Synv 20.03-lts to sp3

Signed-off-by: weidong <weidong@uniontech.com>
2022-01-11 13:54:55 +08:00 · 2022-01-11 13:54:55 +08:00 · 479ae2e67a
commit 479ae2e67a
parent 93d2e0c2bd
2 changed files with 57 additions and 3 deletions
--- a/CVE-2020-0570.patch
+++ b/CVE-2020-0570.patch
@ -0,0 +1,47 @@
+From 15d5017b8f61a4af9196ba8f802df75efb77a319 Mon Sep 17 00:00:00 2001
+From: Thiago Macieira <thiago.macieira@intel.com>
+Date: Fri, 10 Jan 2020 09:26:27 -0800
+Subject: QLibrary/Unix: do not attempt to load a library relative to $PWD
+
+I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
+find libraries in a haswell/ subdir of the main path, but we only need
+to do that transformation if the library is contains at least one
+directory seprator. That is, if the user asks to load "lib/foo", then we
+should try "lib/haswell/foo" (often, the path prefix will be absolute).
+
+When the library name the user requested has no directory separators, we
+let dlopen() do the transformation for us. Testing on Linux confirms
+glibc does so:
+
+$ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help
+|& grep Xcurs or
+   1972475:     find library=libXcursor.so.1 [0]; searching
+   1972475:trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
+   1972475:trying file=/usr/lib64/haswell/libXcursor.so.1
+   1972475:trying file=/usr/lib64/libXcursor.so.1
+   1972475:     calling init: /usr/lib64/libXcursor.so.1
+   1972475:     calling fini: /usr/lib64/libXcursor.so.1 [0]
+
+Fixes: QTBUG-81272
+Change-Id: I596aec77785a4e4e84d5fffd15e89689bb91ffbb
+Reviewed-by: Thiago Macieira <thiago.macieira@intel.com>
+---
+ src/corelib/plugin/qlibrary_unix.cpp | 2 ++
+ 1 file changed, 2 insertions(+)
+
+diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
+index 90797a49..99c646e1 100644
+--- a/src/corelib/plugin/qlibrary_unix.cpp
+++ b/src/corelib/plugin/qlibrary_unix.cpp
+@@ -209,6 +209,8 @@ bool QLibraryPrivate::load_sys()
+         for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
+             if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
+                 continue;
+	    if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
+		continue;
+             if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
+                 continue;
+             if (loadHints & QLibrary::LoadArchiveMemberHint) {
+-- 
+2.23.0
+
--- a/qt.spec
+++ b/qt.spec
@ -13,7 +13,7 @@
 Name:           qt
 Epoch:          1
 Version:        4.8.7
-Release:        48
+Release:        50
 Summary:        A software toolkit for developing applications
 License:        (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
 URL:            http://qt-project.org/
@ -78,6 +78,7 @@ Patch6002:      CVE-2018-19871.patch
 Patch6003:      CVE-2018-19870.patch
 Patch6004:      CVE-2018-19873.patch
 Patch6005:      CVE-2020-17507.patch
+Patch6006:      CVE-2020-0570.patch

 BuildRequires:  cups-devel desktop-file-utils gcc-c++ libjpeg-devel findutils libmng-devel libtiff-devel pkgconfig pkgconfig(alsa)
 BuildRequires:  pkgconfig(dbus-1) pkgconfig(fontconfig) pkgconfig(glib-2.0) pkgconfig(icu-i18n) openssl-devel pkgconfig(libpng)
@ -444,8 +445,14 @@ fi
 %{_qt4_prefix}/examples/

 %changelog
-* Mon Sep 21 2020 shaoqiang kang <kangshaoqiang1@huawei.com> - 1:4.8.7-48
- fix CVE-2020-17507 and modify source0
+* Wed 14 Oct 2020 wangyue <wangyue92@huawei.com> - 1:4.8.7-50
+- fix CVE-2020-0570
+
+* Mon Sep 21 2020 shaoqiang kang <kangshaoqiang1@huawei.com> - 1:4.8.7-49
+- fix CVE-2020-17507
+
+* Tue Sep 15 2020 shaoqiang kang <kangshaoqiang1@huawei.com> - 1:4.8.7-48
+- Modify source

 * Thu Mar 19 2020 yanglijin <yanglijin@huawei.com> - 1:4.8.7-47
 - add stack protector