Message ID | 20220317163823.2913753-1-foss+buildroot@0leil.net |
---|---|
State | Superseded |
Series | [1/3] package/qt5/qt5base: security bump |
On 17/03/2022 17:38, Quentin Schulz wrote: > From: Quentin Schulz <quentin.schulz@theobroma-systems.com> > > This fixes CVE-2022-25255 and CVE-2022-25634. > > Cc: Quentin Schulz <foss+buildroot@0leil.net> > Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com> > --- > package/qt5/qt5base/qt5base.hash | 2 +- > package/qt5/qt5base/qt5base.mk | 6 +++++- > 2 files changed, 6 insertions(+), 2 deletions(-) > > diff --git a/package/qt5/qt5base/qt5base.hash b/package/qt5/qt5base/qt5base.hash > index 1b9ff43ab2..c031f71c77 100644 > --- a/package/qt5/qt5base/qt5base.hash > +++ b/package/qt5/qt5base/qt5base.hash > @@ -1,5 +1,5 @@ > # Locally calculated > -sha256 96b1c96041ae7b5186c94f231979217bd50e3c0a4caeba32982faa8054a6d113 qtbase-d16bf02a11953dcac01dca73e6f3778f293adefe.tar.bz2 > +sha256 18c17d441fbefa9dd13d1d6bfb5f542c986ba86cc37930247f9e4d782df2244b qtbase-f31e001a9399e4e620847ea2c3e90749350140ae.tar.bz2 > > # Hashes for license files: > sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 LICENSE.GPL2 > diff --git a/package/qt5/qt5base/qt5base.mk b/package/qt5/qt5base/qt5base.mk > index ef02edfc1d..8fd5800822 100644 > --- a/package/qt5/qt5base/qt5base.mk > +++ b/package/qt5/qt5base/qt5base.mk > @@ -4,7 +4,7 @@ > # > ################################################################################ > > -QT5BASE_VERSION = d16bf02a11953dcac01dca73e6f3778f293adefe > +QT5BASE_VERSION = f31e001a9399e4e620847ea2c3e90749350140ae > QT5BASE_SITE = $(QT5_SITE)/qtbase/-/archive/$(QT5BASE_VERSION) > QT5BASE_SOURCE = qtbase-$(QT5BASE_VERSION).tar.bz2 
> > @@ -15,6 +15,10 @@ QT5BASE_SYNC_QT_HEADERS = YES > # 0010-Avoid-processing-intensive-painting-of-high-number-o.patch > # 0011-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch > QT5BASE_IGNORE_CVES += CVE-2021-38593 FYI, this no longer applies cleanly to master. Regards, Arnout > +# From commit 2766b2cba6ca4b1c430304df5437e2a6c874b107 "QProcess/Unix: ensure we don't accidentally execute something from CWD" > +QT5BASE_IGNORE_CVES += CVE-2022-25255 > +# From commit e68ca8e51375d963b2391715f70b42707992dbd8 "Windows: use QSystemLibrary instead of LoadLibrary directly" > +QT5BASE_IGNORE_CVES += CVE-2022-25634 > > # A few comments: > # * -no-pch to workaround the issue described at
>>>>> "Quentin" == Quentin Schulz <foss+buildroot@0leil.net> writes:

 > From: Quentin Schulz <quentin.schulz@theobroma-systems.com>
 > This fixes CVE-2022-25255 and CVE-2022-25634.
 > Cc: Quentin Schulz <foss+buildroot@0leil.net>
 > Signed-off-by: Quentin Schulz <quentin.schulz@theobroma-systems.com>

Committed to 2022.02.x, thanks.
diff --git a/package/qt5/qt5base/qt5base.hash b/package/qt5/qt5base/qt5base.hash index 1b9ff43ab2..c031f71c77 100644 --- a/package/qt5/qt5base/qt5base.hash +++ b/package/qt5/qt5base/qt5base.hash @@ -1,5 +1,5 @@ # Locally calculated -sha256 96b1c96041ae7b5186c94f231979217bd50e3c0a4caeba32982faa8054a6d113 qtbase-d16bf02a11953dcac01dca73e6f3778f293adefe.tar.bz2 +sha256 18c17d441fbefa9dd13d1d6bfb5f542c986ba86cc37930247f9e4d782df2244b qtbase-f31e001a9399e4e620847ea2c3e90749350140ae.tar.bz2 # Hashes for license files: sha256 8177f97513213526df2cf6184d8ff986c675afb514d4e68a404010521b880643 LICENSE.GPL2 diff --git a/package/qt5/qt5base/qt5base.mk b/package/qt5/qt5base/qt5base.mk index ef02edfc1d..8fd5800822 100644 --- a/package/qt5/qt5base/qt5base.mk +++ b/package/qt5/qt5base/qt5base.mk @@ -4,7 +4,7 @@ # ################################################################################ -QT5BASE_VERSION = d16bf02a11953dcac01dca73e6f3778f293adefe +QT5BASE_VERSION = f31e001a9399e4e620847ea2c3e90749350140ae QT5BASE_SITE = $(QT5_SITE)/qtbase/-/archive/$(QT5BASE_VERSION) QT5BASE_SOURCE = qtbase-$(QT5BASE_VERSION).tar.bz2 @@ -15,6 +15,10 @@ QT5BASE_SYNC_QT_HEADERS = YES # 0010-Avoid-processing-intensive-painting-of-high-number-o.patch # 0011-Improve-fix-for-avoiding-huge-number-of-tiny-dashes.patch QT5BASE_IGNORE_CVES += CVE-2021-38593 +# From commit 2766b2cba6ca4b1c430304df5437e2a6c874b107 "QProcess/Unix: ensure we don't accidentally execute something from CWD" +QT5BASE_IGNORE_CVES += CVE-2022-25255 +# From commit e68ca8e51375d963b2391715f70b42707992dbd8 "Windows: use QSystemLibrary instead of LoadLibrary directly" +QT5BASE_IGNORE_CVES += CVE-2022-25634 # A few comments: # * -no-pch to workaround the issue described at
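Review bot: The QT5BASE_VERSION line in the first qt5base.mk hunk replaces one bare commit hash with another, and the commit message says only "This fixes CVE-2022-25255 and CVE-2022-25634", so nothing records which upstream branch f31e001a9399e4e620847ea2c3e90749350140ae sits on or what else the bump pulls in after d16bf02a11953dcac01dca73e6f3778f293adefe. Suggest naming the upstream branch and summarising the commit range in the commit message so the bump can be audited. The matching qt5base.hash entry is marked "# Locally calculated", so the commit message is the only place a reviewer can tie the new tarball to a known upstream state.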
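Review bot: The two comments added above the new QT5BASE_IGNORE_CVES lines in the second qt5base.mk hunk name upstream commits but do not say that those commits are contained in the new QT5BASE_VERSION, which is what justifies ignoring the CVEs. The neighbouring CVE-2021-38593 entry refers to local patch files (0010-..., 0011-...), and this change adds no patch files, so "From commit ..." can be misread as a backport. Suggest wording such as "# Fixed upstream by commit 2766b2cba6ca4b1c430304df5437e2a6c874b107, included in QT5BASE_VERSION". The quoted title for e68ca8e51375d963b2391715f70b42707992dbd8 starts with "Windows:", so the comment for CVE-2022-25634 could also state that the issue is specific to Windows.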