git: 7c60f16624be - main - devel/qt5-core: add upstream security patch
Date: Mon, 21 Feb 2022 00:26:58 UTC
The branch main has been updated by adridg: URL: https://cgit.FreeBSD.org/ports/commit/?id=7c60f16624be06a178455989e618cc79d1eade6f commit 7c60f16624be06a178455989e618cc79d1eade6f Author: Adriaan de Groot <adridg@FreeBSD.org> AuthorDate: 2022-02-21 00:26:36 +0000 Commit: Adriaan de Groot <adridg@FreeBSD.org> CommitDate: 2022-02-21 00:26:36 +0000 devel/qt5-core: add upstream security patch --- devel/qt5-core/Makefile | 1 + .../files/patch-CVE-2022-25255-qprocess5-15.diff | 63 ++++++++++++++++++++++ 2 files changed, 64 insertions(+)
diff --git a/devel/qt5-core/Makefile b/devel/qt5-core/Makefile
index d2b938e1f768..32440f6a5882 100644
--- a/devel/qt5-core/Makefile
+++ b/devel/qt5-core/Makefile
@@ -1,5 +1,6 @@
 PORTNAME= core
 PORTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH}
+PORTREVISION= 1
 CATEGORIES= devel
 PKGNAMEPREFIX= qt5-
diff --git a/devel/qt5-core/files/patch-CVE-2022-25255-qprocess5-15.diff b/devel/qt5-core/files/patch-CVE-2022-25255-qprocess5-15.diff
new file mode 100644
index 000000000000..538ab4ead6db
--- /dev/null
+++ b/devel/qt5-core/files/patch-CVE-2022-25255-qprocess5-15.diff
@@ -0,0 +1,63 @@
+This is the patch linked from the announcement
+ https://lists.qt-project.org/pipermail/announce/2022-February/000333.html
+with two changes: in our sources, the copyright year for the
+Qt Company is 2016, the upstream patch says 2021. Changed that
+to make the patch apply. The upstream patch is fetched with
+CRLF line-endings, changed to plain LF.
+
+--- src/corelib/io/qprocess_unix.cpp
++++ src/corelib/io/qprocess_unix.cpp
+@@ -1,7 +1,7 @@
+ /****************************************************************************
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2016 Intel Corporation.
++** Copyright (C) 2022 Intel Corporation.
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -422,14 +422,15 @@ void QProcessPrivate::startProcess()
+ // Add the program name to the argument list.
+ argv[0] = nullptr;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty()) {
+- const QByteArray &tmp = QFile::encodeName(exeFilePath);
+- argv[0] = ::strdup(tmp.constData());
+- }
+- }
+- if (!argv[0])
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
+ argv[0] = ::strdup(encodedProgramName.constData());
++ }
+
+ // Add every argument to the list
+ for (int i = 0; i < arguments.count(); ++i)
+@@ -983,15 +984,16 @@ bool QProcessPrivate::startDetached(qint64 *pid)
+ envp = _q_dupEnvironment(environment.d.constData()->vars, &envc);
+ }
+
+- QByteArray tmp;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty())
+- tmp = QFile::encodeName(exeFilePath);
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
++ argv[0] = ::strdup(QFile::encodeName(program));
+ }
+- if (tmp.isEmpty())
+- tmp = QFile::encodeName(program);
+- argv[0] = tmp.data();
+
+ if (envp)
+ qt_safe_execve(argv[0], argv, envp);
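Review bot: The comment added in both inner hunks (startProcess() and startDetached()) never states why an empty findExecutable() result is now passed straight into `argv[0]`, and that is the security-relevant part of the change: the exec is meant to fail rather than fall back to `program` resolved against the current working directory, which appears to be the behaviour CVE-2022-25255 addresses. In startDetached() the phrase "we handle that case much later" is also inaccurate, because `qt_safe_execve(argv[0], argv, envp)` follows a few lines below. The clause about absolute paths cannot apply in either place, since the comment sits inside `if (!program.contains(QLatin1Char('/')))`. I would word it as `// not found in $PATH: leave argv[0] empty so the exec fails; never fall back to a name relative to the working directory`. Both function bodies continue outside the hunks, so how the failure is reported is not visible here, and since this file is a local copy of the upstream patch the rewording would have to be proposed upstream.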