summaryrefslogtreecommitdiff
path: root/user/qt5-qtbase/CVE-2020-0570.patch
diff options
context:
space:
mode:
authorA. Wilcox <awilcox@wilcox-tech.com>2020-04-05 03:53:24 +0000
committerA. Wilcox <awilcox@wilcox-tech.com>2020-04-05 03:53:24 +0000
commit32c4884ced79362bb0f24585f523ed5ff04daade (patch)
tree49cd897810543f2eb86f8656416e8ccb61679108 /user/qt5-qtbase/CVE-2020-0570.patch
parent2ce327f2b426d3d8f44e1b5ae7dcdab70248a2d3 (diff)
parent0401ed06b3057dd45a935b9a82acc7980a064abe (diff)
downloadpackages-32c4884ced79362bb0f24585f523ed5ff04daade.tar.gz
packages-32c4884ced79362bb0f24585f523ed5ff04daade.tar.bz2
packages-32c4884ced79362bb0f24585f523ed5ff04daade.tar.xz
packages-32c4884ced79362bb0f24585f523ed5ff04daade.zip
Merge branch 'sec/2020.03.29' into 'master'
Security updates for 2020.03.29 See merge request adelie/packages!419
Diffstat (limited to 'user/qt5-qtbase/CVE-2020-0570.patch')
-rw-r--r--user/qt5-qtbase/CVE-2020-0570.patch55
1 files changed, 55 insertions, 0 deletions
diff --git a/user/qt5-qtbase/CVE-2020-0570.patch b/user/qt5-qtbase/CVE-2020-0570.patch
new file mode 100644
index 000000000..dcf507c0d
--- /dev/null
+++ b/user/qt5-qtbase/CVE-2020-0570.patch
@@ -0,0 +1,55 @@
+From e6f1fde24f77f63fb16b2df239f82a89d2bf05dd Mon Sep 17 00:00:00 2001
+From: Thiago Macieira <thiago.macieira@intel.com>
+Date: Fri, 10 Jan 2020 09:26:27 -0800
+Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD
+
+I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
+find libraries in a haswell/ subdir of the main path, but we only need
+to do that transformation if the library is contains at least one
+directory seprator. That is, if the user asks to load "lib/foo", then we
+should try "lib/haswell/foo" (often, the path prefix will be absolute).
+
+When the library name the user requested has no directory separators, we
+let dlopen() do the transformation for us. Testing on Linux confirms
+glibc does so:
+
+$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor
+ 1972475: find library=libXcursor.so.1 [0]; searching
+ 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
+ 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1
+ 1972475: trying file=/usr/lib64/libXcursor.so.1
+ 1972475: calling init: /usr/lib64/libXcursor.so.1
+ 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0]
+
+Fixes: QTBUG-81272
+Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+---
+ src/corelib/plugin/qlibrary_unix.cpp | 4 +++-
+ 1 file changed, 3 insertions(+), 1 deletion(-)
+
+diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
+index f0de1010d7..135b82cd37 100644
+--- a/src/corelib/plugin/qlibrary_unix.cpp
++++ b/src/corelib/plugin/qlibrary_unix.cpp
+@@ -1,7 +1,7 @@
+ /****************************************************************************
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2018 Intel Corporation
++** Copyright (C) 2020 Intel Corporation
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys()
+ for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
+ if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
+ continue;
++ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
++ continue;
+ if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
+ continue;
+ if (loadHints & QLibrary::LoadArchiveMemberHint) {
+--
+cgit v1.2.1
+