Bug 26153 - qtbase5 new security issues CVE-2020-0569 and CVE-2020-0570
Summary: qtbase5 new security issues CVE-2020-0569 and CVE-2020-0570
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security (show other bugs)
Version: 7
Hardware: All Linux
Priority: Normal critical
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA7-64-OK MGA7-32-OK
Keywords: advisory, validated_update
Depends on:
Blocks: 25418
  Show dependency treegraph
 
Reported: 2020-01-30 14:00 CET by David Walser
Modified: 2020-02-09 20:15 CET (History)
6 users (show)

See Also:
Source RPM: qtbase5-5.12.6-1.mga7.src.rpm
CVE:
Status comment:

Attachments
Add an attachment (proposed patch, testcase, etc.)

Description David Walser 2020-01-30 14:00:09 CET 
Qt has issued an advisory today (January 30):
https://www.openwall.com/lists/oss-security/2020/01/30/1

Patches to fix the issues are linked from the message above.

We need to fix Bug 25418 in this update as well.
David Walser 2020-01-30 14:00:17 CET

Blocks: (none) => 25418

David Walser 2020-01-30 14:00:25 CET

CC: (none) => geiger.david68210

Comment 1 David GEIGER 2020-01-30 16:44:46 CET 
Done for both issues!
Comment 2 David Walser 2020-01-30 17:30:18 CET 
Advisory:
========================

Updated qtbase5 packages fix security vulnerabilities:

QPluginLoader in Qt versions 5.0.0 through 5.13.2 would search for certain
plugins first on the current working directory of the application, which allows
an attacker that can place files in the file system and influence the working
directory of Qt-based applications to load and execute malicious code
(CVE-2020-0569).

QLibrary in Qt versions 5.12.0 through 5.14.0, on certain x86 machines, would
search for certain libraries and plugins relative to current working directory
of the application, which allows an attacker that can place files in the file
system and influence the working directory of Qt-based applications to load and
execute malicious code (CVE-2020-0570).

Also, a file conflict that caused issues when upgrading from Mageia 6 has been
fixed.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0569
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-0570
https://www.openwall.com/lists/oss-security/2020/01/30/1
https://bugs.mageia.org/show_bug.cgi?id=25418
https://bugs.mageia.org/show_bug.cgi?id=26153
========================

Updated packages in core/updates_testing:
========================
qtbase5-common-5.12.6-2.mga7
qtbase5-common-devel-5.12.6-2.mga7
qtbase5-examples-5.12.6-2.mga7
qtbase5-doc-5.12.6-2.mga7
libqt5core5-5.12.6-2.mga7
libqt5core-devel-5.12.6-2.mga7
libqt5concurrent5-5.12.6-2.mga7
libqt5concurrent-devel-5.12.6-2.mga7
libqt5dbus5-5.12.6-2.mga7
libqt5dbus-devel-5.12.6-2.mga7
libqt5eglfsdeviceintegration5-5.12.6-2.mga7
libqt5eglfsdeviceintegration-devel-5.12.6-2.mga7
libqt5eglfskmssupport5-5.12.6-2.mga7
libqt5eglfskmssupport-devel-5.12.6-2.mga7
libqt5gui5-5.12.6-2.mga7
libqt5gui-devel-5.12.6-2.mga7
libqt5network5-5.12.6-2.mga7
libqt5network-devel-5.12.6-2.mga7
libqt5opengl5-5.12.6-2.mga7
libqt5opengl-devel-5.12.6-2.mga7
libqt5platformsupport-devel-5.12.6-2.mga7
libqt5printsupport5-5.12.6-2.mga7
libqt5printsupport-devel-5.12.6-2.mga7
libqt5sql5-5.12.6-2.mga7
libqt5sql-devel-5.12.6-2.mga7
libqt5test5-5.12.6-2.mga7
libqt5test-devel-5.12.6-2.mga7
libqt5widgets5-5.12.6-2.mga7
libqt5widgets-devel-5.12.6-2.mga7
libqt5xcbqpa5-5.12.6-2.mga7
libqt5xcbqpa-devel-5.12.6-2.mga7
libqt5xml5-5.12.6-2.mga7
libqt5xml-devel-5.12.6-2.mga7
libqt5base5-devel-5.12.6-2.mga7
libqt5accessibilitysupport-static-devel-5.12.6-2.mga7
libqt5linuxaccessibilitysupport-static-devel-5.12.6-2.mga7
libqt5bootstrap-static-devel-5.12.6-2.mga7
libqt5devicediscoverysupport-static-devel-5.12.6-2.mga7
libqt5eglsupport-static-devel-5.12.6-2.mga7
libqt5eventdispatchersupport-static-devel-5.12.6-2.mga7
libqt5fbsupport-static-devel-5.12.6-2.mga7
libqt5fontdatabasesupport-static-devel-5.12.6-2.mga7
libqt5glxsupport-static-devel-5.12.6-2.mga7
libqt5inputsupport-static-devel-5.12.6-2.mga7
libqt5kmssupport-static-devel-5.12.6-2.mga7
libqt5platformcompositorsupport-static-devel-5.12.6-2.mga7
libqt5servicesupport-static-devel-5.12.6-2.mga7
libqt5edid-devel-5.12.6-2.mga7
libqt5themesupport-static-devel-5.12.6-2.mga7
libqt5-database-plugin-odbc-5.12.6-2.mga7
libqt5-database-plugin-mysql-5.12.6-2.mga7
libqt5-database-plugin-sqlite-5.12.6-2.mga7
libqt5-database-plugin-tds-5.12.6-2.mga7
libqt5-database-plugin-pgsql-5.12.6-2.mga7

from qtbase5-5.12.6-2.mga7.src.rpm

Assignee: kde => qa-bugs

Comment 3 Thomas Andrews 2020-01-30 20:28:48 CET 
I believe there's a typo in the "source rpm" listed at the top of the bug.

The last time we tested a qtbase5 update, there was a whole host of other packages that had to be rebuilt. Is that true this time as well?

CC: (none) => andrewsfarm

Comment 4 Thomas Backlund 2020-01-30 21:20:04 CET 
(In reply to Thomas Andrews from comment #3)
> I believe there's a typo in the "source rpm" listed at the top of the bug.
> 
> The last time we tested a qtbase5 update, there was a whole host of other
> packages that had to be rebuilt. Is that true this time as well?

Nope, we are already at 5.12.6, so this should not be an issue

CC: (none) => tmb

Comment 5 David Walser 2020-01-30 21:54:34 CET 
Yep, I copied over the incorrect version from the other bug.  Thanks for catching it.

Source RPM: qtbase5-5.12.2-2.1.mga7.src.rpm => qtbase5-5.12.6-1.mga7.src.rpm

Comment 6 Thomas Andrews 2020-02-03 23:33:07 CET 
AMD Phenom II X4 910 processor, 8GB RAM, Radeon HD 8490 graphics, Atheros wifi, 64-bit Plasma system.

Used the list at http://madb.mageia.org/tools/listRpmsForQaBug/bugnum/26153/application/0 with the qa Repo tool, as the list in Comment 2 does not contain any "lib64" file names.

The following 17 packages are going to be installed:

- lib64qt5-database-plugin-mysql-5.12.6-2.mga7.x86_64
- lib64qt5-database-plugin-sqlite-5.12.6-2.mga7.x86_64
- lib64qt5concurrent5-5.12.6-2.mga7.x86_64
- lib64qt5core5-5.12.6-2.mga7.x86_64
- lib64qt5dbus5-5.12.6-2.mga7.x86_64
- lib64qt5eglfsdeviceintegration5-5.12.6-2.mga7.x86_64
- lib64qt5eglfskmssupport5-5.12.6-2.mga7.x86_64
- lib64qt5gui5-5.12.6-2.mga7.x86_64
- lib64qt5network5-5.12.6-2.mga7.x86_64
- lib64qt5opengl5-5.12.6-2.mga7.x86_64
- lib64qt5printsupport5-5.12.6-2.mga7.x86_64
- lib64qt5sql5-5.12.6-2.mga7.x86_64
- lib64qt5test5-5.12.6-2.mga7.x86_64
- lib64qt5widgets5-5.12.6-2.mga7.x86_64
- lib64qt5xcbqpa5-5.12.6-2.mga7.x86_64
- lib64qt5xml5-5.12.6-2.mga7.x86_64
- qtbase5-common-5.12.6-2.mga7.x86_64

No installation issues. Rebooted, even though not instructed to, because I think it's wise with these big QT updates. 

Booted to a working desktop. Tried this and that, Plasma apps in particular, with no issues noted.

Looks OK on this hardware.
Comment 7 Thomas Andrews 2020-02-04 00:30:28 CET 
Intel i5-2500, 16GB RAM, Integrated Intel graphics, wired Internet, 64-bit Plasma system.

The following 17 packages are going to be installed:

- lib64qt5-database-plugin-mysql-5.12.6-2.mga7.x86_64
- lib64qt5-database-plugin-sqlite-5.12.6-2.mga7.x86_64
- lib64qt5concurrent5-5.12.6-2.mga7.x86_64
- lib64qt5core5-5.12.6-2.mga7.x86_64
- lib64qt5dbus5-5.12.6-2.mga7.x86_64
- lib64qt5eglfsdeviceintegration5-5.12.6-2.mga7.x86_64
- lib64qt5eglfskmssupport5-5.12.6-2.mga7.x86_64
- lib64qt5gui5-5.12.6-2.mga7.x86_64
- lib64qt5network5-5.12.6-2.mga7.x86_64
- lib64qt5opengl5-5.12.6-2.mga7.x86_64
- lib64qt5printsupport5-5.12.6-2.mga7.x86_64
- lib64qt5sql5-5.12.6-2.mga7.x86_64
- lib64qt5test5-5.12.6-2.mga7.x86_64
- lib64qt5widgets5-5.12.6-2.mga7.x86_64
- lib64qt5xcbqpa5-5.12.6-2.mga7.x86_64
- lib64qt5xml5-5.12.6-2.mga7.x86_64
- qtbase5-common-5.12.6-2.mga7.x86_64

Did the same tests as in Comment 6, with the same results. OK on this hardware.
Comment 8 Herman Viaene 2020-02-04 09:22:04 CET 
MGA7-64 Plasma on Lenovo B50
Left out all the devel stuff from the installation. Since then rebooted two times and cannot find anything wrong yet.

CC: (none) => herman.viaene

Comment 9 James Kerr 2020-02-04 15:26:03 CET 
on mga7-64 plasma kernel-desktop

packages installed cleanly:
- lib64qt5-database-plugin-mysql-5.12.6-2.mga7.x86_64
- lib64qt5-database-plugin-sqlite-5.12.6-2.mga7.x86_64
- lib64qt5concurrent5-5.12.6-2.mga7.x86_64
- lib64qt5core5-5.12.6-2.mga7.x86_64
- lib64qt5dbus5-5.12.6-2.mga7.x86_64
- lib64qt5eglfsdeviceintegration5-5.12.6-2.mga7.x86_64
- lib64qt5eglfskmssupport5-5.12.6-2.mga7.x86_64
- lib64qt5gui5-5.12.6-2.mga7.x86_64
- lib64qt5network5-5.12.6-2.mga7.x86_64
- lib64qt5opengl5-5.12.6-2.mga7.x86_64
- lib64qt5printsupport5-5.12.6-2.mga7.x86_64
- lib64qt5sql5-5.12.6-2.mga7.x86_64
- lib64qt5test5-5.12.6-2.mga7.x86_64
- lib64qt5widgets5-5.12.6-2.mga7.x86_64
- lib64qt5xcbqpa5-5.12.6-2.mga7.x86_64
- lib64qt5xml5-5.12.6-2.mga7.x86_64
- qtbase5-common-5.12.6-2.mga7.x86_64

no regressions noted

looks OK for mga7-64 on this system:

Mobo: Dell model: 09WH54 v: UEFI [Legacy]: Dell v: 2.13.1 
CPU: Intel Core i7-6700
Graphics: Intel HD Graphics 530 (Skylake GT2)

CC: (none) => jim

Comment 10 Thomas Andrews 2020-02-06 20:59:25 CET 
Same hardware as Comment 6, i586 Plasma system, using the server kernel.

Updated the 32-bit versions of the same 17 packages as in Comment 6. Rebooted to a working desktop, no issues noted.

As this has been working for me for several days now, I'm giving it an OK on both arches, and validating. Advisory in Comment 2.

Whiteboard: (none) => MGA7-64-OK MGA7-32-OK
Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Comment 11 David Walser 2020-02-07 21:08:04 CET 
Debian has issued an advisory for this on February 3:
https://www.debian.org/security/2020/dsa-4617
Thomas Backlund 2020-02-09 19:15:40 CET

Keywords: (none) => advisory

Comment 12 Mageia Robot 2020-02-09 20:15:10 CET 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2020-0080.html

Resolution: (none) => FIXED
Status: NEW => RESOLVED
Note You need to log in before you can comment on or make changes to this bug.