Version in base suite: 4.1.5-1
Base version: qbittorrent_4.1.5-1
Target version: qbittorrent_4.1.5-1+deb10u1
Base file: /srv/ftp-master.debian.org/ftp/pool/main/q/qbittorrent/qbittorrent_4.1.5-1.dsc
Target file: /srv/ftp-master.debian.org/policy/pool/main/q/qbittorrent/qbittorrent_4.1.5-1+deb10u1.dsc
changelog | 8 ++
patches/Prevent-command-injection-via-Run-external-program-f.patch | 32 ++++++++++
patches/series | 1
3 files changed, 41 insertions(+)
diff -Nru qbittorrent-4.1.5/debian/changelog qbittorrent-4.1.5/debian/changelog
--- qbittorrent-4.1.5/debian/changelog 2018-12-30 21:09:08.000000000 +0000
+++ qbittorrent-4.1.5/debian/changelog 2020-03-29 16:14:15.000000000 +0000
@@ -1,3 +1,11 @@
+qbittorrent (4.1.5-1+deb10u1) buster-security; urgency=high
+
+ * Non-maintainer upload by the Security Team.
+ * Prevent command injection via "Run external program" function
+ (CVE-2019-13640) (Closes: #932539)
+
+ -- Salvatore Bonaccorso Sun, 29 Mar 2020 18:14:15 +0200
+
 qbittorrent (4.1.5-1) unstable; urgency=medium
 
 * New upstream release (Closes: #917265).
diff -Nru qbittorrent-4.1.5/debian/patches/Prevent-command-injection-via-Run-external-program-f.patch qbittorrent-4.1.5/debian/patches/Prevent-command-injection-via-Run-external-program-f.patch
--- qbittorrent-4.1.5/debian/patches/Prevent-command-injection-via-Run-external-program-f.patch 1970-01-01 00:00:00.000000000 +0000
+++ qbittorrent-4.1.5/debian/patches/Prevent-command-injection-via-Run-external-program-f.patch 2020-03-29 16:14:15.000000000 +0000
@@ -0,0 +1,32 @@
+From: Chocobo1
+Date: Thu, 18 Jul 2019 22:36:40 +0800
+Subject: Prevent command injection via "Run external program" function
+Origin: https://github.com/qbittorrent/qBittorrent/commit/2ef96eb218f788c51870e0d68c737e62adbb25ff
+Bug-Debian-Security: https://security-tracker.debian.org/tracker/CVE-2019-13640
+Bug-Debian: https://bugs.debian.org/932539
+Bug: https://github.com/qbittorrent/qBittorrent/issues/10925
+
+---
+ src/app/application.cpp | 6 +++++-
+ 1 file changed, 5 insertions(+), 1 deletion(-)
+
+diff --git a/src/app/application.cpp b/src/app/application.cpp
+index 1f06340e48db..9ee888fa9819 100644
+--- a/src/app/application.cpp
++++ b/src/app/application.cpp
+@@ -332,7 +332,11 @@ void Application::runExternalProgram(const BitTorrent::TorrentHandle *torrent) c
+
+ ::LocalFree(args);
+ #else
+- QProcess::startDetached(QLatin1String("/bin/sh"), {QLatin1String("-c"), program});
++ // Cannot give users shell environment by default, as doing so could
++ // enable command injection via torrent name and other arguments
++ // (especially when some automated download mechanism has been setup).
++ // See: https://github.com/qbittorrent/qBittorrent/issues/10925
++ QProcess::startDetached(program);
+ #endif
+ }
+
+--
+2.26.0
+
diff -Nru qbittorrent-4.1.5/debian/patches/series qbittorrent-4.1.5/debian/patches/series
--- qbittorrent-4.1.5/debian/patches/series 2017-09-03 17:46:12.000000000 +0000
+++ qbittorrent-4.1.5/debian/patches/series 2020-03-29 16:14:15.000000000 +0000
@@ -1,2 +1,3 @@
 honor-buildflags.patch
 kfreebsd-detection.patch
+Prevent-command-injection-via-Run-external-program-f.patch
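Review bot: The replacement `QProcess::startDetached(program);` still hands Qt a single command-line string, which the one-argument overload tokenises into program and arguments by its own whitespace and double-quote rules, so a substituted torrent field containing whitespace or quote characters can still shift argument boundaries even though no shell is involved any more; the added comment explains why the shell was dropped but not this residual behaviour. I would extend the comment with `// Note: the single-QString overload still splits on whitespace/quotes; users should quote substituted fields in their command string.` so the next maintainer knows the fix removes shell interpretation, not argument splitting. The comment's reference to the torrent name as an injection vector presumably refers to substitution performed earlier in runExternalProgram, whose body starts and ends outside this hunk. Later Qt releases deprecate the single-string overload in favour of splitting explicitly and calling the (program, arguments) overload, which would make the tokenisation visible at the call site; that is a follow-up rather than something this security update needs.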