[Development] New Qt vulnerabilities

Olivier Goffart olivier at woboq.com
Thu Jan 30 12:05:50 CET 2020


On 30/01/20 11:30, Dominik Holland wrote:
> Doesn't the first fix break the standard way of deploying plugins on
> Windows? I'm also not sure why this shouldn't affect Windows?
> 
> Most applications using Qt on Windows just deploy their plugins in the
> folder next to the binary. Same as all DLLs needed for the binary...
> 
> I see how this fixes the security problem when Qt comes from the system
> and you cannot write to that location, but for all other cases it won't
> change anything?
> 
> Sorry if I missed something very obvious

$PWD is not the same as the binary dir (QCoreApplication::applicationDirPath).
The latter is still searched while looking for plugins (so that covers the case
where the plugin is in the folder next to the binary).

But I am also not sure why Windows is not affected.

-- 
Olivier



> On 30.01.20 at 02:18, Thiago Macieira wrote:
>> The Qt security team was made aware of two issues affecting the currently-
>> released versions of Qt that could lead to loading of untrusted plugins, which
>> can execute code immediately upon loading. We have assigned two IDs for them.
>> The patches fixing those issues are linked to below.
>>
>> Issue 1) CVE-2020-0569
>> Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
>> * Vendor: Qt Project
>> * Product: Qt
>> * Versions affected: 5.0.0 to 5.13.2
>> * Versions fixed: 5.14.0 (already released), 5.12.7, 5.9.10 (future)
>> * Issue: local attack, loading and execution of untrusted code
>> * Scope: class QPluginLoader (qtbase/src/corelib/plugin/qpluginloader.cpp)
>> * Description:
>> QPluginLoader in Qt versions 5.0.0 through 5.13.2 would search for certain
>> plugins first on the current working directory of the application, which
>> allows an attacker that can place files in the file system and influence the
>> working directory of Qt-based applications to load and execute malicious code.
>> This issue was verified on macOS and Linux and probably affects all other Unix
>> operating systems. This issue does not affect Windows.
>>
>> Patches:
>> - 5.6.0 through 5.13.2:
>>   https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b3404f5293546ed390999f760404
>> - 5.0.0 through 5.5.1:
>>   https://code.qt.io/cgit/qt/qtbase.git/commit/?id=5c4234ed958130d655df8197129806f687d4df0d
>>
>> Issue 2) CVE-2020-0570
>> Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
>> * Vendor: Qt Project
>> * Product: Qt
>> * Versions affected: 5.12.0 through 5.14.0
>> * Versions fixed: 5.14.1 (released), 5.12.7, 5.9.10 (future)
>> * Issue: local attack, loading and execution of untrusted code
>> * Scope: class QLibrary (qtbase/src/corelib/plugin)
>> * Reference: https://bugreports.qt.io/browse/QTBUG-81272
>> * Description:
>> QLibrary in Qt versions 5.12.0 through 5.14.0, on certain x86 machines, would
>> search for certain libraries and plugins relative to current working directory
>> of the application, which allows an attacker that can place files in the file
>> system and influence the working directory of Qt-based applications to load
>> and execute malicious code. This issue was verified on Linux and probably
>> affects all Unix operating systems, other than macOS (Darwin). This issue does
>> not affect Windows.
>>
>> Patch:
>> https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63fb16b2df239f82a89d2bf05dd
>>
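An added example, not part of this thread and not Qt's code: a simplified Python model of a plugin search path, showing why an entry that resolves against $PWD makes the loaded file depend on where the application was started, while the application-directory lookup mentioned in the reply does not. The directory layout, the plugin name and the functions `resolve_plugin`, `harden` and `demo` are hypothetical.

```python
import os
import shutil
import tempfile


def resolve_plugin(name, search_dirs):
    """Return the first existing file <dir>/<name>, or None.

    An empty or relative entry is resolved by the OS against the current
    working directory, which is the behaviour the advisory warns about.
    """
    for d in search_dirs:
        candidate = os.path.join(d, name)
        if os.path.isfile(candidate):
            return os.path.realpath(candidate)
    return None


def harden(search_dirs):
    """Keep only absolute directories so the lookup cannot depend on $PWD."""
    return [d for d in search_dirs if os.path.isabs(d)]


def demo():
    """Constructed layout: the genuine plugin sits next to the binary, and a
    same-named file sits in an unrelated working directory."""
    root = os.path.realpath(tempfile.mkdtemp())
    app_dir = os.path.join(root, "app")          # stands in for applicationDirPath
    work_dir = os.path.join(root, "downloads")   # stands in for $PWD
    name = os.path.join("imageformats", "libexample.so")  # hypothetical name
    for d in (app_dir, work_dir):
        os.makedirs(os.path.join(d, "imageformats"))
        open(os.path.join(d, name), "w").close()
    old_cwd = os.getcwd()
    os.chdir(work_dir)
    try:
        weak = ["", app_dir]                     # "" means: try $PWD first
        before = resolve_plugin(name, weak)
        after = resolve_plugin(name, harden(weak))
    finally:
        os.chdir(old_cwd)
        shutil.rmtree(root)
    return work_dir, app_dir, before, after


if __name__ == "__main__":
    work_dir, app_dir, before, after = demo()
    print("cwd-first search path picks:", before)
    print("absolute-only search path picks:", after)
```

Running `harden` over an application's configured plugin directories at start-up is a quick way to spot entries whose meaning changes with the working directory.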