Hi! Two security bugs were found in qtbase-opensource-src: https://lists.qt-project.org/pipermail/development/2020-January/038521.html

Issue 1) CVE-2020-0569
Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
* Vendor: Qt Project
* Product: Qt
* Versions affected: 5.0.0 to 5.13.2
* Versions fixed: 5.14.0 (5.14.1 is currently being prepared in experimental, 5.14.0 never hit the Debian archive)
* Issue: local attack, loading and execution of untrusted code
* Scope: class QPluginLoader (qtbase/src/corelib/plugin/qpluginloader.cpp)
* Description: QPluginLoader in Qt versions 5.0.0 through 5.13.2 would search for certain plugins first on the current working directory of the application, which allows an attacker that can place files in the file system and influence the working directory of Qt-based applications to load and execute malicious code. This issue was verified on macOS and Linux and probably affects all other Unix operating systems. This issue does not affect Windows.

Issue 2) CVE-2020-0570
Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
* Vendor: Qt Project
* Product: Qt
* Versions affected: 5.12.0 through 5.14.0
* Versions fixed: 5.14.1 (currently being prepared in experimental)
* Issue: local attack, loading and execution of untrusted code
* Scope: class QLibrary (qtbase/src/corelib/plugin)
* Reference: https://bugreports.qt.io/browse/QTBUG-81272
* Description: QLibrary in Qt versions 5.12.0 through 5.14.0, on certain x86 machines, would search for certain libraries and plugins relative to the current working directory of the application, which allows an attacker that can place files in the file system and influence the working directory of Qt-based applications to load and execute malicious code. This issue was verified on Linux and probably affects all Unix operating systems, other than macOS (Darwin). This issue does not affect Windows.

Please note that the attached debdiff is made against the current version in buster p-u, already accepted by SRM.
diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/changelog qtbase-opensource-src-5.11.3+dfsg1/debian/changelog --- qtbase-opensource-src-5.11.3+dfsg1/debian/changelog 2019-11-24 14:34:59.000000000 -0300 +++ qtbase-opensource-src-5.11.3+dfsg1/debian/changelog 2020-01-30 10:42:01.000000000 -0300 @@ -1,3 +1,12 @@ +qtbase-opensource-src (5.11.3+dfsg1-1+deb10u3) buster-security; urgency=high + + [ Dmitry Shachnev ] + * Backport fixes for two vulnerabilities: + - CVE-2020-0569: Do not load plugin from the CWD. + - CVE-2020-0570: Qt tries to load invalid library from CWD. + + -- Lisandro Damián Nicanor Pérez Meyer <[email protected]> Thu, 30 Jan 2020 10:42:01 -0300 + qtbase-opensource-src (5.11.3+dfsg1-1+deb10u2) buster; urgency=medium [ Dmitry Shachnev ] diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0569.diff qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0569.diff --- qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0569.diff 1969-12-31 21:00:00.000000000 -0300 +++ qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0569.diff 2020-01-30 10:37:03.000000000 -0300 
@@ -0,0 +1,14 @@ +Description: do not load plugin from the $PWD +Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b340 +Last-Update: 2020-01-30 + +--- a/src/corelib/plugin/qpluginloader.cpp ++++ b/src/corelib/plugin/qpluginloader.cpp +@@ -305,7 +305,6 @@ static QString locatePlugin(const QStrin + paths.append(fileName.left(slash)); // don't include the '/' + } else { + paths = QCoreApplication::libraryPaths(); +- paths.prepend(QStringLiteral(".")); // search in current dir first + } + + for (const QString &path : qAsConst(paths)) { diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0570.diff qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0570.diff --- qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0570.diff 1969-12-31 21:00:00.000000000 -0300 +++ qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0570.diff 2020-01-30 10:37:03.000000000 -0300 
@@ -0,0 +1,32 @@ +Description: QLibrary/Unix: do not attempt to load a library relative to $PWD + I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to + find libraries in a haswell/ subdir of the main path, but we only need + to do that transformation if the library is contains at least one + directory separator. That is, if the user asks to load "lib/foo", then we + should try "lib/haswell/foo" (often, the path prefix will be absolute). + . + When the library name the user requested has no directory separators, we + let dlopen() do the transformation for us. Testing on Linux confirms + glibc does so: + . + $ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor + 1972475: find library=libXcursor.so.1 [0]; searching + 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1 + 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1 + 1972475: trying file=/usr/lib64/libXcursor.so.1 + 1972475: calling init: /usr/lib64/libXcursor.so.1 + 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0] +Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63f +Last-Update: 2020-01-30 + +--- a/src/corelib/plugin/qlibrary_unix.cpp ++++ b/src/corelib/plugin/qlibrary_unix.cpp +@@ -208,6 +208,8 @@ bool QLibraryPrivate::load_sys() + for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) { + if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix))) + continue; ++ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/'))) ++ continue; + if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix))) + continue; + if (loadHints & QLibrary::LoadArchiveMemberHint) { diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series --- qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series 2019-11-24 14:34:59.000000000 -0300 +++ qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series 
2020-01-30 10:37:24.000000000 -0300 @@ -8,6 +8,8 @@ raw_printers.diff ensure-qtabletevent-is-not-pre-accepted.patch repolish_run_on_direct_children.diff +CVE-2020-0569.diff +CVE-2020-0570.diff # Debian specific. gnukfreebsd.diff
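Review bot: in the debian/changelog hunk the two bullets are worded differently: "CVE-2020-0569: Do not load plugin from the CWD." describes the fix, while "CVE-2020-0570: Qt tries to load invalid library from CWD." describes the bug (the QTBUG-81272 title). For a security changelog it is clearer to state what the upload changes in both cases; the Description line of CVE-2020-0570.diff, "do not attempt to load a library relative to $PWD", would fit. Also, the entry targets buster-security with urgency=high while the covering mail says the debdiff was made against the buster p-u version; the base version (deb10u2) is the same either way, but the target suite should be confirmed with the security team before upload.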
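Review bot: in CVE-2020-0569.diff the removed line `paths.prepend(QStringLiteral("."));` only affects the else branch, i.e. plugin names without a '/'. The other branch still does `paths.append(fileName.left(slash));`, so a caller that passes an explicit relative path keeps resolving it against the working directory. That is the expected meaning of an explicit path, but the patch Description ("do not load plugin from the $PWD") reads as if all CWD lookups are gone; a short clause saying that only the implicit search of "." is removed would avoid that misunderstanding. The hunk header counts (7 lines before, 6 after) are consistent with a single deletion.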
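Review bot: in CVE-2020-0570.diff the added check `if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))` is placed inside the `for(int suffix = ...)` loop although it depends only on `prefix`, so it is re-evaluated once per suffix. This mirrors the existing `name.startsWith(prefixes.at(prefix))` check directly above it, so it is consistent with the surrounding code, but both tests could be hoisted into the enclosing prefix loop. The logic itself matches the Description: with an empty `path` the "haswell/"-prefixed candidates are skipped and the bare name is handed to dlopen(), which performs the sub-directory lookup itself, as the quoted LD_DEBUG output shows. One nit in the header text: "if the library is contains at least one directory separator" has a stray "is"; it is the upstream commit message, so leaving it verbatim is acceptable, but the patch header is where it would be corrected.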
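To make the two lookups described in the advisory text concrete, here is an added Python model (not Qt's code and not part of the debdiff) of the search-list construction in locatePlugin() and of the prefix/suffix candidate loop in QLibraryPrivate::load_sys(), each with a switch for the pre-fix and post-fix behaviour. The prefix list `PREFIXES`, the directory layout and the file names are constructed assumptions chosen to make the effect visible; the real prefix list is built at runtime from the CPU features.

```python
"""
Model of the two Qt lookup paths fixed by CVE-2020-0569 and CVE-2020-0570.
Added illustration, not Qt's code; the prefix list and all paths are constructed.
"""
import os
import tempfile
from pathlib import Path

# --- CVE-2020-0569: plugin search order (locatePlugin, qpluginloader.cpp) ----

def plugin_search_paths(file_name, library_paths, cwd_first):
    """Path list as locatePlugin() builds it: an explicit directory component
    wins, otherwise QCoreApplication::libraryPaths(); the pre-fix code
    prepended "." to that list (cwd_first=True)."""
    slash = file_name.rfind("/")
    if slash != -1:
        return [file_name[:slash]]
    paths = list(library_paths)
    if cwd_first:                      # the line removed by CVE-2020-0569.diff
        paths.insert(0, ".")
    return paths

def locate_plugin(file_name, library_paths, cwd, cwd_first, suffixes=(".so",)):
    """Return the first existing <path>/<basename><suffix>, resolving relative
    paths against `cwd` as the running process would."""
    base = file_name[file_name.rfind("/") + 1:]
    for p in plugin_search_paths(file_name, library_paths, cwd_first):
        for suf in suffixes:
            cand = Path(p if os.path.isabs(p) else os.path.join(cwd, p), base + suf)
            if cand.is_file():
                return str(cand.resolve())
    return None

def demo_plugin_loader():
    """Constructed layout: the legitimate plugin in the library path and a
    same-named file in a working directory the application does not control.
    Returns the directory name each variant picks."""
    with tempfile.TemporaryDirectory() as root:
        libdir = Path(root, "lib", "qt5", "plugins")
        libdir.mkdir(parents=True)
        cwd = Path(root, "untrusted_cwd")
        cwd.mkdir()
        (libdir / "libexample.so").write_bytes(b"")   # constructed, empty files
        (cwd / "libexample.so").write_bytes(b"")
        before = locate_plugin("libexample", [str(libdir)], str(cwd), cwd_first=True)
        after = locate_plugin("libexample", [str(libdir)], str(cwd), cwd_first=False)
        return (Path(before).parent.name, Path(after).parent.name)

# --- CVE-2020-0570: names handed to dlopen() (load_sys, qlibrary_unix.cpp) ---

# Assumed prefix list for an x86 build that tries a haswell/ sub-directory
# first; the real list is computed at runtime, this one is for illustration.
PREFIXES = ["haswell/lib", "lib", ""]
SUFFIXES = [".so"]

def library_candidates(name, fixed):
    """Candidates in the order the load_sys() loop would try them; `fixed`
    applies the two-line check added by CVE-2020-0570.diff."""
    slash = name.rfind("/")
    path, base = (name[:slash + 1], name[slash + 1:]) if slash != -1 else ("", name)
    out = []
    for prefix in PREFIXES:
        if prefix and base.startswith(prefix):
            continue
        if fixed and not path and "/" in prefix:
            continue            # no directory given: let dlopen() do the lookup
        for suffix in SUFFIXES:
            if suffix and base.endswith(suffix):
                continue
            out.append(path + prefix + base + suffix)
    return out

def dlopen_resolution(candidate):
    """How glibc's dlopen() treats a name: no '/' means the loader search path
    (LD_LIBRARY_PATH, ld.so.cache, default dirs); a relative name containing
    '/' is opened relative to the working directory."""
    if os.path.isabs(candidate):
        return "absolute"
    if "/" in candidate:
        return "cwd-relative"
    return "loader-search"

def cwd_relative_candidates(name, fixed):
    """The candidates that would be opened relative to $PWD, i.e. the ones a
    writable working directory can satisfy."""
    return [c for c in library_candidates(name, fixed)
            if dlopen_resolution(c) == "cwd-relative"]

if __name__ == "__main__":
    print("plugin picked before/after fix:", demo_plugin_loader())
    print("CWD-relative candidates before fix:", cwd_relative_candidates("Xcursor", False))
    print("CWD-relative candidates after fix: ", cwd_relative_candidates("Xcursor", True))
```

Running the block shows the plugin lookup picking the file in `untrusted_cwd` before the fix and the one under `plugins` after it, and for the bare library name `Xcursor` a single CWD-relative candidate, `haswell/libXcursor.so`, before the fix and none after it, while an explicit `lib/foo` still yields `lib/haswell/libfoo.so` in both cases, which is the behaviour the patch Description describes.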
-- https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-kde-talk
