From e94a951862b7860c15e219dce48e60c9dc1dc3d2 Mon Sep 17 00:00:00 2001
From: Magdalena Stojek
Date: Tue, 3 Jun 2025 15:22:23 +0200
Subject: [PATCH] Mark qtbase/src/corelib/plugin files as security-critical
- quuid.cpp parses the string representation of a UUID
- qfactoryloader.cpp parses metadata from loaded plugin
- qcoffpeparser.cpp, qelfparser_p.cpp and qmachparser.cpp as they are binary object files parsers
- qlibrary.cpp, qlibrary_unix.cpp, qlibrary_win.cpp, qpluginloader.cpp are responsible for finding and loading plugins from untrusted locations.
Fixes: QTBUG-135193
Change-Id: Ibbcefeab80e7455225ade620bdba45dbc592c581
Reviewed-by: Edward Welbourne
Reviewed-by: Matthias Rauter
---
 src/corelib/plugin/qcoffpeparser.cpp | 1 +
 src/corelib/plugin/qelfparser_p.cpp | 1 +
 src/corelib/plugin/qfactoryloader.cpp | 1 +
 src/corelib/plugin/qlibrary.cpp | 2 ++
 src/corelib/plugin/qlibrary_unix.cpp | 1 +
 src/corelib/plugin/qlibrary_win.cpp | 1 +
 src/corelib/plugin/qmachparser.cpp | 1 +
 src/corelib/plugin/qpluginloader.cpp | 1 +
 src/corelib/plugin/quuid.cpp | 1 +
 9 files changed, 10 insertions(+)
diff --git a/src/corelib/plugin/qcoffpeparser.cpp b/src/corelib/plugin/qcoffpeparser.cpp
index 8fef53a41a5..aad87858fe7 100644
--- a/src/corelib/plugin/qcoffpeparser.cpp
+++ b/src/corelib/plugin/qcoffpeparser.cpp
@@ -1,5 +1,6 @@
 // Copyright (C) 2021 Intel Corporation.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 #include "qcoffpeparser_p.h"
diff --git a/src/corelib/plugin/qelfparser_p.cpp b/src/corelib/plugin/qelfparser_p.cpp
index 78c9be0e563..d3cdb389d03 100644
--- a/src/corelib/plugin/qelfparser_p.cpp
+++ b/src/corelib/plugin/qelfparser_p.cpp
@@ -1,6 +1,7 @@
 // Copyright (C) 2017 The Qt Company Ltd.
 // Copyright (C) 2021 Intel Corporation.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 #include "qelfparser_p.h"
diff --git a/src/corelib/plugin/qfactoryloader.cpp b/src/corelib/plugin/qfactoryloader.cpp
index 31abed73cf9..70429bfa6f4 100644
--- a/src/corelib/plugin/qfactoryloader.cpp
+++ b/src/corelib/plugin/qfactoryloader.cpp
@@ -1,6 +1,7 @@
 // Copyright (C) 2021 The Qt Company Ltd.
 // Copyright (C) 2022 Intel Corporation.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 #include "qfactoryloader_p.h"
diff --git a/src/corelib/plugin/qlibrary.cpp b/src/corelib/plugin/qlibrary.cpp
index 854d375c72f..957b42ebfc9 100644
--- a/src/corelib/plugin/qlibrary.cpp
+++ b/src/corelib/plugin/qlibrary.cpp
@@ -1,6 +1,8 @@
 // Copyright (C) 2020 The Qt Company Ltd.
 // Copyright (C) 2021 Intel Corporation.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:execute-external-code
+
 #include "qlibrary.h"
 #include "qlibrary_p.h"
diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
index f03eba3bffa..a223b295e63 100644
--- a/src/corelib/plugin/qlibrary_unix.cpp
+++ b/src/corelib/plugin/qlibrary_unix.cpp
@@ -1,6 +1,7 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // Copyright (C) 2020 Intel Corporation
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:execute-external-code
 #include "qplatformdefs.h"
diff --git a/src/corelib/plugin/qlibrary_win.cpp b/src/corelib/plugin/qlibrary_win.cpp
index 98c5a4af06c..ab2bc0c7a98 100644
--- a/src/corelib/plugin/qlibrary_win.cpp
+++ b/src/corelib/plugin/qlibrary_win.cpp
@@ -1,5 +1,6 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:execute-external-code
 #include "qplatformdefs.h"
 #include "qlibrary_p.h"
diff --git a/src/corelib/plugin/qmachparser.cpp b/src/corelib/plugin/qmachparser.cpp
index 7a82b84cb36..2b0deb506bb 100644
--- a/src/corelib/plugin/qmachparser.cpp
+++ b/src/corelib/plugin/qmachparser.cpp
@@ -1,5 +1,6 @@
 // Copyright (C) 2016 Intel Corporation.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 #include "qmachparser_p.h"
diff --git a/src/corelib/plugin/qpluginloader.cpp b/src/corelib/plugin/qpluginloader.cpp
index df154f7e8dd..78c6999b3c8 100644
--- a/src/corelib/plugin/qpluginloader.cpp
+++ b/src/corelib/plugin/qpluginloader.cpp
@@ -1,6 +1,7 @@
 // Copyright (C) 2016 The Qt Company Ltd.
 // Copyright (C) 2018 Intel Corporation.
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:execute-external-code
 #include "qpluginloader.h"
diff --git a/src/corelib/plugin/quuid.cpp b/src/corelib/plugin/quuid.cpp
index e0e395ab1a0..b1265f7a809 100644
--- a/src/corelib/plugin/quuid.cpp
+++ b/src/corelib/plugin/quuid.cpp
@@ -1,6 +1,7 @@
 // Copyright (C) 2020 The Qt Company Ltd.
 // Copyright (C) 2017 Klarälvdalens Datakonsult AB, a KDAB Group company, info@kdab.com, author Marc Mutz
 // SPDX-License-Identifier: LicenseRef-Qt-Commercial OR LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
+// Qt-Security score:critical reason:data-parser
 #include "quuid.h"
 #include "quuid_p.h"