author | J0WI <J0WI@users.noreply.github.com> | 2019-08-30 01:26:25 +0200 |
---|---|---|
committer | Leo <thinkabit.ukim@gmail.com> | 2019-08-29 20:59:38 -0300 |
commit | 6745381a2cb7575498af9170c2e54648d297633e (patch) | |
tree | e7e159ae96ab2e4e710e8b46e8688dd873f2af19 /testing/qbittorrent-nox | |
parent | 19abb7bb2c68ae9ed87a81bec158fd16f08cab97 (diff) | |
download | aports-6745381a2cb7575498af9170c2e54648d297633e.tar.bz2 aports-6745381a2cb7575498af9170c2e54648d297633e.tar.xz |
testing/qbittorrent-nox: security patch for CVE-2019-13640
Diffstat (limited to 'testing/qbittorrent-nox')
-rw-r--r-- | testing/qbittorrent-nox/APKBUILD | 10 | ||||
-rw-r--r-- | testing/qbittorrent-nox/CVE-2019-13640.patch | 27 |
2 files changed, 35 insertions, 2 deletions
diff --git a/testing/qbittorrent-nox/APKBUILD b/testing/qbittorrent-nox/APKBUILD
index 3944bc95fc..f60f56cd50 100644
--- a/testing/qbittorrent-nox/APKBUILD
+++ b/testing/qbittorrent-nox/APKBUILD
@@ -2,7 +2,7 @@
 # Maintainer: Jan Tatje <jan@jnt.io>
 pkgname=qbittorrent-nox
 pkgver=4.1.6
-pkgrel=2
+pkgrel=3
 _commit=1831f71cc452b164224d8b6399a8130d6d5b1c24
 pkgdesc="qBittorrent client (webui only)"
 url="https://www.qbittorrent.org/"
@@ -17,9 +17,14 @@ source="
 qbittorrent-nox.initd
 qbittorrent-nox.confd
 https://github.com/qbittorrent/qBittorrent/archive/$_commit.tar.gz
+ CVE-2019-13640.patch
 "
 builddir="$srcdir/qBittorrent-$_commit"
 
+# secfixes:
+# 4.1.6-r3:
+# - CVE-2019-13640
+
 build() {
 ./configure --disable-gui --disable-qt-dbus --prefix=/usr
 make
@@ -36,4 +41,5 @@ package() {
 
 sha512sums="310df13ca8249e2ed57b7490ffa8f6beb0b273d856a62eeb87d47b7c20c531224c03c07124c3b9ac287c00dd9c139180c39933ee33dcb1a8a6ec1f67605dcede qbittorrent-nox.initd
 999e58bcf0a528f88655611cb7d0ec2bd5f0a1aed1696b71be27e24a1708112540afa7fb37688ec865de1d9c7af6e7a2293773790bd8941bb94a1dc1f9ebe95e qbittorrent-nox.confd
-5f6abfd8a9345e9972554ee55d79c2263ca80880ad3357540f13c6bd9337780d836a0b1c287b6c051f466eb98e380e6cee5b9381a1f2430cbc37643cd2386a40 1831f71cc452b164224d8b6399a8130d6d5b1c24.tar.gz"
+5f6abfd8a9345e9972554ee55d79c2263ca80880ad3357540f13c6bd9337780d836a0b1c287b6c051f466eb98e380e6cee5b9381a1f2430cbc37643cd2386a40 1831f71cc452b164224d8b6399a8130d6d5b1c24.tar.gz
+7fdaa5d0984e072db0f29b0904e19a43999f4766a4342da525ef793443a9f66329cf2822932d8547ef381af08906a72cf5426a47b1a01878c52dba9414d5a5cc CVE-2019-13640.patch"
diff --git a/testing/qbittorrent-nox/CVE-2019-13640.patch b/testing/qbittorrent-nox/CVE-2019-13640.patch
new file mode 100644
index 0000000000..2f938bd820
--- /dev/null
+++ b/testing/qbittorrent-nox/CVE-2019-13640.patch
@@ -0,0 +1,27 @@
+From a610c8567e55516231d199b551e0e7e2dca70cbf Mon Sep 17 00:00:00 2001
+From: Chocobo1 <Chocobo1@users.noreply.github.com>
+Date: Thu, 18 Jul 2019 22:36:40 +0800
+Subject: [PATCH] Prevent command injection via "Run external program" function
+
+Closes #10925.
+---
+ src/app/application.cpp | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/app/application.cpp b/src/app/application.cpp
+index a124f2a3d9..19b8823d22 100644
+--- a/src/app/application.cpp
++++ b/src/app/application.cpp
+@@ -335,7 +335,11 @@ void Application::runExternalProgram(const BitTorrent::TorrentHandle *torrent) c
+ 
+ ::LocalFree(args);
+ #else
+- QProcess::startDetached(QLatin1String("/bin/sh"), {QLatin1String("-c"), program});
++ // Cannot give users shell environment by default, as doing so could
++ // enable command injection via torrent name and other arguments
++ // (especially when some automated download mechanism has been setup).
++ // See: https://github.com/qbittorrent/qBittorrent/issues/10925
++ QProcess::startDetached(program);
+ #endif
+ } |
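Review bot: The new `QProcess::startDetached(program);` line in the patched Unix branch hands the whole user-configured command string to QProcess's own argument splitting instead of `/bin/sh -c`, so any existing "Run external program" setting that relied on shell syntax (pipes, redirection, variable expansion, command chaining) silently stops working after this package upgrade, and the APKBUILD's `# secfixes:` entry records only the CVE, not this behaviour change. I would document it for the package's users with a comment next to the secfixes block, e.g. `# CVE-2019-13640 fix drops the /bin/sh -c wrapper from "Run external program"; commands that used shell syntax must be rewritten as a plain program invocation.` The quoting rules that now apply are Qt's single-string tokenizer, not the shell's, so arguments containing spaces need double quotes in the setting — worth confirming against the Qt version this package links with. `Application::runExternalProgram` begins outside the inner hunk; only its Unix branch and closing brace are visible here.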