Hi!

On Thu, 30 Jan 2020 at 12:37, Moritz Mühlenhoff <[email protected]> wrote:
>
> On Thu, Jan 30, 2020 at 12:19:31PM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> > Hi!
> >
> > On Thu, 30 Jan 2020 at 11:44, Moritz Mühlenhoff <[email protected]> wrote:
> > >
> > > On Thu, Jan 30, 2020 at 11:25:02AM -0300, Lisandro Damián Nicanor Pérez Meyer wrote:
> > > > Hi! Two security bugs were found in qtbase-opensource-src:
> > > >
> > > > https://lists.qt-project.org/pipermail/development/2020-January/038521.html
> > > >
> > > > Please note that the attached debdiff is made against the current version in
> > > > buster p-u, already accepted by SRM.
> > >
> > > Hi Lisandro,
> > > debdiff looks good, please upload to security-master!
> >
> > Do I need to do a binary upload or is source-only enough? (apart from
> > including the source in the upload, first security upload if I'm not
> > mistaken).
>
> Ack, source uploads are fine for stretch (for the first upload to a security
> suite -sa is needed, but that already happened for 5.7.1+dfsg-3+deb9u1)

Ah, excellent, so I'll do source-only uploads for both buster and stretch.

> > > Stretch is still supported for another ~ half year, could you also prepare
> > > a stretch-security update for CVE-2020-0569?
> >
> > Sure. I'll also see to preparing a qt4-x11 upload too. I might even do
> > an unstable one...
>
> Let's not waste time on additional sid uploads for Qt4, the big RM hammer
> is coming in a month anyway :-)

OK :-) I might keep it fixed just in case nonetheless...

I'm attaching the stretch debdiff.

-- 
Lisandro Damián Nicanor Pérez Meyer
http://perezmeyer.com.ar/
http://perezmeyer.blogspot.com/
diff -Nru qtbase-opensource-src-5.7.1+dfsg/debian/changelog qtbase-opensource-src-5.7.1+dfsg/debian/changelog --- qtbase-opensource-src-5.7.1+dfsg/debian/changelog 2019-01-25 11:11:01.000000000 -0300 +++ qtbase-opensource-src-5.7.1+dfsg/debian/changelog 2020-01-30 12:33:15.000000000 -0300 @@ -1,3 +1,9 @@ +qtbase-opensource-src (5.7.1+dfsg-3+deb9u2) stretch-security; urgency=high + + * Backport fix for CVE-2020-0569: Do not load plugin from the CWD. + + -- Lisandro Damián Nicanor Pérez Meyer <[email protected]> Thu, 30 Jan 2020 12:33:15 -0300 + qtbase-opensource-src (5.7.1+dfsg-3+deb9u1) stretch-security; urgency=medium * Backport fixes for: diff -Nru qtbase-opensource-src-5.7.1+dfsg/debian/patches/CVE-2020-0569.diff qtbase-opensource-src-5.7.1+dfsg/debian/patches/CVE-2020-0569.diff --- qtbase-opensource-src-5.7.1+dfsg/debian/patches/CVE-2020-0569.diff 1969-12-31 21:00:00.000000000 -0300 +++ qtbase-opensource-src-5.7.1+dfsg/debian/patches/CVE-2020-0569.diff 2020-01-30 12:28:55.000000000 -0300 @@ -0,0 +1,18 @@ +Description: do not load plugin from the $PWD +Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b340 +Last-Update: 2020-01-30 + +--- + src/corelib/plugin/qpluginloader.cpp | 1 - + 1 file changed, 1 deletion(-) + +--- a/src/corelib/plugin/qpluginloader.cpp ++++ b/src/corelib/plugin/qpluginloader.cpp +@@ -304,7 +304,6 @@ static QString locatePlugin(const QStrin + paths.append(fileName.left(slash)); // don't include the '/' + } else { + paths = QCoreApplication::libraryPaths(); +- paths.prepend(QStringLiteral(".")); // search in current dir first + } + + for (const QString &path : qAsConst(paths)) { diff -Nru qtbase-opensource-src-5.7.1+dfsg/debian/patches/series qtbase-opensource-src-5.7.1+dfsg/debian/patches/series --- qtbase-opensource-src-5.7.1+dfsg/debian/patches/series 2019-01-25 11:10:32.000000000 -0300 +++ qtbase-opensource-src-5.7.1+dfsg/debian/patches/series 2020-01-30 12:27:39.000000000 -0300 
@@ -10,6 +10,7 @@ CVE-2018-19870.patch CVE-2018-19873.patch ensure_pixel_density_of_at_least_1.patch +CVE-2020-0569.diff # Debian specific. no_dbus_dependency.diff
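Review bot: the debian/changelog entry for 5.7.1+dfsg-3+deb9u2 says only "Do not load plugin from the CWD." and carries no bug reference; since this is a stretch-security upload with urgency=high, please add the Debian bug number if one was filed (a "Closes:" line) and spell out the user-visible effect, e.g. "Backport fix for CVE-2020-0569: QPluginLoader no longer searches the current working directory for plugins given by bare file name", so that anyone reading the security tracker later can tell what changed without opening the patch.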
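Review bot: in the qpluginloader.cpp hunk of CVE-2020-0569.diff, dropping `paths.prepend(QStringLiteral(".")); // search in current dir first` is the whole fix, and it is correct for the stated goal, but note that this `else` branch is only reached when `fileName` contains no '/', so the change is a behaviour change for every caller that passes a bare plugin name and relied on it resolving relative to the working directory: after this patch such a name is looked up only in `QCoreApplication::libraryPaths()` and silently fails if it is not there. That is the intended hardening, but it belongs in debian/NEWS or at least the changelog so that maintainers of reverse dependencies in stretch know why a plugin stopped loading. Two small DEP-3 points on the header: the Origin field quotes an abbreviated commit id (`bf131e8d2181b340`); please use the full hash so the reference stays unambiguous, and add a `Bug:`/`Bug-Debian:` line if a bug exists. The `Description:` text says `$PWD` while the changelog says `CWD`; pick one wording.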
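Review bot: in the debian/patches/series hunk the new entry is named `CVE-2020-0569.diff`, whereas the neighbouring CVE fixes in the same file use the `.patch` suffix (`CVE-2018-19870.patch`, `CVE-2018-19873.patch`); renaming it to `CVE-2020-0569.patch` keeps the series consistent and makes `ls debian/patches/CVE-*.patch` pick it up. The placement itself, after the upstream backports and before the `# Debian specific.` block, is the right spot.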
-- https://alioth-lists.debian.net/cgi-bin/mailman/listinfo/pkg-kde-talk
