authorAdriaan de Groot <adridg@FreeBSD.org>2022-02-21 00:26:36 +0000
committerAdriaan de Groot <adridg@FreeBSD.org>2022-02-21 00:26:36 +0000
commit7c60f16624be06a178455989e618cc79d1eade6f (patch)
treebb7c161cff6400620d5ec1292d12d2a720c54b9b
parentaf1809be087ca0660f2018d10e64685e9c25e490 (diff)
devel/qt5-core: add upstream security patch
-rw-r--r--devel/qt5-core/Makefile1
-rw-r--r--devel/qt5-core/files/patch-CVE-2022-25255-qprocess5-15.diff63
2 files changed, 64 insertions, 0 deletions
diff --git a/devel/qt5-core/Makefile b/devel/qt5-core/Makefile
index d2b938e1f768..32440f6a5882 100644
--- a/devel/qt5-core/Makefile
+++ b/devel/qt5-core/Makefile
@@ -1,5 +1,6 @@
PORTNAME= core
PORTVERSION= ${QT5_VERSION}${QT5_KDE_PATCH}
+PORTREVISION= 1
CATEGORIES= devel
PKGNAMEPREFIX= qt5-
diff --git a/devel/qt5-core/files/patch-CVE-2022-25255-qprocess5-15.diff b/devel/qt5-core/files/patch-CVE-2022-25255-qprocess5-15.diff
new file mode 100644
index 000000000000..538ab4ead6db
--- /dev/null
+++ b/devel/qt5-core/files/patch-CVE-2022-25255-qprocess5-15.diff
@@ -0,0 +1,63 @@
+This is the patch linked from the announcement
+ https://lists.qt-project.org/pipermail/announce/2022-February/000333.html
+with two changes: in our sources, the copyright year for the
+Qt Company is 2016, the upstream patch says 2021. Changed that
+to make the patch apply. The upstream patch is fetched with
+CRLF line-endings, changed to plain LF.
+
+--- src/corelib/io/qprocess_unix.cpp
++++ src/corelib/io/qprocess_unix.cpp
+@@ -1,7 +1,7 @@
+ /****************************************************************************
+ **
+ ** Copyright (C) 2016 The Qt Company Ltd.
+-** Copyright (C) 2016 Intel Corporation.
++** Copyright (C) 2022 Intel Corporation.
+ ** Contact: https://www.qt.io/licensing/
+ **
+ ** This file is part of the QtCore module of the Qt Toolkit.
+@@ -422,14 +422,15 @@ void QProcessPrivate::startProcess()
+ // Add the program name to the argument list.
+ argv[0] = nullptr;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty()) {
+- const QByteArray &tmp = QFile::encodeName(exeFilePath);
+- argv[0] = ::strdup(tmp.constData());
+- }
+- }
+- if (!argv[0])
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
+ argv[0] = ::strdup(encodedProgramName.constData());
++ }
+
+ // Add every argument to the list
+ for (int i = 0; i < arguments.count(); ++i)
+@@ -983,15 +984,16 @@ bool QProcessPrivate::startDetached(qint64 *pid)
+ envp = _q_dupEnvironment(environment.d.constData()->vars, &envc);
+ }
+
+- QByteArray tmp;
+ if (!program.contains(QLatin1Char('/'))) {
++ // findExecutable() returns its argument if it's an absolute path,
++ // otherwise it searches $PATH; returns empty if not found (we handle
++ // that case much later)
+ const QString &exeFilePath = QStandardPaths::findExecutable(program);
+- if (!exeFilePath.isEmpty())
+- tmp = QFile::encodeName(exeFilePath);
++ const QByteArray &tmp = QFile::encodeName(exeFilePath);
++ argv[0] = ::strdup(tmp.constData());
++ } else {
++ argv[0] = ::strdup(QFile::encodeName(program));
+ }
+- if (tmp.isEmpty())
+- tmp = QFile::encodeName(program);
+- argv[0] = tmp.data();
+
+ if (envp)
+ qt_safe_execve(argv[0], argv, envp);
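Review bot: The comment added at both `findExecutable()` call sites (startProcess and startDetached) says the empty result is handled "much later", but it never says that passing the empty path through is the fix itself. With the old `if (!argv[0])` / `if (tmp.isEmpty())` fallbacks removed, a slash-less program name that is not found in $PATH now reaches exec as an empty string instead of the bare name, which appears to be what keeps a same-named file in the working directory from being run (the issue tracked as CVE-2022-25255). I would state that in the comment, e.g. `// Not found: keep argv[0] empty so exec fails; never fall back to the bare name (CVE-2022-25255).`, so the fallback is not reintroduced later as a robustness fix. The code that reports the failure lies outside both hunks, so it is worth confirming on the patched port that starting a missing program still surfaces a failed-to-start error. The startDetached branch also passes the `QByteArray` straight to `::strdup()` where the other branch uses `.constData()`; using `.constData()` in both would be consistent.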