PATH; returns empty if not found (we handle
++                // that case much later)
+                 const QString &exeFilePath = QStandardPaths::findExecutable(program);
+-                if (!exeFilePath.isEmpty())
+-                    tmp = QFile::encodeName(exeFilePath);
++                const QByteArray &tmp = QFile::encodeName(exeFilePath);
++                argv[0] = ::strdup(tmp.constData());
++            } else {
++                argv[0] = ::strdup(QFile::encodeName(program));
+             }
+-            if (tmp.isEmpty())
+-                tmp = QFile::encodeName(program);
+-            argv[0] = tmp.data();
+ 
+             if (envp)
+                 qt_safe_execve(argv[0], argv, envp);
+--- a/tests/auto/widgets/kernel/qapplication/tst_qapplication.cpp
++++ b/tests/auto/widgets/kernel/qapplication/tst_qapplication.cpp
+@@ -1449,7 +1449,7 @@ void tst_QApplication::desktopSettingsAw
+ {
+ #if QT_CONFIG(process)
+     QProcess testProcess;
+-    testProcess.start("desktopsettingsaware_helper");
++    testProcess.start("./desktopsettingsaware_helper");
+     QVERIFY2(testProcess.waitForStarted(),
+              qPrintable(QString::fromLatin1("Cannot start 'desktopsettingsaware_helper': %1").arg(testProcess.errorString())));
+     QVERIFY(testProcess.waitForFinished(10000));
+@@ -2365,7 +2365,7 @@ void tst_QApplication::qtbug_12673()
+ #if QT_CONFIG(process)
+     QProcess testProcess;
+     QStringList arguments;
+-    testProcess.start("modal_helper", arguments);
++    testProcess.start("./modal_helper", arguments);
+     QVERIFY2(testProcess.waitForStarted(),
+              qPrintable(QString::fromLatin1("Cannot start 'modal_helper': %1").arg(testProcess.errorString())));
+     QVERIFY(testProcess.waitForFinished(20000));
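Review bot: In the startDetached hunk the else branch `argv[0] = ::strdup(QFile::encodeName(program));` hands a QByteArray temporary directly to strdup, which compiles only through QByteArray's implicit `const char *` conversion (disabled in builds that define QT_NO_CAST_FROM_BYTEARRAY), whereas the branch three lines above and the parallel code in the startProcess hunk spell out `.constData()`. For consistency across the three call sites, and so the line does not depend on that conversion being available, `argv[0] = ::strdup(QFile::encodeName(program).constData());` is the safer form. The new scoping of `tmp` inside the if block together with strdup does resolve the old code's reliance on a QByteArray that outlived its branch, so no lifetime issue remains there. Both startProcess and startDetached begin and end outside this hunk.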
diff --git a/debian/patches/series b/debian/patches/series
index 8725f63..f37d1c6 100644
--- a/debian/patches/series
+++ b/debian/patches/series
@@ -15,6 +15,7 @@ fix_recursion_crash.diff
 mysql_field_readonly.diff
 CVE-2021-38593.diff
 openssl3.diff
+CVE-2022-25255.diff
 
 # Debian specific.
 gnukfreebsd.diff


