[Development] New Qt vulnerabilities
Dominik Holland
dominik.holland at qt.io
Thu Jan 30 11:30:07 CET 2020
Doesn't the first fix break the standard way of deploying plugins on
windows ? I'm also not sure why this shouldn't affect windows ?
Most applications using Qt on windows just deploy their plugins in the
folder next to the binary. Same like all dlls needed for the binary...
I see how this fixes the security problem when Qt comes from the system
and you cannot write to that location, but for all other cases it won't
change anything ?
Sorry if i missed something very obvious
Dominik
Am 30.01.20 um 02:18 schrieb Thiago Macieira:
> The Qt security team was made aware of two issues affecting the currently-
> released versions of Qt that could lead to loading of untrusted plugins, which
> can execute code immediately upon loading. We have assigned two IDs for them.
> The patches fixing those issues are linked to below.
>
> Issue 1) CVE-2020-0569
> Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
> * Vendor: Qt Project
> * Product: Qt
> * Versions affected: 5.0.0 to 5.13.2
> * Versions fixed: 5.14.0 (already released), 5.12.7, 5.9.10 (future)
> * Issue: local attack, loading and execution of untrusted code
> * Scope: class QPluginLoader (qtbase/src/corelib/plugin/qpluginloader.cpp)
> * Description:
> QPluginLoader in Qt versions 5.0.0 through 5.13.2 would search for certain
> plugins first on the current working directory of the application, which
> allows an attacker that can place files in the file system and influence the
> working directory of Qt-based applications to load and execute malicious code.
> This issue was verified on macOS and Linux and probably affects all other Unix
> operating systems. This issue does not affect Windows.
>
> Patches:
> - 5.6.0 through 5.13.2: https://code.qt.io/cgit/qt/qtbase.git/commit/?
> id=bf131e8d2181b3404f5293546ed390999f760404
> - 5.0.0 through 5.5.1: https://code.qt.io/cgit/qt/qtbase.git/commit/?
> id=5c4234ed958130d655df8197129806f687d4df0d
>
> Issue 2) CVE-2020-0570
> Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
> * Vendor: Qt Project
> * Product: Qt
> * Versions affected: 5.12.0 through 5.14.0
> * Versions fixed: 5.14.1 (released), 5.12.7, 5.9.10 (future)
> * Issue: local attack, loading and execution of untrusted code
> * Scope: class QLibrary (qtbase/src/corelib/plugin)
> * Reference: https://bugreports.qt.io/browse/QTBUG-81272
> * Description:
> QLibrary in Qt versions 5.12.0 through 5.14.0, on certain x86 machines, would
> search for certain libraries and plugins relative to current working directory
> of the application, which allows an attacker that can place files in the file
> system and influence the working directory of Qt-based applications to load
> and execute malicious code. This issue was verified on Linux and probably
> affects all Unix operating systems, other than macOS (Darwin). This issue does
> not affect Windows.
>
> Patch: https://code.qt.io/cgit/qt/qtbase.git/commit/?
> id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd
>
More information about the Development
mailing list