On Thursday, 30 January 2020 09:16:19 PST Olivier Goffart wrote:
> > I actually found that the patch applies to 5.7, and even qt4 with the
> > proper modifications. Is there something else in the code that limits
> > the affected version or maybe it does affect older versions too?
>
> The patch j
On Thursday, 30 January 2020 09:09:47 PST Olivier Goffart wrote:
> > This is similar to a TOCTOU attack, but I couldn't come up with a
> > reasonable attack scenario. If the interposing DLL has metadata saying
> > not to load, QLibrary will find the actual plugin later and will load
> > that. The w
On 2020-01-30 18:09, Olivier Goffart wrote:
On 30/01/20 17:12, Thiago Macieira wrote:
On Thursday, 30 January 2020 03:05:50 PST Olivier Goffart wrote:
$PWD is not the same as the binary dir
(QCoreApplication::applicationDirPath) The latter is still searched while
looking for plugin. (so that co
On 30/01/20 17:16, Lisandro Damián Nicanor Pérez Meyer wrote:
Hi Thiago!
On Wed, 29 Jan 2020 at 22:19, Thiago Macieira wrote:
[snip]
Issue 2) CVE-2020-0570
Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
* Vendor: Qt Project
* Product: Qt
* Versions affected: 5.1
On 30/01/20 17:12, Thiago Macieira wrote:
On Thursday, 30 January 2020 03:05:50 PST Olivier Goffart wrote:
$PWD is not the same as the binary dir
(QCoreApplication::applicationDirPath) The latter is still searched while
looking for plugin. (so that covers the case where plugin is in the folder
ne
Hi Thiago!
On Wed, 29 Jan 2020 at 22:19, Thiago Macieira wrote:
[snip]
> Issue 2) CVE-2020-0570
> Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
> * Vendor: Qt Project
> * Product: Qt
> * Versions affected: 5.12.0 through 5.14.0
I actually found that the patch app
On Thursday, 30 January 2020 03:05:50 PST Olivier Goffart wrote:
> $PWD is not the same as the binary dir
> (QCoreApplication::applicationDirPath) The latter is still searched while
> looking for plugin. (so that covers the case where plugin is in the folder
> next to the binary)
>
> But I am also
On 30.01.20 at 12:05, Olivier Goffart wrote:
> On 30/01/20 11:30, Dominik Holland wrote:
>> Doesn't the first fix break the standard way of deploying plugins on
>> Windows? I'm also not sure why this shouldn't affect Windows?
>>
>> Most applications using Qt on Windows just deploy their plugins
On 30/01/20 11:30, Dominik Holland wrote:
Doesn't the first fix break the standard way of deploying plugins on
Windows? I'm also not sure why this shouldn't affect Windows?
Most applications using Qt on Windows just deploy their plugins in the
folder next to the binary. Same like all dlls need
Doesn't the first fix break the standard way of deploying plugins on
Windows? I'm also not sure why this shouldn't affect Windows?
Most applications using Qt on Windows just deploy their plugins in the
folder next to the binary. Same like all dlls needed for the binary...
I see how this fixes t
The Qt security team was made aware of two issues affecting the currently-
released versions of Qt that could lead to loading of untrusted plugins, which
can execute code immediately upon loading. We have assigned two IDs for them.
The patches fixing those issues are linked to below.
Issue 1) CV