CVSROOT: /cvs
Module name: ports
Changes by: [email protected] 2022/02/22 08:54:54
Modified files:
x11/qt5/qtbase : Tag: OPENBSD_7_0 Makefile
Added files:
x11/qt5/qtbase/patches: Tag: OPENBSD_7_0
patch-src_corelib_io_qprocess_unix_cpp
Log message:
Fix CVE-2022-25255

The Qt Company reports:

Recently, the Qt Project's security team was made aware of an issue regarding
QProcess and determined it to be a security issue on Unix-based platforms only.
We do not believe this to be a considerable risk for applications as the
likelihood of it being triggered is minimal.

Specifically, the problem is around using QProcess to start an application
without having an absolute path, and as a result, it depends on it finding it
in the PATH environment variable. As a result, it may be possible for an
attacker to place their copy of the executable in question inside the
working/current directory for the QProcess and have that invoked instead.

https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25255

This is the patch linked from the announcement:
https://lists.qt-project.org/pipermail/announce/2022-February/000333.html
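
A caller-side way to avoid the lookup described in the report is to resolve the program to an absolute path before starting it, searching only absolute PATH directories so the current directory is never consulted. This is an added example, not the Qt patch or OpenBSD ports code; `resolve_program` and `is_exec_file` are hypothetical names and the "sh" lookup is constructed input.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>
#include <sys/stat.h>
#include <unistd.h>

/* True only for a regular file the caller may execute (directories excluded). */
static int is_exec_file(const char *path)
{
    struct stat st;
    return stat(path, &st) == 0 && S_ISREG(st.st_mode) && access(path, X_OK) == 0;
}

/* Hypothetical helper: resolve `name` to an absolute path, writing it to `out`.
 * Returns 0 on success, -1 if nothing acceptable was found. */
int resolve_program(const char *name, const char *path_env, char *out, size_t outlen)
{
    if (!name || !*name || !out || outlen == 0)
        return -1;
    out[0] = '\0';
    if (strchr(name, '/')) {
        /* Names containing a slash bypass PATH: accept absolute ones only. */
        if (name[0] != '/' || strlen(name) >= outlen || !is_exec_file(name))
            return -1;
        strcpy(out, name);
        return 0;
    }
    for (const char *p = path_env; p; ) {
        const char *end = strchr(p, ':');
        size_t len = end ? (size_t)(end - p) : strlen(p);
        /* Empty ("::") and relative (".") entries mean the current
         * directory, so only absolute PATH entries are searched. */
        if (len > 0 && p[0] == '/') {
            int n = snprintf(out, outlen, "%.*s/%s", (int)len, p, name);
            if (n > 0 && (size_t)n < outlen && is_exec_file(out))
                return 0;
        }
        p = end ? end + 1 : NULL;
    }
    out[0] = '\0';
    return -1;
}

int main(void)
{
    char path[4096];
    /* Constructed input: look up "sh" through the caller's PATH. */
    if (resolve_program("sh", getenv("PATH"), path, sizeof path) == 0)
        printf("launch %s\n", path);
    else
        puts("sh not found in any absolute PATH directory");
    return 0;
}
```

The resolved absolute path is what gets handed to the process-launching call, so a same-named file in the working directory is never a candidate.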