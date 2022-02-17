
Security advisory: QProcess

Thursday February 17, 2022 by Andy Shaw

Recently, the Qt Project's security team was made aware of an issue regarding QProcess and determined it to be a security issue on Unix-based platforms only. We do not believe this to be a considerable risk for applications as the likelihood of it being triggered is minimal.

Specifically, the problem arises when QProcess is used to start an application without an absolute path, so that it depends on finding the executable through the PATH environment variable. As a result, it may be possible for an attacker to place their own copy of the executable in question inside the working/current directory of the QProcess and have that copy invoked instead.

This behavior is expected on Windows, which searches that directory first, before the PATH environment variable, to find the executable in question. On Unix-based platforms, however, it is not normal to search the working/current directory when the executable cannot be found in the PATH environment variable. It could therefore enable an attacker to place a malicious executable there with the same name.

If you are using QProcess with an absolute or relative path, then this is not a problem, because it will invoke that one specifically. But if you are using it like this:

QProcess p;

p.start("application", args);

it could run into this problem.

Patches for the currently supported versions of Qt and for Qt 5.12 can be found here:

dev: https://codereview.qt-project.org/c/qt/qtbase/+/393113
Qt 6.2: https://codereview.qt-project.org/c/qt/qtbase/+/394914 or https://download.qt.io/official_releases/qt/6.2/CVE-2022-25255-qprocess6-2.diff
Qt 5.15: https://codereview.qt-project.org/c/qt/tqtc-qtbase/+/394919 or https://download.qt.io/official_releases/qt/5.15/CVE-2022-25255-qprocess5-15.diff
Qt 5.12: https://codereview.qt-project.org/c/qt/qtbase/+/396020

If you prefer not to patch Qt, you can work around this by resolving a complete path for the application yourself rather than leaving the lookup to QProcess. You can use QStandardPaths::findExecutable() for this purpose, as it searches your PATH environment variable and, as a result, gives you a safe path to use.
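The lookup rule behind this workaround, as an added example in plain C++ and POSIX (it is not Qt Project code and does not reproduce QStandardPaths::findExecutable()). The helper names resolveInPath and isExecutableFile are hypothetical, and skipping empty and relative PATH entries is this example's own stricter assumption.

```cpp
// Added example: PATH-only lookup of a bare program name (standard C++ and POSIX, no Qt).
#include <cstdio>
#include <cstdlib>
#include <sstream>
#include <string>
#include <sys/stat.h>
#include <unistd.h>

// True if `path` is a regular file the calling user may execute.
static bool isExecutableFile(const std::string &path) {
    struct stat st;
    return ::stat(path.c_str(), &st) == 0 && S_ISREG(st.st_mode)
        && ::access(path.c_str(), X_OK) == 0;
}

// Resolve a bare program name against `pathEnv` (a PATH-style list).
// Returns an absolute path, or "" when no entry holds the program.
std::string resolveInPath(const std::string &name, const std::string &pathEnv) {
    if (name.empty() || name.find('/') != std::string::npos)
        return std::string();          // not a bare name: caller already chose a path
    std::istringstream entries(pathEnv);
    std::string dir;
    while (std::getline(entries, dir, ':')) {
        // Assumption of this example: empty and relative entries are skipped,
        // because they resolve against the working directory.
        if (dir.empty() || dir[0] != '/')
            continue;
        const std::string candidate = dir + "/" + name;
        if (isExecutableFile(candidate))
            return candidate;
    }
    return std::string();              // never fall back to the working directory
}

int main(int argc, char **argv) {
    const char *env = std::getenv("PATH");
    const std::string name = argc > 1 ? argv[1] : "application";
    const std::string path = resolveInPath(name, env ? env : "");
    if (path.empty()) {
        std::fprintf(stderr, "%s: not found in PATH, refusing to launch\n", name.c_str());
        return 1;
    }
    // Hand this absolute path to the process launcher instead of the bare name.
    std::printf("%s\n", path.c_str());
    return 0;
}
```

An empty result is treated as a hard failure, so a same-named file sitting in the working directory is never picked up.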

The official CVE report for this can be found here: https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25255

Disclaimer

Qt Group Oyj published this content on 17 February 2022 and is solely responsible for the information contained therein. Distributed by Public, unedited and unaltered, on 17 February 2022 10:15:07 UTC.


© Publicnow 2022