fix CVE-2020-0570

2020-10-14 15:22:51 +08:00 · 2020-10-14 15:22:51 +08:00 · 6cddb31ae2
commit 6cddb31ae2
parent 3b22778064
2 changed files with 53 additions and 2 deletions
--- a/CVE-2020-0570.patch
+++ b/CVE-2020-0570.patch
@ -0,0 +1,47 @@
+From 15d5017b8f61a4af9196ba8f802df75efb77a319 Mon Sep 17 00:00:00 2001
+From: Thiago Macieira <thiago.macieira@intel.com>
+Date: Fri, 10 Jan 2020 09:26:27 -0800
+Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD
+
+I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
+find libraries in a haswell/ subdir of the main path, but we only need
+to do that transformation if the library is contains at least one
+directory seprator. That is, if the user asks to load "lib/foo", then we
+should try "lib/haswell/foo" (often, the path prefix will be absolute).
+
+When the library name the user requested has no directory separators, we
+let dlopen() do the transformation for us. Testing on Linux confirms
+glibc does so:
+
+$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help
+|& grep Xcurs or
+   1972475:     find library=libXcursor.so.1 [0]; searching
+   1972475:trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
+   1972475:trying file=/usr/lib64/haswell/libXcursor.so.1
+   1972475:trying file=/usr/lib64/libXcursor.so.1
+   1972475:     calling init: /usr/lib64/libXcursor.so.1
+   1972475:     calling fini: /usr/lib64/libXcursor.so.1 [0]
+
+Fixes: QTBUG-81272
+Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+---
+ src/corelib/plugin/qlibrary_unix.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
+index 90797a49..99c646e1 100644
+--- a/src/corelib/plugin/qlibrary_unix.cpp
+++ b/src/corelib/plugin/qlibrary_unix.cpp
+@@ -209,6 +209,8 @@ bool QLibraryPrivate::load_sys()
+         for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
+             if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
+                 continue;
+	    if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
+		continue;
+             if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
+                 continue;
+             if (loadHints & QLibrary::LoadArchiveMemberHint) {
+-- 
+2.23.0
+
--- a/qt.spec
+++ b/qt.spec
@ -13,7 +13,7 @@
 Name:           qt
 Epoch:          1
 Version:        4.8.7
-Release:        50
+Release:        51
 Summary:        A software toolkit for developing applications
 License:        (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
 URL:            http://qt-project.org/
@ -78,7 +78,8 @@ Patch6001:      CVE-2018-19872.patch
 Patch6002:      CVE-2018-19871.patch
 Patch6003:      CVE-2018-19870.patch
 Patch6004:      CVE-2018-19873.patch
-Patch45:        CVE-2020-17507.patch
+Patch6005:      CVE-2020-17507.patch
+Patch6006:      CVE-2020-0570.patch

 BuildRequires:  cups-devel desktop-file-utils gcc-c++ libjpeg-devel findutils libmng-devel libtiff-devel pkgconfig pkgconfig(alsa)
 BuildRequires:  pkgconfig(dbus-1) pkgconfig(fontconfig) pkgconfig(glib-2.0) pkgconfig(icu-i18n) openssl-devel pkgconfig(libpng)
@ -445,6 +446,9 @@ fi
 %{_qt4_prefix}/examples/

 %changelog
+* Wed 14 Oct 2020 wangyue <wangyue92@huawei.com> - 1:4.8.7-51
+- fix CVE-2020-0570
+
 * Sun Sep 20 2020 shaoqiang kang <kangshaoqiang1@huawei.com> - 1:4.8.7-50
 - fix CVE-2020-17507