Hello community,

here is the log from the commit of package libqt5-qtbase for openSUSE:Leap:15.2 checked in at 2020-02-10 16:41:27

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Leap:15.2/libqt5-qtbase (Old)
 and      /work/SRC/openSUSE:Leap:15.2/.libqt5-qtbase.new.26092 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "libqt5-qtbase" Mon Feb 10 16:41:27 2020 rev:63 rq:772480 version:5.12.7 Changes: -------- --- /work/SRC/openSUSE:Leap:15.2/libqt5-qtbase/libqt5-qtbase.changes 2020-01-15 15:24:11.802535490 +0100 +++ /work/SRC/openSUSE:Leap:15.2/.libqt5-qtbase.new.26092/libqt5-qtbase.changes 2020-02-10 16:41:32.475707044 +0100 @@ -1,0 +2,22 @@ +Fri Jan 31 11:37:10 UTC 2020 - Fabian Vogt <fab...@ritter-vogt.de> + +- Update to 5.12.7: + * New bugfix release + * For more details please see: + http://code.qt.io/cgit/qt/qtbase.git/plain/dist/changes-5.12.7/?h=v5.12.7 +- Drop patches, now upstream: + * 0001-Do-not-load-plugin-from-the-PWD.patch + * 0003-QLibrary-Unix-do-not-attempt-to-load-a-library-relat.patch +- Refresh patches: + * 0002-Revert-qtlite-Fix-build-libs-with-no-feature-regular.patch + +------------------------------------------------------------------- +Thu Jan 30 10:57:44 UTC 2020 - Fabian Vogt <fab...@ritter-vogt.de> + +- Add patches to avoid loading plugins from CWD (bsc#1161167, CVE-2020-0569): + * 0001-Do-not-load-plugin-from-the-PWD.patch + * 0002-Doc-QPluginLoader-remove-the-claim-we-search-the-cur.patch +- Same again, just in a different place (bsc#1162191, CVE-2020-0570): + * 0003-QLibrary-Unix-do-not-attempt-to-load-a-library-relat.patch + +------------------------------------------------------------------- Old: ---- qtbase-everywhere-src-5.12.6.tar.xz New: ---- 0002-Doc-QPluginLoader-remove-the-claim-we-search-the-cur.patch qtbase-everywhere-src-5.12.7.tar.xz ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ libqt5-qtbase.spec ++++++ --- /var/tmp/diff_new_pack.YO6N0v/_old 2020-02-10 16:41:34.731708635 +0100 +++ /var/tmp/diff_new_pack.YO6N0v/_new 2020-02-10 16:41:34.731708635 +0100 
@@ -36,16 +36,16 @@ %endif Name: libqt5-qtbase -Version: 5.12.6 +Version: 5.12.7 Release: 0 Summary: C++ Program Library, Core Components License: LGPL-2.1-with-Qt-Company-Qt-exception-1.1 or LGPL-3.0-only Group: System/Libraries Url: https://www.qt.io %define base_name libqt5 -%define real_version 5.12.6 -%define so_version 5.12.6 -%define tar_version qtbase-everywhere-src-5.12.6 +%define real_version 5.12.7 +%define so_version 5.12.7 +%define tar_version qtbase-everywhere-src-5.12.7 Source: https://download.qt.io/official_releases/qt/5.12/%{real_version}/submodules/%{tar_version}.tar.xz # to get mtime of file: Source1: libqt5-qtbase.changes @@ -75,6 +75,7 @@ Patch23: 0003-Revert-White-list-more-recent-Mesa-version-for-multi.patch Patch24: fix-fixqt4headers.patch # patches 1000-2000 and above from upstream 5.12 branch # +Patch1001: 0002-Doc-QPluginLoader-remove-the-claim-we-search-the-cur.patch # patches 2000-3000 and above from upstream 5.13/dev branch # Patch2000: reproducible-qrc-time.patch Patch2001: 0001-Fix-notification-of-QDockWidget-when-it-gets-undocke.patch ++++++ 0002-Doc-QPluginLoader-remove-the-claim-we-search-the-cur.patch ++++++ >From 3c80bf2bc2fdfa523b6eaefd495affd19d83d48c Mon Sep 17 00:00:00 2001 From: Thiago Macieira <thiago.macie...@intel.com> Date: Wed, 15 Jan 2020 10:56:03 -0800 Subject: [PATCH 2/3] Doc: QPluginLoader: remove the claim we search the current dir Commit bf131e8d2181b3404f5293546ed390999f760404 removed it and it's a good thing. Change-Id: Idc3fae4d0f614c389d27fffd15ea245420035e66 Reviewed-by: Jani Heikkinen <jani.heikki...@qt.io> --- src/corelib/plugin/qpluginloader.cpp | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp index 1bb4457594..7ac30a6eec 100644 --- a/src/corelib/plugin/qpluginloader.cpp +++ b/src/corelib/plugin/qpluginloader.cpp 
@@ -332,7 +332,7 @@ static QString locatePlugin(const QString& fileName) QPluginLoader will automatically look for the file with the appropriate suffix (see QLibrary::isLibrary()). - When loading the plugin, QPluginLoader searches in the current directory and + When loading the plugin, QPluginLoader searches in all plugin locations specified by QCoreApplication::libraryPaths(), unless the file name has an absolute path. After loading the plugin successfully, fileName() returns the fully-qualified file name of -- 2.23.0 ++++++ 0002-Revert-qtlite-Fix-build-libs-with-no-feature-regular.patch ++++++ --- /var/tmp/diff_new_pack.YO6N0v/_old 2020-02-10 16:41:34.763708657 +0100 +++ /var/tmp/diff_new_pack.YO6N0v/_new 2020-02-10 16:41:34.763708657 +0100 @@ -5,12 +5,13 @@ -no-feature-regularexpression" This reverts commit 3b514f853595c686d4ed8830567c1f27ea533faf. + +Adjusted to apply on top of v5.12.7. --- src/corelib/kernel/qvariant.cpp | 4 ---- src/corelib/serialization/qcborvalue.cpp | 12 ------------ src/corelib/serialization/qcborvalue.h | 10 +--------- src/corelib/serialization/qjsoncbor.cpp | 7 ------- - .../platforms/eglfs/api/qeglfsdeviceintegration.cpp | 4 +--- .../xcb/gl_integrations/xcb_glx/qglxintegration.cpp | 6 +----- src/testlib/qtaptestlogger.cpp | 11 +---------- 7 files changed, 4 insertions(+), 50 deletions(-) 
@@ -195,21 +196,6 @@ case QMetaType::QJsonValue: return fromJsonValue(variant.toJsonValue()); case QMetaType::QJsonObject: -diff --git a/src/plugins/platforms/eglfs/api/qeglfsdeviceintegration.cpp b/src/plugins/platforms/eglfs/api/qeglfsdeviceintegration.cpp -index 81bad45c..60ad63ef 100644 ---- a/src/plugins/platforms/eglfs/api/qeglfsdeviceintegration.cpp -+++ b/src/plugins/platforms/eglfs/api/qeglfsdeviceintegration.cpp -@@ -51,9 +51,7 @@ - #include <private/qguiapplication_p.h> - #include <QScreen> - #include <QDir> --#if QT_CONFIG(regularexpression) --# include <QRegularExpression> --#endif -+#include <QRegularExpression> - #include <QLoggingCategory> - - #if defined(Q_OS_LINUX) diff --git a/src/plugins/platforms/xcb/gl_integrations/xcb_glx/qglxintegration.cpp b/src/plugins/platforms/xcb/gl_integrations/xcb_glx/qglxintegration.cpp index cdce77f5..70f83a07 100644 --- a/src/plugins/platforms/xcb/gl_integrations/xcb_glx/qglxintegration.cpp ++++++ qtbase-everywhere-src-5.12.6.tar.xz -> qtbase-everywhere-src-5.12.7.tar.xz ++++++ /work/SRC/openSUSE:Leap:15.2/libqt5-qtbase/qtbase-everywhere-src-5.12.6.tar.xz /work/SRC/openSUSE:Leap:15.2/.libqt5-qtbase.new.26092/qtbase-everywhere-src-5.12.7.tar.xz differ: char 25, line 1
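Review bot: In the Jan 31 entry of the libqt5-qtbase.changes hunk (@@ -1,0 +2,22 @@), the "Drop patches, now upstream" and "Refresh patches" items account for 0001-Do-not-load-plugin-from-the-PWD.patch, 0003-QLibrary-Unix-do-not-attempt-to-load-a-library-relat.patch and 0002-Revert-qtlite-Fix-build-libs-with-no-feature-regular.patch, but say nothing about 0002-Doc-QPluginLoader-remove-the-claim-we-search-the-cur.patch, which the spec still carries as Patch1001. Add one line stating why that documentation patch is kept (e.g. whether it is still missing from 5.12.7), so the next updater can tell when it may be dropped alongside the two CVE-2020-0569/CVE-2020-0570 fixes that went upstream.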
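Review bot: The libqt5-qtbase.spec hunk (@@ -75,6 +75,7 @@) adds the declaration "Patch1001: 0002-Doc-QPluginLoader-remove-the-claim-we-search-the-cur.patch" but the diff shows no matching application step in %prep. If the spec applies patches individually rather than via %autopatch or %autosetup -p1, a corresponding %patch1001 -p1 line is needed, otherwise the declared patch is silently never applied.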
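Review bot: In the header hunk of the refreshed 0002-Revert-qtlite-Fix-build-libs-with-no-feature-regular.patch (@@ -5,12 +5,13 @@), the diffstat line " .../platforms/eglfs/api/qeglfsdeviceintegration.cpp | 4 +---" is removed but the summary "7 files changed, 4 insertions(+), 50 deletions(-)" is left unchanged, so it no longer matches the six files still listed. git am ignores the diffstat, but regenerate the patch (git format-patch) or correct the counts by hand so the header describes the patch actually carried.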
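Review bot: The hunk at @@ -195,21 +196,6 @@ drops the whole qeglfsdeviceintegration.cpp section of the revert (the part that replaced the "#if QT_CONFIG(regularexpression)" guard around "#include <QRegularExpression>" with an unconditional include), yet the only explanation added to the patch description is "Adjusted to apply on top of v5.12.7." Record in that description why the eglfs file no longer needs the revert on 5.12.7 (whether upstream changed that file so the hunk failed to apply, or made it redundant), so a future refresh can tell whether the -no-feature-regularexpression build this patch is meant to keep working is still covered for eglfs.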