From 81a4f398617f53d8186c782b852f773c96d85b33 Mon Sep 17 00:00:00 2001 From: Eric Hameleers Date: Wed, 22 Jan 2020 00:30:48 +0100 Subject: DEPS: updated qt5 Patches applied that address two vulnerabilities: CVE-2020-0569 and CVE-2020-0570 --- deps/qt5/patches/qt5.cve-2020-0569.patch | 29 +++++++++++++++++++ deps/qt5/patches/qt5.cve-2020-0570.patch | 48 ++++++++++++++++++++++++++++++++ deps/qt5/qt5.SlackBuild | 14 +++++++++- 3 files changed, 90 insertions(+), 1 deletion(-) create mode 100644 deps/qt5/patches/qt5.cve-2020-0569.patch create mode 100644 deps/qt5/patches/qt5.cve-2020-0570.patch diff --git a/deps/qt5/patches/qt5.cve-2020-0569.patch b/deps/qt5/patches/qt5.cve-2020-0569.patch new file mode 100644 index 0000000..fa0efdc --- /dev/null +++ b/deps/qt5/patches/qt5.cve-2020-0569.patch @@ -0,0 +1,29 @@ +From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001 +From: Olivier Goffart +Date: Fri, 8 Nov 2019 11:30:40 +0100 +Subject: Do not load plugin from the $PWD + +I see no reason why this would make sense to look for plugins in the current +directory. And when there are plugins there, it may actually be wrong + +Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5 +Reviewed-by: Thiago Macieira +--- + src/corelib/plugin/qpluginloader.cpp | 1 - + 1 file changed, 1 deletion(-) + +diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp +index cadff4f32b..c2443dbdda 100644 +--- a/src/corelib/plugin/qpluginloader.cpp ++++ b/src/corelib/plugin/qpluginloader.cpp +@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName) + paths.append(fileName.left(slash)); // don't include the '/' + } else { + paths = QCoreApplication::libraryPaths(); +- paths.prepend(QStringLiteral(".")); // search in current dir first + } + + for (const QString &path : qAsConst(paths)) { +-- +cgit v1.2.1 + diff --git a/deps/qt5/patches/qt5.cve-2020-0570.patch b/deps/qt5/patches/qt5.cve-2020-0570.patch new file mode 100644 index 0000000..fa3eb33 --- /dev/null +++ b/deps/qt5/patches/qt5.cve-2020-0570.patch @@ -0,0 +1,48 @@ +QLibrary/Unix: do not attempt to load a library relative to $PWD + +I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to +find libraries in a haswell/ subdir of the main path, but we only need +to do that transformation if the library is contains at least one +directory seprator. That is, if the user asks to load "lib/foo", then we +should try "lib/haswell/foo" (often, the path prefix will be absolute). + +When the library name the user requested has no directory separators, we +let dlopen() do the transformation for us. Testing on Linux confirms +glibc does so: + +$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor + 1972475: find library=libXcursor.so.1 [0]; searching + 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1 + 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1 + 1972475: trying file=/usr/lib64/libXcursor.so.1 + 1972475: calling init: /usr/lib64/libXcursor.so.1 + 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0] + +Fixes: QTBUG-81272 +Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb + +X-Git-Url: https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=blobdiff_plain;f=src%2Fcorelib%2Fplugin%2Fqlibrary_unix.cpp;h=135b82cd378b00abe231c2320866d88f8a71b25a;hp=f0de1010d7b7126d83c4365a31924fa080ec334d;hb=27d92ead3a5f3c145f16b96f95a43c5af136a36b;hpb=3b54009b13e9629b75827a59f8537451d25613a4 + +diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp +index f0de1010d7b..135b82cd378 100644 +--- a/src/corelib/plugin/qlibrary_unix.cpp ++++ b/src/corelib/plugin/qlibrary_unix.cpp +@@ -1,7 +1,7 @@ + /**************************************************************************** + ** + ** Copyright (C) 2016 The Qt Company Ltd. +-** Copyright (C) 2018 Intel Corporation ++** Copyright (C) 2020 Intel Corporation + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtCore module of the Qt Toolkit. +@@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys() + for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) { + if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix))) + continue; ++ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/'))) ++ continue; + if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix))) + continue; + if (loadHints & QLibrary::LoadArchiveMemberHint) { + diff --git a/deps/qt5/qt5.SlackBuild b/deps/qt5/qt5.SlackBuild index 88ce38b..7ce93c3 100755 --- a/deps/qt5/qt5.SlackBuild +++ b/deps/qt5/qt5.SlackBuild @@ -70,7 +70,7 @@ cd $(dirname $0) ; CWD=$(pwd) PKGNAM=qt5 VERSION=${VERSION:-5.13.2} -BUILD=${BUILD:-1} +BUILD=${BUILD:-2} PKGSRC=$(echo $VERSION |cut -d- -f1) PKGVER=$(echo $VERSION |tr - _) @@ -168,6 +168,18 @@ cd qtbase | patch -p1 --verbose || exit 1 cd - 1>/dev/null +# CVE-2020-0569 (fixed in 5.14.0): +cd qtbase + cat $CWD/patches/qt5.cve-2020-0569.patch \ + | patch -p1 --verbose || exit 1 +cd - 1>/dev/null + +# CVE-2020-0570 (fixed in 5.14.1): +cd qtbase + cat $CWD/patches/qt5.cve-2020-0570.patch \ + | patch -p1 --verbose || exit 1 +cd - 1>/dev/null + if ! pkg-config --exists libpulse 2>/dev/null ; then # Forcibly disable pulseaudio in qtwebengine: cat $CWD/patches/qt5.pulseaudio.diff | patch -p1 --verbose || exit 1 -- cgit v1.2.3