Bug 707354 (CVE-2020-0569, CVE-2020-0570) - <dev-qt/qtcore-{5.12.3-r2,5.13.2-r2}: Multiple vulnerabilities (CVE-2020-{0569,0570})
Status: RESOLVED FIXED
Alias: CVE-2020-0569, CVE-2020-0570
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal normal
Assignee: Gentoo Security
URL: https://www.openwall.com/lists/oss-se...
Whiteboard: B2 [glsa+ cve]
Keywords:
Depends on:
Blocks:
 
Reported: 2020-01-30 08:44 UTC by Agostino Sarubbo
Modified: 2020-03-26 18:53 UTC

See Also:
Package list:
dev-qt/qtcore-5.12.3-r2 x86
dev-qt/qtcore-5.13.2-r2 amd64 arm arm64 ppc ppc64
Runtime testing required: ---
stable-bot: sanity-check+


Description Agostino Sarubbo gentoo-dev 2020-01-30 08:44:09 UTC
From ${URL} :

The Qt security team was made aware of two issues affecting the
currently-released versions of Qt that could lead to loading of untrusted
plugins, which can execute code immediately upon loading. We have assigned two
IDs for them. The patches fixing those issues are linked to below.

Issue 1) CVE-2020-0569
Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
* Vendor: Qt Project
* Product: Qt
* Versions affected: 5.0.0 to 5.13.2
* Versions fixed: 5.14.0 (already released), 5.12.7, 5.9.10 (future)
* Issue: local attack, loading and execution of untrusted code
* Scope: class QPluginLoader (qtbase/src/corelib/plugin/qpluginloader.cpp)
* Description:
QPluginLoader in Qt versions 5.0.0 through 5.13.2 would search for certain 
plugins first on the current working directory of the application, which 
allows an attacker that can place files in the file system and influence the 
working directory of Qt-based applications to load and execute malicious code. 
This issue was verified on macOS and Linux and probably affects all other Unix 
operating systems. This issue does not affect Windows.

Patches:
- 5.6.0 through 5.13.2: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404
- 5.0.0 through 5.5.1: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=5c4234ed958130d655df8197129806f687d4df0d

Issue 2) CVE-2020-0570
Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
* Vendor: Qt Project
* Product: Qt
* Versions affected: 5.12.0 through 5.14.0
* Versions fixed: 5.14.1 (released), 5.12.7, 5.9.10 (future)
* Issue: local attack, loading and execution of untrusted code
* Scope: class QLibrary (qtbase/src/corelib/plugin)
* Reference: https://bugreports.qt.io/browse/QTBUG-81272
* Description:
QLibrary in Qt versions 5.12.0 through 5.14.0, on certain x86 machines, would 
search for certain libraries and plugins relative to current working directory 
of the application, which allows an attacker that can place files in the file 
system and influence the working directory of Qt-based applications to load 
and execute malicious code. This issue was verified on Linux and probably 
affects all Unix operating systems, other than macOS (Darwin). This issue does 
not affect Windows.

Patch: https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd


@maintainer(s): since the fixed package is already in the tree, please let us know whether it is ready for stabilization.
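
Both issues above come down to a shared object being loaded from the application's working directory. The following Python check, an added example that is not part of the Qt advisory or of this bug, parses `/proc/<pid>/maps` and lists executable file mappings that a Linux process has loaded from below its own cwd. The trusted prefixes, the sample maps text, the file names in it and all function names are assumptions made for the example.

```python
import os
import posixpath

# Assumption: directories treated as trusted library locations on this host.
TRUSTED_PREFIXES = ("/usr/", "/lib/", "/lib64/")

# Constructed /proc/<pid>/maps excerpt (not captured from a real system).
SAMPLE_MAPS = """\
55d0c0a00000-55d0c0a21000 r-xp 00000000 08:01 1311 /usr/bin/exampleapp
7f1c2a000000-7f1c2a5d0000 r-xp 00000000 08:01 2022 /usr/lib64/libQt5Core.so.5.13.2
7f1c2b000000-7f1c2b010000 r-xp 00000000 08:01 9001 /home/user/Downloads/plugins/libexample_plugin.so
7f1c2b200000-7f1c2b210000 r--p 00000000 08:01 9002 /home/user/Downloads/notes.txt
7f1c2c000000-7f1c2c021000 rw-p 00000000 00:00 0
"""

def libs_under_cwd(maps_text, cwd, exe=""):
    """Return sorted executable file mappings located under the process cwd."""
    cwd = posixpath.normpath(cwd)
    if cwd == "/":
        return []  # everything is below "/", so the check carries no signal
    hits = set()
    for line in maps_text.splitlines():
        # Fields: address perms offset dev inode [pathname]
        fields = line.split(None, 5)
        if len(fields) < 6 or not fields[5].startswith("/"):
            continue  # anonymous or pseudo mapping such as [heap]
        perms, path = fields[1], fields[5]
        if path.endswith(" (deleted)"):
            path = path[: -len(" (deleted)")]
        if "x" not in perms or path == exe or path.startswith(TRUSTED_PREFIXES):
            continue
        if posixpath.commonpath([cwd, posixpath.normpath(path)]) == cwd:
            hits.add(path)
    return sorted(hits)

def scan_proc(proc="/proc"):
    """Map pid -> (cwd, hits) for every readable process on a Linux host."""
    findings = {}
    for pid in filter(str.isdigit, os.listdir(proc)):
        base = posixpath.join(proc, pid)
        try:
            cwd, exe = os.readlink(base + "/cwd"), os.readlink(base + "/exe")
            with open(base + "/maps", errors="replace") as fh:
                hits = libs_under_cwd(fh.read(), cwd, exe)
        except OSError:
            continue  # process exited or we lack permission to inspect it
        if hits:
            findings[int(pid)] = (cwd, hits)
    return findings

if __name__ == "__main__":
    for pid, (cwd, hits) in sorted(scan_proc().items()):
        print(pid, cwd, *hits)
```

A hit only shows that a library was mapped from the working directory, which is also normal for software run out of a build tree, so the output is a list to review against the installed dev-qt/qtcore revision.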
Comment 1 Larry the Git Cow gentoo-dev 2020-02-02 23:24:06 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=2130279f2fa917a2e5ee9a29cd8413b39484897a

commit 2130279f2fa917a2e5ee9a29cd8413b39484897a
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-02-02 18:50:59 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-02-02 23:23:54 +0000

    dev-qt/qtcore: Fix CVE-2020-0569 and CVE-2020-0570
    
    Bug: https://bugs.gentoo.org/707354
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 .../qtcore/files/qtcore-5.12.3-CVE-2020-0569.patch | 28 +++++++
 .../qtcore/files/qtcore-5.12.3-CVE-2020-0570.patch | 54 +++++++++++++
 dev-qt/qtcore/qtcore-5.12.3-r2.ebuild              | 90 ++++++++++++++++++++++
 dev-qt/qtcore/qtcore-5.13.2-r2.ebuild              | 89 +++++++++++++++++++++
 4 files changed, 261 insertions(+)
Comment 2 Andreas Sturmlechner gentoo-dev 2020-02-04 01:40:34 UTC
Arches please stabilise.
Comment 3 Agostino Sarubbo gentoo-dev 2020-02-04 09:01:09 UTC
amd64 stable
Comment 4 Agostino Sarubbo gentoo-dev 2020-02-05 10:34:36 UTC
ppc64 stable
Comment 5 ernsteiswuerfel archtester 2020-02-05 21:33:46 UTC
Looking good on ppc.

rdep cmake fails (bug #708402).

# cat qtcore-707354.report 
USE tests started on Mi 5. Feb 18:12:34 CET 2020

FEATURES=' test' USE='' succeeded for =dev-qt/qtcore-5.13.2-r2
USE='-icu -systemd' succeeded for =dev-qt/qtcore-5.13.2-r2
USE='icu -systemd' succeeded for =dev-qt/qtcore-5.13.2-r2
USE='-icu systemd' succeeded for =dev-qt/qtcore-5.13.2-r2
USE='icu systemd' succeeded for =dev-qt/qtcore-5.13.2-r2

revdep tests started on Mi 5. Feb 21:38:20 CET 2020

FEATURES=' test' USE='qt5' succeeded for app-text/highlight
FEATURES=' test' USE='' succeeded for dev-qt/qtwebkit
FEATURES=' test' USE='configuration_tool' succeeded for app-i18n/fcitx-rime
USE='qt5' FEATURES=' test' failed for dev-util/cmake
FEATURES=' test' USE='' succeeded for dev-qt/qtdbus
FEATURES=' test' USE='qt5' succeeded for x11-themes/qtcurve
FEATURES=' test' USE='' succeeded for dev-qt/qtdeclarative
FEATURES=' test' USE='qt5' succeeded for media-libs/libprojectm
FEATURES=' test' USE='' succeeded for x11-libs/qscintilla
FEATURES=' test' USE='qt5' succeeded for media-libs/openal
Comment 6 Sergei Trofimovich (RETIRED) gentoo-dev 2020-02-05 23:43:26 UTC
ppc stable thanks to ernsteiswuerfel!
Comment 7 Agostino Sarubbo gentoo-dev 2020-02-07 12:13:30 UTC
x86 stable
Comment 8 Larry the Git Cow gentoo-dev 2020-02-08 21:34:48 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f9447476d1a2484ec8da6c19f9f91dad84d3b699

commit f9447476d1a2484ec8da6c19f9f91dad84d3b699
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-02-08 14:16:05 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-02-08 21:34:22 +0000

    dev-qt/qtcore: Drop vulnerable 5.12.3-r1
    
    Bug: https://bugs.gentoo.org/707354
    Package-Manager: Portage-2.3.87, Repoman-2.3.20
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtcore/qtcore-5.12.3-r1.ebuild | 86 -----------------------------------
 1 file changed, 86 deletions(-)
Comment 9 Agostino Sarubbo gentoo-dev 2020-02-11 11:37:28 UTC
arm stable
Comment 10 Andreas Sturmlechner gentoo-dev 2020-02-26 23:18:03 UTC
ping arm64
Comment 11 Mart Raudsepp gentoo-dev 2020-03-17 12:40:48 UTC
arm64 stable
Comment 12 Larry the Git Cow gentoo-dev 2020-03-17 12:50:11 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=27f4c18fdb5d9a16e1163d9b0a24aac11163b85a

commit 27f4c18fdb5d9a16e1163d9b0a24aac11163b85a
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-03-17 12:46:28 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-03-17 12:49:45 +0000

    dev-qt/qtcore: Drop vulnerable 5.13.2-r1
    
    Bug: https://bugs.gentoo.org/707354
    Package-Manager: Portage-2.3.94, Repoman-2.3.21
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtcore/qtcore-5.13.2-r1.ebuild | 84 -----------------------------------
 1 file changed, 84 deletions(-)
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-26 18:28:01 UTC
Tree is clean.
Comment 14 Thomas Deutschmann (RETIRED) gentoo-dev 2020-03-26 18:43:35 UTC
New GLSA request filed.
Comment 15 GLSAMaker/CVETool Bot gentoo-dev 2020-03-26 18:53:27 UTC
This issue was resolved and addressed in
 GLSA 202003-60 at https://security.gentoo.org/glsa/202003-60
by GLSA coordinator Thomas Deutschmann (whissi).