Recently, the Qt Project's security team was made aware of an issue regarding 
QProcess and determined it to be a security issue on Unix-based platforms only. 
We do not believe this to be a considerable risk for applications as the 
likelihood of it being triggered is minimal.

Specifically, the problem arises when QProcess is used to start an application 
without an absolute path, so that it depends on finding the executable through 
the PATH environment variable. As a result, it may be possible for an attacker 
to place their own copy of the executable in question inside the 
working/current directory of the QProcess and have that copy invoked instead.

This behavior is expected on Windows, because Windows searches that directory 
first, before the PATH environment variable, when looking for the executable in 
question. However, it is not normal on Unix-based platforms to search the 
working/current directory when the executable cannot be found in the PATH 
environment variable. Therefore, it could enable an attacker to place a 
malicious executable there with the same name.

If you are using QProcess with an absolute or relative path, then this is not a 
problem; it will invoke that one specifically, but if you are using it like: 

QProcess p;
p.start("application", args); 

it could run into this problem.

Patches for the currently supported versions of Qt and for Qt 5.12 can be 
found here:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/393113
Qt 6.2: https://codereview.qt-project.org/c/qt/qtbase/+/394914 or 
https://download.qt.io/official_releases/qt/6.2/CVE-2022-25255-qprocess6-2.diff
Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/394919 or 
https://download.qt.io/official_releases/qt/5.15/CVE-2022-25255-qprocess5-15.diff
Qt 5.12: https://codereview.qt-project.org/c/qt/qtbase/+/396020

If you prefer not to patch Qt, you can work around this by resolving the 
complete path of the application yourself instead of leaving the lookup to 
QProcess. You can use QStandardPaths::findExecutable() for this purpose, as it 
will search your PATH environment variable and, as a result, will give you a 
safe path to use.
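
The lookup rule behind this workaround, as an added example that is not part 
of the original announcement and is not Qt code: a bare program name is 
resolved against PATH only, never the working directory. The helper name 
resolveFromPath() and its policy of skipping empty and relative PATH entries 
are assumptions of this sketch.

```cpp
#include <cstdlib>
#include <filesystem>
#include <optional>
#include <sstream>
#include <string>
#include <unistd.h>

namespace fs = std::filesystem;

// Hypothetical helper: returns an absolute path for the bare name `name`,
// searching only the directories listed in `pathVar`. The working directory
// is never consulted.
std::optional<fs::path> resolveFromPath(const std::string &name,
                                        const std::string &pathVar)
{
    // Only bare names are resolved here; a name with '/' is an explicit path.
    if (name.empty() || name.find('/') != std::string::npos)
        return std::nullopt;

    std::istringstream entries(pathVar);
    std::string dir;
    while (std::getline(entries, dir, ':')) {
        // Skip empty and relative entries: both would be interpreted
        // relative to the current directory, which must not be searched.
        if (dir.empty() || dir.front() != '/')
            continue;
        fs::path candidate = fs::path(dir) / name;
        std::error_code ec;
        if (fs::is_regular_file(candidate, ec) &&
            ::access(candidate.c_str(), X_OK) == 0)
            return candidate;
    }
    return std::nullopt; // not found: refuse to start rather than guess
}

int main()
{
    const char *env = std::getenv("PATH");
    auto exe = resolveFromPath("application", env ? env : "");
    // In a Qt program the announcement's workaround plays this role:
    //   QString exe = QStandardPaths::findExecutable("application");
    //   if (!exe.isEmpty()) p.start(exe, args);
    return exe ? 0 : 1;
}
```

If the lookup returns nothing, the process is not started at all, so a file 
of the same name in the working directory is never a fallback.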

The official CVE report for this can be found here: 
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25255

Kind regards,
Andy
--
Andy Shaw
The Qt Company

_______________________________________________
Announce mailing list
annou...@qt-project.org
https://lists.qt-project.org/listinfo/announce
_______________________________________________
Development mailing list
Development@qt-project.org
https://lists.qt-project.org/listinfo/development
