Doesn't the first fix break the standard way of deploying plugins on windows ? I'm also not sure why this shouldn't affect windows ?
Most applications using Qt on windows just deploy their plugins in the folder next to the binary. Same like all dlls needed for the binary... I see how this fixes the security problem when Qt comes from the system and you cannot write to that location, but for all other cases it won't change anything ? Sorry if i missed something very obvious Dominik Am 30.01.20 um 02:18 schrieb Thiago Macieira: > The Qt security team was made aware of two issues affecting the currently- > released versions of Qt that could lead to loading of untrusted plugins, > which > can execute code immediately upon loading. We have assigned two IDs for them. > The patches fixing those issues are linked to below. > > Issue 1) CVE-2020-0569 > Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C > * Vendor: Qt Project > * Product: Qt > * Versions affected: 5.0.0 to 5.13.2 > * Versions fixed: 5.14.0 (already released), 5.12.7, 5.9.10 (future) > * Issue: local attack, loading and execution of untrusted code > * Scope: class QPluginLoader (qtbase/src/corelib/plugin/qpluginloader.cpp) > * Description: > QPluginLoader in Qt versions 5.0.0 through 5.13.2 would search for certain > plugins first on the current working directory of the application, which > allows an attacker that can place files in the file system and influence the > working directory of Qt-based applications to load and execute malicious > code. > This issue was verified on macOS and Linux and probably affects all other > Unix > operating systems. This issue does not affect Windows. > > Patches: > - 5.6.0 through 5.13.2: https://code.qt.io/cgit/qt/qtbase.git/commit/? > id=bf131e8d2181b3404f5293546ed390999f760404 > - 5.0.0 through 5.5.1: https://code.qt.io/cgit/qt/qtbase.git/commit/? > id=5c4234ed958130d655df8197129806f687d4df0d > > Issue 2) CVE-2020-0570 > Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C > * Vendor: Qt Project > * Product: Qt > * Versions affected: 5.12.0 through 5.14.0 > * Versions fixed: 5.14.1 (released), 5.12.7, 5.9.10 (future) > * Issue: local attack, loading and execution of untrusted code > * Scope: class QLibrary (qtbase/src/corelib/plugin) > * Reference: https://bugreports.qt.io/browse/QTBUG-81272 > * Description: > QLibrary in Qt versions 5.12.0 through 5.14.0, on certain x86 machines, would > search for certain libraries and plugins relative to current working > directory > of the application, which allows an attacker that can place files in the file > system and influence the working directory of Qt-based applications to load > and execute malicious code. This issue was verified on Linux and probably > affects all Unix operating systems, other than macOS (Darwin). This issue > does > not affect Windows. > > Patch: https://code.qt.io/cgit/qt/qtbase.git/commit/? > id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd > _______________________________________________ Development mailing list [email protected] https://lists.qt-project.org/listinfo/development
