diff --git a/SOURCES/qtbase-do-not-load-plugin-from-pwd.patch b/SOURCES/qtbase-do-not-load-plugin-from-pwd.patch
new file mode 100644
index 0000000..b07a8ed
--- /dev/null
+++ b/SOURCES/qtbase-do-not-load-plugin-from-pwd.patch
@@ -0,0 +1,28 @@
+From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001
+From: Olivier Goffart
+Date: Fri, 8 Nov 2019 11:30:40 +0100
+Subject: Do not load plugin from the $PWD
+
+I see no reason why this would make sense to look for plugins in the current
+directory. And when there are plugins there, it may actually be wrong
+
+Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5
+Reviewed-by: Thiago Macieira
+---
+ src/corelib/plugin/qpluginloader.cpp | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
+index cadff4f32b..c2443dbdda 100644
+--- a/src/corelib/plugin/qpluginloader.cpp
++++ b/src/corelib/plugin/qpluginloader.cpp
+@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName)
+ paths.append(fileName.left(slash)); // don't include the '/'
+ } else {
+ paths = QCoreApplication::libraryPaths();
+- paths.prepend(QStringLiteral(".")); // search in current dir first
+ }
+
+ for (const QString &path : qAsConst(paths)) {
+--
+cgit v1.2.1
diff --git a/SOURCES/qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch b/SOURCES/qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch
new file mode 100644
index 0000000..8b40b25
--- /dev/null
+++ b/SOURCES/qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch
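Review bot: Nothing in the patched `else` branch of `locatePlugin()` (qtbase-do-not-load-plugin-from-pwd.patch) records that the working directory is left out of the search list on purpose, so the `"."` entry could be reintroduced by a later change. A one-line comment next to `paths = QCoreApplication::libraryPaths();` would help, e.g. `// deliberately no "." entry: plugins must not be picked up from the working directory`. Because this lands as a backport on 5.9.7, applications that passed a bare plugin name and relied on the current-directory lookup will stop finding it, which deserves a sentence in the package's release notes. The body of `locatePlugin()` starts and ends outside the hunk.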
@@ -0,0 +1,43 @@
+From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001
+From: Thiago Macieira
+Date: Fri, 10 Jan 2020 09:26:27 -0800
+Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD
+
+I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
+find libraries in a haswell/ subdir of the main path, but we only need
+to do that transformation if the library is contains at least one
+directory seprator. That is, if the user asks to load "lib/foo", then we
+should try "lib/haswell/foo" (often, the path prefix will be absolute).
+
+When the library name the user requested has no directory separators, we
+let dlopen() do the transformation for us. Testing on Linux confirms
+glibc does so:
+
+$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor
+ 1972475: find library=libXcursor.so.1 [0]; searching
+ 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
+ 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1
+ 1972475: trying file=/usr/lib64/libXcursor.so.1
+ 1972475: calling init: /usr/lib64/libXcursor.so.1
+ 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0]
+
+Fixes: QTBUG-81272
+Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb
+Reviewed-by: Thiago Macieira
+---
+ src/corelib/plugin/qlibrary_unix.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
+index e0381498..7cc7c8e3 100644
+--- a/src/corelib/plugin/qlibrary_unix.cpp
++++ b/src/corelib/plugin/qlibrary_unix.cpp
+@@ -208,6 +208,8 @@ bool QLibraryPrivate::load_sys()
+ for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
+ if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
+ continue;
++ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
++ continue;
+ if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
+ continue;
+ if (loadHints & QLibrary::LoadArchiveMemberHint) {
diff --git a/SOURCES/qtcore-config-multilib.h b/SOURCES/qtcore-config-multilib.h
new file mode 100644
index 0000000..5482d88
--- /dev/null
+++ b/SOURCES/qtcore-config-multilib.h
@@ -0,0 +1,23 @@
+/* qtcore-config.h */
+/* This file is here to prevent a file conflict on multiarch systems. A
+ * conflict will occur because qtcore-config.h has arch-specific definitions.
+ *
+ * DO NOT INCLUDE THE NEW FILE DIRECTLY -- ALWAYS INCLUDE THIS ONE INSTEAD. */
+
+#ifndef QTCORE_CONFIG_MULTILIB_H
+#define QTCORE_CONFIG_MULTILIB_H
+
+#ifndef __WORDSIZE
+#include
+#endif
+
+#if __WORDSIZE == 32
+#include "QtCore/qtcore-config-32.h"
+#elif __WORDSIZE == 64
+#include "QtCore/qtcore-config-64.h"
+#else
+#error "unexpected value for __WORDSIZE macro"
+#endif
+
+#endif
+
diff --git a/SPECS/qt5-qtbase.spec b/SPECS/qt5-qtbase.spec
index 1fee0a4..c378a04 100644
--- a/SPECS/qt5-qtbase.spec
+++ b/SPECS/qt5-qtbase.spec
@@ -57,7 +57,7 @@ BuildRequires: pkgconfig(libsystemd)
 Summary: Qt5 - QtBase components
 Name: qt5-qtbase
 Version: 5.9.7
-Release: 2%{?dist}
+Release: 4%{?dist}
 # See LGPL_EXCEPTIONS.txt, for exception details
 License: LGPLv2 with exceptions or GPLv3 with exceptions
@@ -68,6 +68,10 @@ Source0: http://download.qt.io/official_releases/qt/5.9/%{version}/submodules/%{
 Source1: qtlogging.ini
 # header file to workaround multilib issue
+# https://bugzilla.redhat.com/show_bug.cgi?id=1534528
+Source4: qtcore-config-multilib.h
+
+# header file to workaround multilib issue
 # https://bugzilla.redhat.com/show_bug.cgi?id=1036956
 Source5: qconfig-multilib.h
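Review bot: The header of qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch still advertises `4 +++-` and `3 insertions(+), 1 deletion(-)`, but the hunk it carries (`@@ -208,6 +208,8 @@` in `QLibraryPrivate::load_sys()`) adds two lines and removes none, so this looks like a hand-adapted backport rather than upstream commit e6f1fde24f77 as-is. For a CVE fix that divergence should be stated in the patch header, e.g. `Backport note: adapted for 5.9.7, hunk differs from the upstream commit`, so a later audit knows to compare the two. The added guard `if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))` would also benefit from a comment such as `// bare name: a prefix containing '/' would make it a path relative to $PWD; dlopen() searches the subdirectories itself`. The loops and the rest of `load_sys()` continue outside the hunk.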
@@ -105,6 +109,12 @@ Patch62: qt5-qtbase-5.9.1-firebird.patch
 # fix for new mariadb
 Patch63: qtbase-opensource-src-5.9.0-mysql.patch
+# CVE-2020-0570 qt5: qt: files placed by attacker can influence the working directory and lead to malicious code execution
+Patch200: qtbase-qlibrary-do-not-attempt-to-load-library-relative-to-pwd.patch
+
+# CVE-2020-0569 qt5-qtbase: qt: files placed by attacker can influence the working directory and lead to malicious code execution
+Patch201: qtbase-do-not-load-plugin-from-pwd.patch
+
 # Do not check any files in %%{_qt5_plugindir}/platformthemes/ for requires.
 # Those themes are there for platform integration. If the required libraries are
 # not there, the platform to integrate with isn't either. Then Qt will just
@@ -369,6 +379,10 @@ RPM macros for building Qt5 packages.
 %patch62 -p1 -b .firebird
 %patch63 -p1 -b .mysql
+# Security fixes
+%patch200 -p1 -b .qlibrary-do-not-attempt-to-load-library-relative-to-pwd
+%patch201 -p1 -b .do-not-load-plugin-from-pwd
+
 %if 0%{?inject_optflags}
 ## adjust $RPM_OPT_FLAGS
@@ -564,6 +578,9 @@ done
 popd
 %ifarch %{multilib_archs}
+# multilib: qtcore-config.h
+ mv %{buildroot}%{_qt5_headerdir}/QtCore/qtcore-config.h %{buildroot}%{_qt5_headerdir}/QtCore/qtcore-config-%{__isa_bits}.h
+ install -p -m644 -D %{SOURCE4} %{buildroot}%{_qt5_headerdir}/QtCore/qtcore-config.h
 # multilib: qconfig.h
 mv %{buildroot}%{_qt5_headerdir}/QtCore/qconfig.h %{buildroot}%{_qt5_headerdir}/QtCore/qconfig-%{__isa_bits}.h
 install -p -m644 -D %{SOURCE5} %{buildroot}%{_qt5_headerdir}/QtCore/qconfig.h
@@ -689,7 +706,6 @@ fi
 %{_qt5_libdir}/libQt5Sql.so.5*
 %{_qt5_libdir}/libQt5Test.so.5*
 %{_qt5_libdir}/libQt5Xml.so.5*
-%{_qt5_libdir}/libQt5EglFSDeviceIntegration.so.5*
 %dir %{_qt5_libdir}/cmake/
 %dir %{_qt5_libdir}/cmake/Qt5/
 %dir %{_qt5_libdir}/cmake/Qt5Concurrent/
@@ -981,6 +997,7 @@ fi
 %{_qt5_libdir}/cmake/Qt5Gui/Qt5Gui_QIbusPlatformInputContextPlugin.cmake
 %if 0%{?egl}
 %{_qt5_libdir}/libQt5EglFsKmsSupport.so.5*
+%{_qt5_libdir}/libQt5EglFSDeviceIntegration.so.5*
 %{_qt5_plugindir}/platforms/libqeglfs.so
 %{_qt5_plugindir}/platforms/libqminimalegl.so
 %dir %{_qt5_plugindir}/egldeviceintegrations/
@@ -1020,6 +1037,18 @@ fi
 %changelog
+* Tue May 19 2020 Jan Grulich - 5.9.7-4
+- Fix: Files placed by attacker can influence the working directory and lead to malicious code execution
+ Resolves: bz#1814740
+ Resolves: bz#1814685
+
+* Wed Feb 19 2020 Jan Grulich - 5.9.7-3
+- Fix multilib issue with qtcore-config.h header file
+ Resolves: bz#1534528
+
+- Move libQt5EglFSDeviceIntegration lib into correct subpackage
+ Resolves: bz#1792680
+
 * Thu Feb 07 2019 Jan Grulich - 5.9.7-1
 - Enable -doc subpkg on PPC
 Resolves: bz#1564000