* [Buildroot] [PATCH v1 1/2] package/qt5base: add patch to fix CVE-2020-0569 for LTS
@ 2020-01-30 21:13 Peter Seiderer
2020-01-30 21:13 ` [Buildroot] [PATCH v1 2/2] package/qt5base: add patches to fix CVE-2020-0569 and CVE-2020-0570 for latest Peter Seiderer
` (2 more replies)
0 siblings, 3 replies; 8+ messages in thread
From: Peter Seiderer @ 2020-01-30 21:13 UTC (permalink / raw)
To: buildroot
Add upstream patch to fix CVE-2020-0569 for LTS version
(see [1] for details).
[1] https://www.openwall.com/lists/oss-security/2020/01/30/1
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
...0005-Do-not-load-plugin-from-the-PWD.patch | 32 +++++++++++++++++++
1 file changed, 32 insertions(+)
create mode 100644 package/qt5/qt5base/5.6.3/0005-Do-not-load-plugin-from-the-PWD.patch
diff --git a/package/qt5/qt5base/5.6.3/0005-Do-not-load-plugin-from-the-PWD.patch b/package/qt5/qt5base/5.6.3/0005-Do-not-load-plugin-from-the-PWD.patch
new file mode 100644
index 0000000000..4acd42f005
--- /dev/null
+++ b/package/qt5/qt5base/5.6.3/0005-Do-not-load-plugin-from-the-PWD.patch
@@ -0,0 +1,32 @@
+From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001
+From: Olivier Goffart <ogoffart@woboq.com>
+Date: Fri, 8 Nov 2019 11:30:40 +0100
+Subject: [PATCH] Do not load plugin from the $PWD
+
+I see no reason why this would make sense to look for plugins in the current
+directory. And when there are plugins there, it may actually be wrong
+
+Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+
+Upstream: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+---
+ src/corelib/plugin/qpluginloader.cpp | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
+index cadff4f32b..c2443dbdda 100644
+--- a/src/corelib/plugin/qpluginloader.cpp
++++ b/src/corelib/plugin/qpluginloader.cpp
+@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName)
+ paths.append(fileName.left(slash)); // don't include the '/'
+ } else {
+ paths = QCoreApplication::libraryPaths();
+- paths.prepend(QStringLiteral(".")); // search in current dir first
+ }
+
+ for (const QString &path : qAsConst(paths)) {
+--
+2.25.0
+
--
2.25.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v1 2/2] package/qt5base: add patches to fix CVE-2020-0569 and CVE-2020-0570 for latest
2020-01-30 21:13 [Buildroot] [PATCH v1 1/2] package/qt5base: add patch to fix CVE-2020-0569 for LTS Peter Seiderer
@ 2020-01-30 21:13 ` Peter Seiderer
2020-02-01 22:44 ` Peter Korsgaard
2020-03-07 20:17 ` Peter Korsgaard
2020-02-01 22:43 ` [Buildroot] [PATCH v1 1/2] package/qt5base: add patch to fix CVE-2020-0569 for LTS Peter Korsgaard
2020-03-07 20:17 ` Peter Korsgaard
2 siblings, 2 replies; 8+ messages in thread
From: Peter Seiderer @ 2020-01-30 21:13 UTC (permalink / raw)
To: buildroot
Add upstream patches to fix CVE-2020-0569 and CVE-2020-0570 for
latest qt version (for details see [1]).
[1] https://www.openwall.com/lists/oss-security/2020/01/30/1
Signed-off-by: Peter Seiderer <ps.report@gmx.net>
---
...0003-Do-not-load-plugin-from-the-PWD.patch | 32 ++++++++++
...-not-attempt-to-load-a-library-relat.patch | 59 +++++++++++++++++++
2 files changed, 91 insertions(+)
create mode 100644 package/qt5/qt5base/5.12.5/0003-Do-not-load-plugin-from-the-PWD.patch
create mode 100644 package/qt5/qt5base/5.12.5/0004-QLibrary-Unix-do-not-attempt-to-load-a-library-relat.patch
diff --git a/package/qt5/qt5base/5.12.5/0003-Do-not-load-plugin-from-the-PWD.patch b/package/qt5/qt5base/5.12.5/0003-Do-not-load-plugin-from-the-PWD.patch
new file mode 100644
index 0000000000..4acd42f005
--- /dev/null
+++ b/package/qt5/qt5base/5.12.5/0003-Do-not-load-plugin-from-the-PWD.patch
@@ -0,0 +1,32 @@
+From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001
+From: Olivier Goffart <ogoffart@woboq.com>
+Date: Fri, 8 Nov 2019 11:30:40 +0100
+Subject: [PATCH] Do not load plugin from the $PWD
+
+I see no reason why this would make sense to look for plugins in the current
+directory. And when there are plugins there, it may actually be wrong
+
+Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+
+Upstream: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+---
+ src/corelib/plugin/qpluginloader.cpp | 1 -
+ 1 file changed, 1 deletion(-)
+
+diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
+index cadff4f32b..c2443dbdda 100644
+--- a/src/corelib/plugin/qpluginloader.cpp
++++ b/src/corelib/plugin/qpluginloader.cpp
+@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName)
+ paths.append(fileName.left(slash)); // don't include the '/'
+ } else {
+ paths = QCoreApplication::libraryPaths();
+- paths.prepend(QStringLiteral(".")); // search in current dir first
+ }
+
+ for (const QString &path : qAsConst(paths)) {
+--
+2.25.0
+
diff --git a/package/qt5/qt5base/5.12.5/0004-QLibrary-Unix-do-not-attempt-to-load-a-library-relat.patch b/package/qt5/qt5base/5.12.5/0004-QLibrary-Unix-do-not-attempt-to-load-a-library-relat.patch
new file mode 100644
index 0000000000..5004851a71
--- /dev/null
+++ b/package/qt5/qt5base/5.12.5/0004-QLibrary-Unix-do-not-attempt-to-load-a-library-relat.patch
@@ -0,0 +1,59 @@
+From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001
+From: Thiago Macieira <thiago.macieira@intel.com>
+Date: Fri, 10 Jan 2020 09:26:27 -0800
+Subject: [PATCH] QLibrary/Unix: do not attempt to load a library relative to
+ $PWD
+
+I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
+find libraries in a haswell/ subdir of the main path, but we only need
+to do that transformation if the library is contains at least one
+directory seprator. That is, if the user asks to load "lib/foo", then we
+should try "lib/haswell/foo" (often, the path prefix will be absolute).
+
+When the library name the user requested has no directory separators, we
+let dlopen() do the transformation for us. Testing on Linux confirms
+glibc does so:
+
+$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor
+ 1972475: find library=libXcursor.so.1 [0]; searching
+ 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
+ 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1
+ 1972475: trying file=/usr/lib64/libXcursor.so.1
+ 1972475: calling init: /usr/lib64/libXcursor.so.1
+ 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0]
+
+Fixes: QTBUG-81272
+Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+
+Upstream: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd
+Signed-off-by: Peter Seiderer <ps.report@gmx.net>
+---
+ src/corelib/plugin/qlibrary_unix.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
+index f0de1010d7..135b82cd37 100644
+--- a/src/corelib/plugin/qlibrary_unix.cpp
++++ b/src/corelib/plugin/qlibrary_unix.cpp
+@@ -1,7 +1,7 @@
+ /****************************************************************************
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2018 Intel Corporation
++** Copyright (C) 2020 Intel Corporation
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys()
+ for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
+ if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
+ continue;
++ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
++ continue;
+ if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
+ continue;
+ if (loadHints & QLibrary::LoadArchiveMemberHint) {
+--
+2.25.0
+
--
2.25.0
^ permalink raw reply related [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v1 1/2] package/qt5base: add patch to fix CVE-2020-0569 for LTS
2020-01-30 21:13 [Buildroot] [PATCH v1 1/2] package/qt5base: add patch to fix CVE-2020-0569 for LTS Peter Seiderer
2020-01-30 21:13 ` [Buildroot] [PATCH v1 2/2] package/qt5base: add patches to fix CVE-2020-0569 and CVE-2020-0570 for latest Peter Seiderer
@ 2020-02-01 22:43 ` Peter Korsgaard
2020-03-07 20:17 ` Peter Korsgaard
2 siblings, 0 replies; 8+ messages in thread
From: Peter Korsgaard @ 2020-02-01 22:43 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes:
> Add upstream patch to fix CVE-2020-0569 for LTS version
> (see [1] for details).
> [1] https://www.openwall.com/lists/oss-security/2020/01/30/1
> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Committed after extending the commit message a bit, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v1 2/2] package/qt5base: add patches to fix CVE-2020-0569 and CVE-2020-0570 for latest
2020-01-30 21:13 ` [Buildroot] [PATCH v1 2/2] package/qt5base: add patches to fix CVE-2020-0569 and CVE-2020-0570 for latest Peter Seiderer
@ 2020-02-01 22:44 ` Peter Korsgaard
2020-02-02 8:48 ` Peter Seiderer
2020-03-07 20:17 ` Peter Korsgaard
1 sibling, 1 reply; 8+ messages in thread
From: Peter Korsgaard @ 2020-02-01 22:44 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes:
> Add upstream patches to fix CVE-2020-0569 and CVE-2020-0570 for
> latest qt version (for details see [1]).
> [1] https://www.openwall.com/lists/oss-security/2020/01/30/1
> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Committed after extending the commit message a bit, thanks.
I see from the advisory that there is a 5.12.7 version with this fix
included. Any specific reason why we don't bump the version instead?
https://download.qt.io/archive/qt/5.12/5.12.7/
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v1 2/2] package/qt5base: add patches to fix CVE-2020-0569 and CVE-2020-0570 for latest
2020-02-01 22:44 ` Peter Korsgaard
@ 2020-02-02 8:48 ` Peter Seiderer
2020-02-02 13:27 ` Peter Korsgaard
0 siblings, 1 reply; 8+ messages in thread
From: Peter Seiderer @ 2020-02-02 8:48 UTC (permalink / raw)
To: buildroot
Hello Peter,
On Sat, 01 Feb 2020 23:44:26 +0100, Peter Korsgaard <peter@korsgaard.com> wrote:
> >>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes:
>
> > Add upstream patches to fix CVE-2020-0569 and CVE-2020-0570 for
> > latest qt version (for details see [1]).
>
> > [1] https://www.openwall.com/lists/oss-security/2020/01/30/1
>
> > Signed-off-by: Peter Seiderer <ps.report@gmx.net>
>
> Committed after extending the commit message a bit, thanks.
>
> I see from the advisory that there is a 5.12.7 version with this fix
> included. Any specific reason why we don't bump the version instead?
Because the advisory states 'fixed 5.12.7 (future)'...
>
> https://download.qt.io/archive/qt/5.12/5.12.7/
>
...and the version is only available since two days (and the sha256 sums only since
yesterday)..., but version bump patch will follow soon ;-)
Regards,
Peter
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v1 2/2] package/qt5base: add patches to fix CVE-2020-0569 and CVE-2020-0570 for latest
2020-02-02 8:48 ` Peter Seiderer
@ 2020-02-02 13:27 ` Peter Korsgaard
0 siblings, 0 replies; 8+ messages in thread
From: Peter Korsgaard @ 2020-02-02 13:27 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes:
Hi,
>> https://download.qt.io/archive/qt/5.12/5.12.7/
> ...and the version is only available since two days (and the sha256 sums only since
> yesterday)..., but version bump patch will follow soon ;-)
Great, thanks!
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v1 1/2] package/qt5base: add patch to fix CVE-2020-0569 for LTS
2020-01-30 21:13 [Buildroot] [PATCH v1 1/2] package/qt5base: add patch to fix CVE-2020-0569 for LTS Peter Seiderer
2020-01-30 21:13 ` [Buildroot] [PATCH v1 2/2] package/qt5base: add patches to fix CVE-2020-0569 and CVE-2020-0570 for latest Peter Seiderer
2020-02-01 22:43 ` [Buildroot] [PATCH v1 1/2] package/qt5base: add patch to fix CVE-2020-0569 for LTS Peter Korsgaard
@ 2020-03-07 20:17 ` Peter Korsgaard
2 siblings, 0 replies; 8+ messages in thread
From: Peter Korsgaard @ 2020-03-07 20:17 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes:
> Add upstream patch to fix CVE-2020-0569 for LTS version
> (see [1] for details).
> [1] https://www.openwall.com/lists/oss-security/2020/01/30/1
> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Committed to 2019.11.x, thanks.
> ---
> ...0005-Do-not-load-plugin-from-the-PWD.patch | 32 +++++++++++++++++++
> 1 file changed, 32 insertions(+)
> create mode 100644 package/qt5/qt5base/5.6.3/0005-Do-not-load-plugin-from-the-PWD.patch
> diff --git
> a/package/qt5/qt5base/5.6.3/0005-Do-not-load-plugin-from-the-PWD.patch
> b/package/qt5/qt5base/5.6.3/0005-Do-not-load-plugin-from-the-PWD.patch
> new file mode 100644
> index 0000000000..4acd42f005
> --- /dev/null
> +++ b/package/qt5/qt5base/5.6.3/0005-Do-not-load-plugin-from-the-PWD.patch
> @@ -0,0 +1,32 @@
> +From bf131e8d2181b3404f5293546ed390999f760404 Mon Sep 17 00:00:00 2001
> +From: Olivier Goffart <ogoffart@woboq.com>
> +Date: Fri, 8 Nov 2019 11:30:40 +0100
> +Subject: [PATCH] Do not load plugin from the $PWD
> +
> +I see no reason why this would make sense to look for plugins in the current
> +directory. And when there are plugins there, it may actually be wrong
> +
> +Change-Id: I5f5aa168021fedddafce90effde0d5762cd0c4c5
> +Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
> +
> +Upstream: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404
> +Signed-off-by: Peter Seiderer <ps.report@gmx.net>
> +---
> + src/corelib/plugin/qpluginloader.cpp | 1 -
> + 1 file changed, 1 deletion(-)
> +
> +diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
> +index cadff4f32b..c2443dbdda 100644
> +--- a/src/corelib/plugin/qpluginloader.cpp
> ++++ b/src/corelib/plugin/qpluginloader.cpp
> +@@ -305,7 +305,6 @@ static QString locatePlugin(const QString& fileName)
> + paths.append(fileName.left(slash)); // don't include the '/'
> + } else {
> + paths = QCoreApplication::libraryPaths();
> +- paths.prepend(QStringLiteral(".")); // search in current dir first
> + }
> +
> + for (const QString &path : qAsConst(paths)) {
> +--
> +2.25.0
> +
> --
> 2.25.0
> _______________________________________________
> buildroot mailing list
> buildroot at busybox.net
> http://lists.busybox.net/mailman/listinfo/buildroot
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 8+ messages in thread
* [Buildroot] [PATCH v1 2/2] package/qt5base: add patches to fix CVE-2020-0569 and CVE-2020-0570 for latest
2020-01-30 21:13 ` [Buildroot] [PATCH v1 2/2] package/qt5base: add patches to fix CVE-2020-0569 and CVE-2020-0570 for latest Peter Seiderer
2020-02-01 22:44 ` Peter Korsgaard
@ 2020-03-07 20:17 ` Peter Korsgaard
1 sibling, 0 replies; 8+ messages in thread
From: Peter Korsgaard @ 2020-03-07 20:17 UTC (permalink / raw)
To: buildroot
>>>>> "Peter" == Peter Seiderer <ps.report@gmx.net> writes:
> Add upstream patches to fix CVE-2020-0569 and CVE-2020-0570 for
> latest qt version (for details see [1]).
> [1] https://www.openwall.com/lists/oss-security/2020/01/30/1
> Signed-off-by: Peter Seiderer <ps.report@gmx.net>
Committed to 2019.11.x, thanks.
--
Bye, Peter Korsgaard
^ permalink raw reply [flat|nested] 8+ messages in thread
end of thread, other threads:[~2020-03-07 20:17 UTC | newest]
Thread overview: 8+ messages (download: mbox.gz / follow: Atom feed)
-- links below jump to the message on this page --
2020-01-30 21:13 [Buildroot] [PATCH v1 1/2] package/qt5base: add patch to fix CVE-2020-0569 for LTS Peter Seiderer
2020-01-30 21:13 ` [Buildroot] [PATCH v1 2/2] package/qt5base: add patches to fix CVE-2020-0569 and CVE-2020-0570 for latest Peter Seiderer
2020-02-01 22:44 ` Peter Korsgaard
2020-02-02 8:48 ` Peter Seiderer
2020-02-02 13:27 ` Peter Korsgaard
2020-03-07 20:17 ` Peter Korsgaard
2020-02-01 22:43 ` [Buildroot] [PATCH v1 1/2] package/qt5base: add patch to fix CVE-2020-0569 for LTS Peter Korsgaard
2020-03-07 20:17 ` Peter Korsgaard
This is an external index of several public inboxes,
see mirroring instructions on how to clone and mirror
all data and code used by this external index.