
[1/3] package/qt5/qt5base: security bump

Message ID 20220317163823.2913753-1-foss+buildroot@0leil.net
State Superseded

Commit Message

Quentin Schulz March 17, 2022, 4:38 p.m. UTC
From: Quentin Schulz <quentin.schulz@theobroma-systems.com>

This fixes CVE-2022-25255 and CVE-2022-25634.

Cc: Quentin Schulz <foss+buildroot@0leil.net>
Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
---
 package/qt5/qt5base/qt5base.hash | 2 +-
 package/qt5/qt5base/qt5base.mk   | 6 +++++-
 2 files changed, 6 insertions(+), 2 deletions(-)

Comments

Arnout Vandecappelle March 24, 2022, 9:35 p.m. UTC | #1
On 17/03/2022 17:38, Quentin Schulz wrote:
> From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> 
> This fixes CVE-2022-25255 and CVE-2022-25634.
> 
> Cc: Quentin Schulz <foss+buildroot@0leil.net>
> Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>
> ---
>   package/qt5/qt5base/qt5base.hash | 2 +-
>   package/qt5/qt5base/qt5base.mk   | 6 +++++-
>   2 files changed, 6 insertions(+), 2 deletions(-)
> 
> diff --git a/package/qt5/qt5base/qt5base.hash b/package/qt5/qt5base/qt5base.hash
> index 1b9ff43ab2..c031f71c77 100644
> --- a/package/qt5/qt5base/qt5base.hash
> +++ b/package/qt5/qt5base/qt5base.hash
> @@ -1,5 +1,5 @@
>   # Locally calculated
> -sha256  96b1c96041ae7b5186c94f231979217bd50e3c0a4caeba32982faa8054a6d113  qtbase-d16bf02a11953dcac01dca73e6f3778f293adefe.tar.bz2
> +sha256  18c17d441fbefa9dd13d1d6bfb5f542c986ba86cc37930247f9e4d782df2244b  qtbase-f31e001a9399e4e620847ea2c3e90749350140ae.tar.bz2
>   
>   # Hashes for license files:
>   sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  LICENSE.GPL2
> diff --git a/package/qt5/qt5base/qt5base.mk b/package/qt5/qt5base/qt5base.mk
> index ef02edfc1d..8fd5800822 100644
> --- a/package/qt5/qt5base/qt5base.mk
> +++ b/package/qt5/qt5base/qt5base.mk
> @@ -4,7 +4,7 @@
>   #
>   ################################################################################
>   
> -QT5BASE_VERSION = d16bf02a11953dcac01dca73e6f3778f293adefe
> +QT5BASE_VERSION = f31e001a9399e4e620847ea2c3e90749350140ae
>   QT5BASE_SITE = $(QT5_SITE)/qtbase/-/archive/$(QT5BASE_VERSION)
>   QT5BASE_SOURCE = qtbase-$(QT5BASE_VERSION).tar.bz2
>   
> @@ -15,6 +15,10 @@ QT5BASE_SYNC_QT_HEADERS = YES
>   # 0010-Avoid-processing-intensive-painting-of-high-number-o.patch
>   # 0011-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch
>   QT5BASE_IGNORE_CVES += CVE-2021-38593

  FYI, this no longer applies cleanly to master.

  Regards,
  Arnout

> +# From commit 2766b2cba6ca4b1c430304df5437e2a6c874b107 "QProcess/Unix: ensure we don't accidentally execute something from CWD"
> +QT5BASE_IGNORE_CVES += CVE-2022-25255
> +# From commit e68ca8e51375d963b2391715f70b42707992dbd8 "Windows: use QSystemLibrary instead of LoadLibrary directly"
> +QT5BASE_IGNORE_CVES += CVE-2022-25634
>   
>   # A few comments:
>   #  * -no-pch to workaround the issue described at
Peter Korsgaard March 31, 2022, 3:48 p.m. UTC | #2
>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:

 > From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
 > This fixes CVE-2022-25255 and CVE-2022-25634.

 > Cc: Quentin Schulz <foss+buildroot@0leil.net>
 > Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Committed to 2022.02.x, thanks.

Patch

diff --git a/package/qt5/qt5base/qt5base.hash b/package/qt5/qt5base/qt5base.hash
index 1b9ff43ab2..c031f71c77 100644
--- a/package/qt5/qt5base/qt5base.hash
+++ b/package/qt5/qt5base/qt5base.hash
@@ -1,5 +1,5 @@ 
 # Locally calculated
-sha256  96b1c96041ae7b5186c94f231979217bd50e3c0a4caeba32982faa8054a6d113  qtbase-d16bf02a11953dcac01dca73e6f3778f293adefe.tar.bz2
+sha256  18c17d441fbefa9dd13d1d6bfb5f542c986ba86cc37930247f9e4d782df2244b  qtbase-f31e001a9399e4e620847ea2c3e90749350140ae.tar.bz2
 
 # Hashes for license files:
 sha256  8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643  LICENSE.GPL2
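Review bot: The new sha256 on the `+sha256  18c17d44...` line is marked "# Locally calculated", so nothing in this hunk lets a reviewer check the tarball against an upstream-published checksum; the archive is generated on demand from QT5BASE_VERSION (QT5BASE_SITE = $(QT5_SITE)/qtbase/-/archive/$(QT5BASE_VERSION)), which makes the hash only as trustworthy as the fetch it was computed from. Suggest the commit message state how the tarball was obtained and that the hash was reproduced on a second, independent download, so a downstream user on 2022.02.x knows the value was not just copied from a single fetch.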
diff --git a/package/qt5/qt5base/qt5base.mk b/package/qt5/qt5base/qt5base.mk
index ef02edfc1d..8fd5800822 100644
--- a/package/qt5/qt5base/qt5base.mk
+++ b/package/qt5/qt5base/qt5base.mk
@@ -4,7 +4,7 @@ 
 #
 ################################################################################
 
-QT5BASE_VERSION = d16bf02a11953dcac01dca73e6f3778f293adefe
+QT5BASE_VERSION = f31e001a9399e4e620847ea2c3e90749350140ae
 QT5BASE_SITE = $(QT5_SITE)/qtbase/-/archive/$(QT5BASE_VERSION)
 QT5BASE_SOURCE = qtbase-$(QT5BASE_VERSION).tar.bz2
 
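Review bot: The hunk moves QT5BASE_VERSION between two bare commit hashes (d16bf02a... to f31e001a...), and the commit message says only "This fixes CVE-2022-25255 and CVE-2022-25634", so the diff does not tell a reviewer which upstream branch the new commit sits on or what else the bump pulls in besides the two security fixes. Suggest adding the branch name and a shortlog (or at least the count of commits) for the range d16bf02a..f31e001a to the commit message, so that a future regression bisect on the stable branch can separate the CVE fixes from the unrelated changes riding along with them.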
@@ -15,6 +15,10 @@  QT5BASE_SYNC_QT_HEADERS = YES
 # 0010-Avoid-processing-intensive-painting-of-high-number-o.patch
 # 0011-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch
 QT5BASE_IGNORE_CVES += CVE-2021-38593
+# From commit 2766b2cba6ca4b1c430304df5437e2a6c874b107 "QProcess/Unix: ensure we don't accidentally execute something from CWD"
+QT5BASE_IGNORE_CVES += CVE-2022-25255
+# From commit e68ca8e51375d963b2391715f70b42707992dbd8 "Windows: use QSystemLibrary instead of LoadLibrary directly"
+QT5BASE_IGNORE_CVES += CVE-2022-25634
 
 # A few comments:
 #  * -no-pch to workaround the issue described at
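Review bot: QT5BASE_IGNORE_CVES silences the CVE checker for CVE-2022-25255 and CVE-2022-25634 regardless of whether the commits named in the two `+# From commit ...` lines are actually contained in the new QT5BASE_VERSION; the comments name the upstream commits, but neither they nor the commit message say that 2766b2cb... and e68ca8e5... are ancestors of f31e001a.... Suggest stating that in the commit message (e.g. as checked with `git merge-base --is-ancestor`), and, since the second commit title is "Windows: use QSystemLibrary instead of LoadLibrary directly", spelling out in its comment whether CVE-2022-25634 was reachable in this package's build at all or is being ignored purely because the fix is now present, so the next person auditing this list does not have to re-derive the reason.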