FreeBSD VuXML: Documenting security issues in FreeBSD and the FreeBSD Ports Collection

Qt5 -- QProcess unexpected search path

Affected packages
qt5-core < 5.15.2p263_1


VuXML ID 43ae57f6-92ab-11ec-81b4-2cf05d620ecc
Discovery 2022-02-17
Entry 2022-02-21

The Qt Company reports:

Recently, the Qt Project's security team was made aware of an issue regarding QProcess and determined it to be a security issue on Unix-based platforms only. We do not believe this to be a considerable risk for applications as the likelihood of it being triggered is minimal.

Specifically, the problem is around using QProcess to start an application without having an absolute path, and as a result, it depends on it finding it in the PATH environment variable. As a result, it may be possible for an attacker to place their copy of the executable in question inside the working/current directory for the QProcess and have it invoked that instead.


CVE Name CVE-2022-25255