Qt has issued an advisory today (January 30): https://www.openwall.com/lists/oss-security/2020/01/30/1 Patches to fix the issues are linked from the message above. We need to fix Bug 25418 in this update as well.
Blocks: (none) => 25418
CC: (none) => geiger.david68210
Done for both issues!
Advisory: ======================== Updated qtbase5 packages fix security vulnerabilities: QPluginLoader in Qt versions 5.0.0 through 5.13.2 would search for certain plugins first on the current working directory of the application, which allows an attacker that can place files in the file system and influence the working directory of Qt-based applications to load and execute malicious code (CVE-2020-0569). QLibrary in Qt versions 5.12.0 through 5.14.0, on certain x86 machines, would search for certain libraries and plugins relative to current working directory of the application, which allows an attacker that can place files in the file system and influence the working directory of Qt-based applications to load and execute malicious code (CVE-2020-0570). Also, a file conflict that caused issues when upgrading from Mageia 6 has been fixed. References: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0569 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0570 https://www.openwall.com/lists/oss-security/2020/01/30/1 https://bugs.mageia.org/show_bug.cgi?id=25418 https://bugs.mageia.org/show_bug.cgi?id=26153 ======================== Updated packages in core/updates_testing: ======================== qtbase5-common-5.12.6-2.mga7 qtbase5-common-devel-5.12.6-2.mga7 qtbase5-examples-5.12.6-2.mga7 qtbase5-doc-5.12.6-2.mga7 libqt5core5-5.12.6-2.mga7 libqt5core-devel-5.12.6-2.mga7 libqt5concurrent5-5.12.6-2.mga7 libqt5concurrent-devel-5.12.6-2.mga7 libqt5dbus5-5.12.6-2.mga7 libqt5dbus-devel-5.12.6-2.mga7 libqt5eglfsdeviceintegration5-5.12.6-2.mga7 libqt5eglfsdeviceintegration-devel-5.12.6-2.mga7 libqt5eglfskmssupport5-5.12.6-2.mga7 libqt5eglfskmssupport-devel-5.12.6-2.mga7 libqt5gui5-5.12.6-2.mga7 libqt5gui-devel-5.12.6-2.mga7 libqt5network5-5.12.6-2.mga7 libqt5network-devel-5.12.6-2.mga7 libqt5opengl5-5.12.6-2.mga7 libqt5opengl-devel-5.12.6-2.mga7 libqt5platformsupport-devel-5.12.6-2.mga7 libqt5printsupport5-5.12.6-2.mga7 libqt5printsupport-devel-5.12.6-2.mga7 libqt5sql5-5.12.6-2.mga7 libqt5sql-devel-5.12.6-2.mga7 libqt5test5-5.12.6-2.mga7 libqt5test-devel-5.12.6-2.mga7 libqt5widgets5-5.12.6-2.mga7 libqt5widgets-devel-5.12.6-2.mga7 libqt5xcbqpa5-5.12.6-2.mga7 libqt5xcbqpa-devel-5.12.6-2.mga7 libqt5xml5-5.12.6-2.mga7 libqt5xml-devel-5.12.6-2.mga7 libqt5base5-devel-5.12.6-2.mga7 libqt5accessibilitysupport-static-devel-5.12.6-2.mga7 libqt5linuxaccessibilitysupport-static-devel-5.12.6-2.mga7 libqt5bootstrap-static-devel-5.12.6-2.mga7 libqt5devicediscoverysupport-static-devel-5.12.6-2.mga7 libqt5eglsupport-static-devel-5.12.6-2.mga7 libqt5eventdispatchersupport-static-devel-5.12.6-2.mga7 libqt5fbsupport-static-devel-5.12.6-2.mga7 libqt5fontdatabasesupport-static-devel-5.12.6-2.mga7 libqt5glxsupport-static-devel-5.12.6-2.mga7 libqt5inputsupport-static-devel-5.12.6-2.mga7 libqt5kmssupport-static-devel-5.12.6-2.mga7 libqt5platformcompositorsupport-static-devel-5.12.6-2.mga7 libqt5servicesupport-static-devel-5.12.6-2.mga7 libqt5edid-devel-5.12.6-2.mga7 libqt5themesupport-static-devel-5.12.6-2.mga7 libqt5-database-plugin-odbc-5.12.6-2.mga7 libqt5-database-plugin-mysql-5.12.6-2.mga7 libqt5-database-plugin-sqlite-5.12.6-2.mga7 libqt5-database-plugin-tds-5.12.6-2.mga7 libqt5-database-plugin-pgsql-5.12.6-2.mga7 from qtbase5-5.12.6-2.mga7.src.rpm
Assignee: kde => qa-bugs
I believe there's a typo in the "source rpm" listed at the top of the bug. The last time we tested a qtbase5 update, there was a whole host of other packages that had to be rebuilt. Is that true this time as well?
CC: (none) => andrewsfarm
(In reply to Thomas Andrews from comment #3) > I believe there's a typo in the "source rpm" listed at the top of the bug. > > The last time we tested a qtbase5 update, there was a whole host of other > packages that had to be rebuilt. Is that true this time as well? Nope, we are already at 5.12.6, so this should not be an issue
CC: (none) => tmb
Yep, I copied over the incorrect version from the other bug. Thanks for catching it.
Source RPM: qtbase5-5.12.2-2.1.mga7.src.rpm => qtbase5-5.12.6-1.mga7.src.rpm
AMD Phenom II X4 910 processor, 8GB RAM, Radeon HD 8490 graphics, Atheros wifi, 64-bit Plasma system. Used the list at http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/26153/application/0 with the qa Repo tool, as the list in Comment 2 does not contain any "lib64" file names. The following 17 packages are going to be installed: - lib64qt5-database-plugin-mysql-5.12.6-2.mga7.x86_64 - lib64qt5-database-plugin-sqlite-5.12.6-2.mga7.x86_64 - lib64qt5concurrent5-5.12.6-2.mga7.x86_64 - lib64qt5core5-5.12.6-2.mga7.x86_64 - lib64qt5dbus5-5.12.6-2.mga7.x86_64 - lib64qt5eglfsdeviceintegration5-5.12.6-2.mga7.x86_64 - lib64qt5eglfskmssupport5-5.12.6-2.mga7.x86_64 - lib64qt5gui5-5.12.6-2.mga7.x86_64 - lib64qt5network5-5.12.6-2.mga7.x86_64 - lib64qt5opengl5-5.12.6-2.mga7.x86_64 - lib64qt5printsupport5-5.12.6-2.mga7.x86_64 - lib64qt5sql5-5.12.6-2.mga7.x86_64 - lib64qt5test5-5.12.6-2.mga7.x86_64 - lib64qt5widgets5-5.12.6-2.mga7.x86_64 - lib64qt5xcbqpa5-5.12.6-2.mga7.x86_64 - lib64qt5xml5-5.12.6-2.mga7.x86_64 - qtbase5-common-5.12.6-2.mga7.x86_64 No installation issues. Rebooted, even though not instructed to, because I think it's wise with these big QT updates. Booted to a working desktop. Tried this and that, Plasma apps in particular, with no issues noted. Looks OK on this hardware.
Intel i5-2500, 16GB RAM, Integrated Intel graphics, wired Internet, 64-bit Plasma system. The following 17 packages are going to be installed: - lib64qt5-database-plugin-mysql-5.12.6-2.mga7.x86_64 - lib64qt5-database-plugin-sqlite-5.12.6-2.mga7.x86_64 - lib64qt5concurrent5-5.12.6-2.mga7.x86_64 - lib64qt5core5-5.12.6-2.mga7.x86_64 - lib64qt5dbus5-5.12.6-2.mga7.x86_64 - lib64qt5eglfsdeviceintegration5-5.12.6-2.mga7.x86_64 - lib64qt5eglfskmssupport5-5.12.6-2.mga7.x86_64 - lib64qt5gui5-5.12.6-2.mga7.x86_64 - lib64qt5network5-5.12.6-2.mga7.x86_64 - lib64qt5opengl5-5.12.6-2.mga7.x86_64 - lib64qt5printsupport5-5.12.6-2.mga7.x86_64 - lib64qt5sql5-5.12.6-2.mga7.x86_64 - lib64qt5test5-5.12.6-2.mga7.x86_64 - lib64qt5widgets5-5.12.6-2.mga7.x86_64 - lib64qt5xcbqpa5-5.12.6-2.mga7.x86_64 - lib64qt5xml5-5.12.6-2.mga7.x86_64 - qtbase5-common-5.12.6-2.mga7.x86_64 Did the same tests as in Comment 6, with the same results. OK on this hardware.
MGA7-64 Plasma on Lenovo B50 Left out all the devel stuff from the installation. Since then rebooted two times and cannot find anything wrong yet.
CC: (none) => herman.viaene
on mga7-64 plasma kernel-desktop packages installed cleanly: - lib64qt5-database-plugin-mysql-5.12.6-2.mga7.x86_64 - lib64qt5-database-plugin-sqlite-5.12.6-2.mga7.x86_64 - lib64qt5concurrent5-5.12.6-2.mga7.x86_64 - lib64qt5core5-5.12.6-2.mga7.x86_64 - lib64qt5dbus5-5.12.6-2.mga7.x86_64 - lib64qt5eglfsdeviceintegration5-5.12.6-2.mga7.x86_64 - lib64qt5eglfskmssupport5-5.12.6-2.mga7.x86_64 - lib64qt5gui5-5.12.6-2.mga7.x86_64 - lib64qt5network5-5.12.6-2.mga7.x86_64 - lib64qt5opengl5-5.12.6-2.mga7.x86_64 - lib64qt5printsupport5-5.12.6-2.mga7.x86_64 - lib64qt5sql5-5.12.6-2.mga7.x86_64 - lib64qt5test5-5.12.6-2.mga7.x86_64 - lib64qt5widgets5-5.12.6-2.mga7.x86_64 - lib64qt5xcbqpa5-5.12.6-2.mga7.x86_64 - lib64qt5xml5-5.12.6-2.mga7.x86_64 - qtbase5-common-5.12.6-2.mga7.x86_64 no regressions noted looks OK for mga7-64 on this system: Mobo: Dell model: 09WH54 v: UEFI [Legacy]: Dell v: 2.13.1 CPU: Intel Core i7-6700 Graphics: Intel HD Graphics 530 (Skylake GT2)
CC: (none) => jim
Same hardware as Comment 6, i586 Plasma system, using the server kernel. Updated the 32-bit versions of the same 17 packages as in Comment 6. Rebooted to a working desktop, no issues noted. As this has been working for me for several days now, I'm giving it an OK on both arches, and validating. Advisory in Comment 2.
Whiteboard: (none) => MGA7-64-OK MGA7-32-OKKeywords: (none) => validated_updateCC: (none) => sysadmin-bugs
Debian has issued an advisory for this on February 3: https://www.debian.org/security/2020/dsa-4617
Keywords: (none) => advisory
An update for this issue has been pushed to the Mageia Updates repository. https://advisories.mageia.org/MGASA-2020-0080.html
Resolution: (none) => FIXEDStatus: NEW => RESOLVED