CVE-2020-24742

NameCVE-2020-24742
DescriptionAn issue has been fixed in Qt versions 5.14.0 where QPluginLoader attempts to load plugins relative to the working directory, allowing attackers to execute arbitrary code via crafted files.
SourceCVE (at NVD; CERT, LWN, oss-sec, fulldisc, Red Hat, Ubuntu, Gentoo, SUSE bugzilla/CVE, GitHub advisories/code/issues, web search, more)
ReferencesDSA-4617-1

Vulnerable and fixed packages

The table below lists information on source packages.

Source PackageReleaseVersionStatus
qt4-x11 (PTS)buster4:4.8.7+dfsg-18+deb10u1fixed
buster (security)4:4.8.7+dfsg-18+deb10u2fixed
qtbase-opensource-src (PTS)buster5.11.3+dfsg1-1+deb10u5fixed
buster (security)5.11.3+dfsg1-1+deb10u6fixed
bullseye5.15.2+dfsg-9fixed
bookworm5.15.8+dfsg-11fixed
sid, trixie5.15.10+dfsg-7.2fixed
qtbase-opensource-src-gles (PTS)bullseye5.15.2+dfsg-4fixed
bookworm5.15.8+dfsg-3fixed
sid, trixie5.15.10+dfsg-6fixed

The information below is based on the following data on fixed versions.

PackageTypeReleaseFixed VersionUrgencyOriginDebian Bugs
qt4-x11source(unstable)(not affected)
qtbase-opensource-srcsourcestretch5.7.1+dfsg-3+deb9u2DSA-4617-1
qtbase-opensource-srcsourcebuster5.11.3+dfsg1-1+deb10u3DSA-4617-1
qtbase-opensource-srcsource(unstable)5.12.5+dfsg-8
qtbase-opensource-src-glessource(unstable)5.14.2+dfsg-3

Notes

- qt4-x11 <not-affected> (Vulnerable code introduced later)
https://codereview.qt-project.org/c/qt/qtbase/+/280730
Introduced in https://codereview.qt-project.org/gitweb?p=qt/qtbase.git;a=commitdiff;h=3146dadb42cb36aff83a62e831b8b4f4dc1562a7 (v5.6.0-alpha1)
Fixed by: https://codereview.qt-project.org/gitweb?p=qt/qtbase.git;a=commitdiff;h=bf131e8d2181b3404f5293546ed390999f760404 (v5.14.0-rc1)
Same fix as CVE-2020-0569
Search for package or bug name: Reporting problems