QProcess: ensure we don't accidentally execute something from CWD
Origin: upstream, https://download.qt.io/official_releases/qt/5.15/CVE-2022-25255-qprocess5-15.diff
Last-Update: 2022-02-21
Unless "." (or the empty string) is in $PATH, we're not supposed to find
executables in the current directory. This is how the Unix shells behave
and we match their behavior. It's also the behavior Qt had prior to 5.9
(commit
28666d167aa8e602c0bea25ebc4d51b55005db13). On Windows, searching
the current directory is the norm, so we keep that behavior.
This commit does not add an explicit check for an empty return from
QStandardPaths::findExecutable(). Instead, we allow that empty string to
go all the way to execve(2), which will fail with ENOENT. We could catch
it early, before fork(2), but why add code for the error case?
See https://kde.org/info/security/advisory-
20220131-1.txt
Gbp-Pq: Name CVE-2022-25255.diff
adjust QMimeDatabase implementation
Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=
0cbbba2aa5b47224
Last-Update: 2021-06-12
When multiple globs match, and the result from magic sniffing is
unrelated to any of those globs, globs have priority and one of them
should be picked up.
Gbp-Pq: Name mime_globs.diff
fix allocated memory of QByteArray returned by QIODevice::readLine
Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=
6485b6d45ad165cf
Last-Update: 2021-02-20
Gbp-Pq: Name qiodevice_readline_memory.diff
include <limits> to fix some GCC 11 build issues
Origin: upstream, commits:
https://code.qt.io/cgit/qt/qtbase.git/commit/?id=
813a928c7c3cf986
https://code.qt.io/cgit/qt/qtbase.git/commit/?id=
9c56d4da2ff631a8
Last-Update: 2021-01-26
Gbp-Pq: Name gcc_11_limits.diff
QNAM: work around QObject finicky orphan cleanup details
Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=
0807f16eb407eaf8
Last-Update: 2021-01-26
Gbp-Pq: Name qnam_connect_memory_leak.diff
Avoid use-after-free in QXcbConnection::initializeScreens()
Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=
86b8c5c3f32c2457
Last-Update: 2020-11-23
Gbp-Pq: Name xcb_screens_uaf.patch
qtbase-opensource-src (5.15.2+dfsg-9+deb11u1) bullseye; urgency=medium
* Non-maintainer upload by the LTS Team.
* CVE-2024-25580 (Closes: #
1064053)
fix buffer overflow due to crafted KTX image file
* CVE-2023-32763 (Closes: #
1036702)
fix QTextLayout buffer overflow due to crafted SVG file
* CVE-2022-25255
prevent QProcess from execution of a binary from the current working
directory when not found in the PATH
* CVE-2023-24607 (Closes: #
1031872)
fix denial of service via a crafted string when the SQL ODBC driver
plugin is used
* fix regression caused by patch for CVE-2023-24607
* CVE-2023-32762
prevent incorrect parsing of the strict-transport-security (HSTS) header
* CVE-2023-51714 (Closes: #
1060694)
fix incorrect HPack integer overflow check.
* CVE-2023-38197 (Closes: #
1041105)
fix infinite loop in recursive entity expansion
* CVE-2023-37369 (Closes: #
1059302)
fix crash of application in QXmlStreamReader due to crafted XML string
* CVE-2023-34410 (Closes: #
1037210)
fix checking during TLS whether root of the chain really is a
configured CA certificate
* CVE-2023-33285 (Closes: #
1036848)
fix buffer overflow in QDnsLookup
[dgit import unpatched qtbase-opensource-src 5.15.2+dfsg-9+deb11u1]
projects / qtbase-opensource-src.git / log