Candidate: CVE-2022-25255
PublicDate: 2022-02-16 19:15:00 UTC
References:
 https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25255
 https://download.qt.io/official_releases/qt/6.2/qprocess6-2.diff
 https://codereview.qt-project.org/c/qt/qtbase/+/393113
 https://download.qt.io/official_releases/qt/5.15/qprocess5-15.diff
 https://codereview.qt-project.org/c/qt/qtbase/+/396020
 https://codereview.qt-project.org/c/qt/qtbase/+/394914
Description:
 In Qt 5.9.x through 5.15.x before 5.15.9 and 6.x before 6.2.4 on Linux and UNIX, QProcess could execute a binary from the current working directory when not found in the PATH.
Ubuntu-Description:
Notes:
 mdeslaur> introduced by:
 mdeslaur> https://codereview.qt-project.org/gitweb?p=qt%2Fqtbase.git;a=commit;h=28666d167aa8e602c0bea25ebc4d51b55005db13
 mdeslaur> which seems to have been introduced in Qt 5.10, not 5.9 as the
 mdeslaur> CVE description suggests.
Mitigation:
Bugs:
Priority: medium
Discovered-by:
Assigned-to:
CVSS:
 nvd: CVSS:3.1/AV:L/AC:L/PR:L/UI:N/S:U/C:H/I:H/A:H [7.8 HIGH]

Patches_qt6-base:
upstream_qt6-base: needs-triage
trusty_qt6-base: ignored (out of standard support)
xenial_qt6-base: ignored (out of standard support)
jammy_qt6-base: needs-triage
devel_qt6-base: needs-triage

Patches_qtbase-opensource-src:
upstream_qtbase-opensource-src: needs-triage
esm-infra/xenial_qtbase-opensource-src: needs-triage
trusty_qtbase-opensource-src: ignored (out of standard support)
xenial_qtbase-opensource-src: ignored (out of standard support)
bionic_qtbase-opensource-src: not-affected (5.9.5+dfsg-0ubuntu2.6)
focal_qtbase-opensource-src: needed
impish_qtbase-opensource-src: needed
jammy_qtbase-opensource-src: needed
devel_qtbase-opensource-src: needed