Date: Mon, 21 Feb 2022 00:26:58 GMT From: Adriaan de Groot <adridg@FreeBSD.org> To: ports-committers@FreeBSD.org, dev-commits-ports-all@FreeBSD.org, dev-commits-ports-main@FreeBSD.org Subject: git: 7c60f16624be - main - devel/qt5-core: add upstream security patch Message-ID: <202202210026.21L0QwN0021915@gitrepo.freebsd.org>
next in thread | raw e-mail | index | archive | help
The branch main has been updated by adridg: URL: https://cgit.FreeBSD.org/ports/commit/?id=7c60f16624be06a178455989e618cc79d1eade6f commit 7c60f16624be06a178455989e618cc79d1eade6f Author: Adriaan de Groot <adridg@FreeBSD.org> AuthorDate: 2022-02-21 00:26:36 +0000 Commit: Adriaan de Groot <adridg@FreeBSD.org> CommitDate: 2022-02-21 00:26:36 +0000 devel/qt5-core: add upstream security patch --- devel/qt5-core/Makefile | 1 + .../files/patch-CVE-2022-25255-qprocess5-15.diff | 63 ++++++++++++++++++++++ 2 files changed, 64 insertions(+) diff --git a/devel/qt5-core/Makefile b/devel/qt5-core/Makefile index d2b938e1f768..32440f6a5882 100644 --- a/devel/qt5-core/Makefile +++ b/devel/qt5-core/Makefile @@ -1,5 +1,6 @@ PORTNAME= core PORTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH} +PORTREVISION= 1 CATEGORIES= devel PKGNAMEPREFIX= qt5- diff --git a/devel/qt5-core/files/patch-CVE-2022-25255-qprocess5-15.diff b/devel/qt5-core/files/patch-CVE-2022-25255-qprocess5-15.diff new file mode 100644 index 000000000000..538ab4ead6db --- /dev/null +++ b/devel/qt5-core/files/patch-CVE-2022-25255-qprocess5-15.diff @@ -0,0 +1,63 @@ +This is the patch linked from the announcement + https://lists.qt-project.org/pipermail/announce/2022-February/000333.html +with two changes: in our sources, the copyright year for the +Qt Company is 2016, the upstream patch says 2021. Changed that +to make the patch apply. The upstream patch is fetched with +CRLF line-endings, changed to plain LF. + +--- src/corelib/io/qprocess_unix.cpp ++++ src/corelib/io/qprocess_unix.cpp +@@ -1,7 +1,7 @@ + /**************************************************************************** + ** + ** Copyright (C) 2016 The Qt Company Ltd. +-** Copyright (C) 2016 Intel Corporation. ++** Copyright (C) 2022 Intel Corporation. + ** Contact: https://www.qt.io/licensing/ + ** + ** This file is part of the QtCore module of the Qt Toolkit. +@@ -422,14 +422,15 @@ void QProcessPrivate::startProcess() + // Add the program name to the argument list. + argv[0] = nullptr; + if (!program.contains(QLatin1Char('/'))) { ++ // findExecutable() returns its argument if it's an absolute path, ++ // otherwise it searches $PATH; returns empty if not found (we handle ++ // that case much later) + const QString &exeFilePath = QStandardPaths::findExecutable(program); +- if (!exeFilePath.isEmpty()) { +- const QByteArray &tmp = QFile::encodeName(exeFilePath); +- argv[0] = ::strdup(tmp.constData()); +- } +- } +- if (!argv[0]) ++ const QByteArray &tmp = QFile::encodeName(exeFilePath); ++ argv[0] = ::strdup(tmp.constData()); ++ } else { + argv[0] = ::strdup(encodedProgramName.constData()); ++ } + + // Add every argument to the list + for (int i = 0; i < arguments.count(); ++i) +@@ -983,15 +984,16 @@ bool QProcessPrivate::startDetached(qint64 *pid) + envp = _q_dupEnvironment(environment.d.constData()->vars, &envc); + } + +- QByteArray tmp; + if (!program.contains(QLatin1Char('/'))) { ++ // findExecutable() returns its argument if it's an absolute path, ++ // otherwise it searches $PATH; returns empty if not found (we handle ++ // that case much later) + const QString &exeFilePath = QStandardPaths::findExecutable(program); +- if (!exeFilePath.isEmpty()) +- tmp = QFile::encodeName(exeFilePath); ++ const QByteArray &tmp = QFile::encodeName(exeFilePath); ++ argv[0] = ::strdup(tmp.constData()); ++ } else { ++ argv[0] = ::strdup(QFile::encodeName(program)); + } +- if (tmp.isEmpty()) +- tmp = QFile::encodeName(program); +- argv[0] = tmp.data(); + + if (envp) + qt_safe_execve(argv[0], argv, envp);
Want to link to this message? Use this URL: <https://mail-archive.FreeBSD.org/cgi/mid.cgi?202202210026.21L0QwN0021915>