Bug 833583 (CVE-2022-25255) - <dev-qt/qtcore-5.15.3: QProcess path vulnerability
Summary: <dev-qt/qtcore-5.15.3: QProcess path vulnerability
Status: IN_PROGRESS
Alias: CVE-2022-25255
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal minor
Assignee: Gentoo Security
Whiteboard: B3 [glsa?]
Depends on: qt-5.15.3-stable
Reported: 2022-02-18 01:43 UTC by Sam James
Modified: 2022-04-18 14:07 UTC

Description Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-02-18 01:43:27 UTC
https://lists.qt-project.org/pipermail/development/2022-February/042238.html:

"Recently, the Qt Project's security team was made aware of an issue regarding QProcess and determined it to be a security issue on Unix-based platforms only. We do not believe this to be a considerable risk for applications as the likelihood of it being triggered is minimal.

Specifically, the problem is around using QProcess to start an application without having an absolute path, and as a result, it depends on it finding it in the PATH environment variable. As a result, it may be possible for an attacker to place their copy of the executable in question inside the working/current directory for the QProcess and have it invoke that instead.

This situation is expected on Windows because it will search that directory first before the PATH environment variable finds the executable in question. However, it is not normal on Unix-based platforms to search the working/current directory if it cannot find it in the PATH environment variable. Therefore, it could enable an attacker to place a malicious executable there with the same name.

If you are using QProcess with an absolute or relative path, then this is not a problem; it will invoke that one specifically, but if you are using it like: 

QProcess p;
p.start("application", args); 

it could run into this problem."
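
Caller-side resolution of a bare command name to an absolute path before it reaches a process launcher such as QProcess, as an added example that is not from the Qt advisory or this bug. It is plain C++ with POSIX calls; `resolve_executable`, `make_sandbox` and the `/tmp/qprocess-path-XXXXXX` sandbox are hypothetical names constructed for the illustration, and skipping empty and relative PATH entries is a hardening assumption.

```cpp
// Added example, not Qt code: resolve a bare command name through PATH only.
#include <cstdlib>
#include <fstream>
#include <sstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// True if `path` is a regular file that the caller may execute.
static bool is_executable_file(const std::string& path) {
    struct stat st;
    return ::stat(path.c_str(), &st) == 0 && S_ISREG(st.st_mode) &&
           ::access(path.c_str(), X_OK) == 0;
}

// Returns the path to hand to the process launcher, or "" if nothing suitable
// is found. Names containing '/' are explicit paths and are returned unchanged.
std::string resolve_executable(const std::string& name, const std::string& path_env) {
    if (name.empty() || name.find('/') != std::string::npos) return name;
    std::istringstream dirs(path_env);
    for (std::string dir; std::getline(dirs, dir, ':');) {
        // Hardening assumption: skip "" and relative entries such as ".",
        // because they make the lookup depend on the working directory.
        if (dir.empty() || dir[0] != '/') continue;
        const std::string candidate = dir + "/" + name;
        if (is_executable_file(candidate)) return candidate;
    }
    return "";  // no fallback to the working directory
}

// Constructed sandbox: <root>/bin and <root>/work each hold an executable
// "tool"; the process then changes into work, where the planted copy sits.
std::string make_sandbox() {
    char tmpl[] = "/tmp/qprocess-path-XXXXXX";
    if (!::mkdtemp(tmpl)) return "";
    const std::string root = tmpl;
    for (const char* d : {"/bin", "/work", "/empty"}) ::mkdir((root + d).c_str(), 0700);
    for (const char* d : {"/bin", "/work"}) {
        const std::string tool = root + d + "/tool";
        std::ofstream(tool.c_str()) << "#!/bin/sh\nexit 0\n";
        ::chmod(tool.c_str(), 0700);
    }
    return ::chdir((root + "/work").c_str()) == 0 ? root : "";
}

int main() {
    const std::string root = make_sandbox();
    // Expect the PATH copy, never the one planted in the working directory.
    return resolve_executable("tool", root + "/bin") == root + "/bin/tool" ? 0 : 1;
}
```

An empty return value means the name was not found in any absolute PATH entry, and the caller should report an error instead of launching the bare name.
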
Comment 1 Andreas Sturmlechner gentoo-dev 2022-02-18 11:31:30 UTC
KDE are currently waiting on upstream to see if they will fix the tests broken by this change.
Comment 2 Larry the Git Cow gentoo-dev 2022-04-01 17:46:44 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=e2f59199cbeb3897bb3089895b65c2a7f7d0a8c7

commit e2f59199cbeb3897bb3089895b65c2a7f7d0a8c7
Author:     Ionen Wolkens <ionen@gentoo.org>
AuthorDate: 2022-04-01 17:20:45 +0000
Commit:     Ionen Wolkens <ionen@gentoo.org>
CommitDate: 2022-04-01 17:46:36 +0000

    www-client/qutebrowser: add 2.5.0
    
    This includes a workaround for CVE-2022-25255 wrt bug #833583
    
    Bug: https://bugs.gentoo.org/833583
    Signed-off-by: Ionen Wolkens <ionen@gentoo.org>

 www-client/qutebrowser/Manifest                 |   1 +
 www-client/qutebrowser/qutebrowser-2.5.0.ebuild | 122 ++++++++++++++++++++++++
 2 files changed, 123 insertions(+)
Comment 3 Andreas Sturmlechner gentoo-dev 2022-04-18 11:41:14 UTC
Cleanup done in commit 2e7a463a4c38e186585f1721fe20e99b304a3f95 then.