From ${URL} :

The Qt security team was made aware of two issues affecting the currently-released versions of Qt that could lead to loading of untrusted plugins, which can execute code immediately upon loading. We have assigned two IDs for them. The patches fixing those issues are linked to below.

Issue 1) CVE-2020-0569
Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
* Vendor: Qt Project
* Product: Qt
* Versions affected: 5.0.0 to 5.13.2
* Versions fixed: 5.14.0 (already released), 5.12.7, 5.9.10 (future)
* Issue: local attack, loading and execution of untrusted code
* Scope: class QPluginLoader (qtbase/src/corelib/plugin/qpluginloader.cpp)
* Description: QPluginLoader in Qt versions 5.0.0 through 5.13.2 would search for certain plugins first on the current working directory of the application, which allows an attacker that can place files in the file system and influence the working directory of Qt-based applications to load and execute malicious code. This issue was verified on macOS and Linux and probably affects all other Unix operating systems. This issue does not affect Windows.

Patches:
- 5.6.0 through 5.13.2: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404
- 5.0.0 through 5.5.1: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=5c4234ed958130d655df8197129806f687d4df0d

Issue 2) CVE-2020-0570
Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
* Vendor: Qt Project
* Product: Qt
* Versions affected: 5.12.0 through 5.14.0
* Versions fixed: 5.14.1 (released), 5.12.7, 5.9.10 (future)
* Issue: local attack, loading and execution of untrusted code
* Scope: class QLibrary (qtbase/src/corelib/plugin)
* Reference: https://bugreports.qt.io/browse/QTBUG-81272
* Description: QLibrary in Qt versions 5.12.0 through 5.14.0, on certain x86 machines, would search for certain libraries and plugins relative to current working directory of the application, which allows an attacker that can place files in the file system and influence the working directory of Qt-based applications to load and execute malicious code. This issue was verified on Linux and probably affects all Unix operating systems, other than macOS (Darwin). This issue does not affect Windows.

Patch: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd

@maintainer(s): since the fixed package is already in the tree, please let us know if it is ready for the stabilization or not.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2130279f2fa917a2e5ee9a29cd8413b39484897a

commit 2130279f2fa917a2e5ee9a29cd8413b39484897a
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-02-02 18:50:59 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-02-02 23:23:54 +0000

    dev-qt/qtcore: Fix CVE-2020-0569 and CVE-2020-0570

    Bug: https://bugs.gentoo.org/707354
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../qtcore/files/qtcore-5.12.3-CVE-2020-0569.patch | 28 +++++++
 .../qtcore/files/qtcore-5.12.3-CVE-2020-0570.patch | 54 +++++++++++++
 dev-qt/qtcore/qtcore-5.12.3-r2.ebuild              | 90 ++++++++++++++++++++++
 dev-qt/qtcore/qtcore-5.13.2-r2.ebuild              | 89 +++++++++++++++++++++
 4 files changed, 261 insertions(+)

Arches please stabilise.
amd64 stable
ppc64 stable

Looking good on ppc. rdep cmake fails (bug #708402).

# cat qtcore-707354.report
USE tests started on Mi 5. Feb 18:12:34 CET 2020
FEATURES=' test' USE='' succeeded for =dev-qt/qtcore-5.13.2-r2
USE='-icu -systemd' succeeded for =dev-qt/qtcore-5.13.2-r2
USE='icu -systemd' succeeded for =dev-qt/qtcore-5.13.2-r2
USE='-icu systemd' succeeded for =dev-qt/qtcore-5.13.2-r2
USE='icu systemd' succeeded for =dev-qt/qtcore-5.13.2-r2
revdep tests started on Mi 5. Feb 21:38:20 CET 2020
FEATURES=' test' USE='qt5' succeeded for app-text/highlight
FEATURES=' test' USE='' succeeded for dev-qt/qtwebkit
FEATURES=' test' USE='configuration_tool' succeeded for app-i18n/fcitx-rime
USE='qt5' FEATURES=' test' failed for dev-util/cmake
FEATURES=' test' USE='' succeeded for dev-qt/qtdbus
FEATURES=' test' USE='qt5' succeeded for x11-themes/qtcurve
FEATURES=' test' USE='' succeeded for dev-qt/qtdeclarative
FEATURES=' test' USE='qt5' succeeded for media-libs/libprojectm
FEATURES=' test' USE='' succeeded for x11-libs/qscintilla
FEATURES=' test' USE='qt5' succeeded for media-libs/openal

ppc stable thanks to ernsteiswuerfel!
x86 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9447476d1a2484ec8da6c19f9f91dad84d3b699

commit f9447476d1a2484ec8da6c19f9f91dad84d3b699
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-02-08 14:16:05 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-02-08 21:34:22 +0000

    dev-qt/qtcore: Drop vulnerable 5.12.3-r1

    Bug: https://bugs.gentoo.org/707354
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtcore/qtcore-5.12.3-r1.ebuild | 86 -----------------------------------
 1 file changed, 86 deletions(-)

arm stable
ping arm64
arm64 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27f4c18fdb5d9a16e1163d9b0a24aac11163b85a

commit 27f4c18fdb5d9a16e1163d9b0a24aac11163b85a
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-03-17 12:46:28 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-03-17 12:49:45 +0000

    dev-qt/qtcore: Drop vulnerable 5.13.2-r1

    Bug: https://bugs.gentoo.org/707354
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtcore/qtcore-5.13.2-r1.ebuild | 84 -----------------------------------
 1 file changed, 84 deletions(-)

Tree is clean.
New GLSA request filed.
This issue was resolved and addressed in GLSA 202003-60 at https://security.gentoo.org/glsa/202003-60 by GLSA coordinator Thomas Deutschmann (whissi).
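
Added example (not part of the bug report and not Qt or Gentoo tooling): a triage helper that maps a Qt version string to the CVEs from the advisory above that are still open, using the affected and fixed versions quoted there. With gentoo=True it also treats dev-qt/qtcore 5.12.3-r2 and 5.13.2-r2 as patched, as the commits in this thread indicate; the function names and the gentoo flag are assumptions of the example.

```python
import re

# Affected ranges and per-branch fixed releases, as quoted in the advisory above.
ADVISORY = {
    "CVE-2020-0569": {"affected": ((5, 0, 0), (5, 13, 2)),
                      "fixed_in_branch": {(5, 12): 7, (5, 9): 10}},
    "CVE-2020-0570": {"affected": ((5, 12, 0), (5, 14, 0)),
                      "fixed_in_branch": {(5, 12): 7, (5, 9): 10}},
}

# Gentoo dev-qt/qtcore revisions that carry the backported patches
# (the -r2 ebuilds added in this thread; the -r1 ebuilds were dropped as vulnerable).
GENTOO_PATCHED = {(5, 12, 3): 2, (5, 13, 2): 2}

_PV = re.compile(r"^(\d+)\.(\d+)\.(\d+)(?:-r(\d+))?$")


def parse_pv(pv):
    """Split 'X.Y.Z' or 'X.Y.Z-rN' into ((X, Y, Z), N); N is 0 without a revision."""
    m = _PV.match(pv.strip())
    if not m:
        raise ValueError(f"unrecognised version string: {pv!r}")
    major, minor, patch, rev = m.groups()
    return (int(major), int(minor), int(patch)), int(rev or 0)


def open_cves(pv, gentoo=False):
    """Return the advisory's CVE ids that still apply to this version.

    Platform conditions from the advisory (Unix only, 'certain x86 machines'
    for CVE-2020-0570) are not modelled here.
    """
    version, rev = parse_pv(pv)
    # A distro backport keeps the upstream version number, so the revision decides.
    if gentoo and rev >= GENTOO_PATCHED.get(version, float("inf")):
        return []
    still_open = []
    for cve, info in ADVISORY.items():
        low, high = info["affected"]
        if not low <= version <= high:
            continue
        fixed_patch = info["fixed_in_branch"].get(version[:2])
        if fixed_patch is not None and version[2] >= fixed_patch:
            continue  # point release on a maintained branch that has the fix
        still_open.append(cve)
    return still_open
```

Comparing upstream version numbers alone reports 5.12.3-r2 as vulnerable, which is why the revision has to be taken into account on a distribution that backports fixes.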