Version in base suite: 5.11.3+dfsg1-1+deb10u1 Version in overlay suite: 5.11.3+dfsg1-1+deb10u2 Base version: qtbase-opensource-src_5.11.3+dfsg1-1+deb10u2 Target version: qtbase-opensource-src_5.11.3+dfsg1-1+deb10u3 Base file: /srv/ftp-master.debian.org/ftp/pool/main/q/qtbase-opensource-src/qtbase-opensource-src_5.11.3+dfsg1-1+deb10u2.dsc Target file: /srv/ftp-master.debian.org/policy/pool/main/q/qtbase-opensource-src/qtbase-opensource-src_5.11.3+dfsg1-1+deb10u3.dsc changelog | 9 +++++++++ patches/CVE-2020-0569.diff | 14 ++++++++++++++ patches/CVE-2020-0570.diff | 32 ++++++++++++++++++++++++++++++++ patches/series | 2 ++ 4 files changed, 57 insertions(+)
diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/changelog qtbase-opensource-src-5.11.3+dfsg1/debian/changelog
--- qtbase-opensource-src-5.11.3+dfsg1/debian/changelog 2019-11-24 17:34:59.000000000 +0000
+++ qtbase-opensource-src-5.11.3+dfsg1/debian/changelog 2020-01-30 13:42:01.000000000 +0000
@@ -1,3 +1,12 @@
+qtbase-opensource-src (5.11.3+dfsg1-1+deb10u3) buster-security; urgency=high
+
+ [ Dmitry Shachnev ]
+ * Backport fixes for two vulnerabilities:
+ - CVE-2020-0569: Do not load plugin from the CWD.
+ - CVE-2020-0570: Qt tries to load invalid library from CWD.
+
+ -- Lisandro Damián Nicanor Pérez Meyer Thu, 30 Jan 2020 10:42:01 -0300
+
 qtbase-opensource-src (5.11.3+dfsg1-1+deb10u2) buster; urgency=medium
 
 [ Dmitry Shachnev ]
diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0569.diff qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0569.diff
--- qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0569.diff 1970-01-01 00:00:00.000000000 +0000
+++ qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0569.diff 2020-01-30 13:42:01.000000000 +0000
@@ -0,0 +1,14 @@
+Description: do not load plugin from the $PWD
+Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=bf131e8d2181b340
+Last-Update: 2020-01-30
+
+--- a/src/corelib/plugin/qpluginloader.cpp
++++ b/src/corelib/plugin/qpluginloader.cpp
+@@ -305,7 +305,6 @@ static QString locatePlugin(const QStrin
+ paths.append(fileName.left(slash)); // don't include the '/'
+ } else {
+ paths = QCoreApplication::libraryPaths();
+- paths.prepend(QStringLiteral(".")); // search in current dir first
+ }
+
+ for (const QString &path : qAsConst(paths)) {
diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0570.diff qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0570.diff
--- qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0570.diff 1970-01-01 00:00:00.000000000 +0000
+++ qtbase-opensource-src-5.11.3+dfsg1/debian/patches/CVE-2020-0570.diff 2020-01-30 13:42:01.000000000 +0000
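Review bot: The dropped `paths.prepend(QStringLiteral("."))` in locatePlugin leaves no trace in the code of why a bare plugin name is no longer resolved against the working directory, so the lookup could be reinstated later as a convenience without anyone noticing the regression. I would add, next to `paths = QCoreApplication::libraryPaths();`, the comment `// Deliberately not searching the current directory (CVE-2020-0569): a bare name is resolved through the library paths only.` The branch above it, which keeps `fileName.left(slash)` as the search directory, appears to still cover names that carry an explicit directory component, so callers that want a CWD-relative plugin can presumably pass one. locatePlugin's body starts and ends outside the quoted hunk.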
@@ -0,0 +1,32 @@
+Description: QLibrary/Unix: do not attempt to load a library relative to $PWD
+ I added the code in commit 5219c37f7c98f37f078fee00fe8ca35d83ff4f5d to
+ find libraries in a haswell/ subdir of the main path, but we only need
+ to do that transformation if the library is contains at least one
+ directory separator. That is, if the user asks to load "lib/foo", then we
+ should try "lib/haswell/foo" (often, the path prefix will be absolute).
+ .
+ When the library name the user requested has no directory separators, we
+ let dlopen() do the transformation for us. Testing on Linux confirms
+ glibc does so:
+ .
+ $ LD_DEBUG=libs /lib64/ld-linux-x86-64.so.2 --inhibit-cache ./qml -help |& grep Xcursor
+ 1972475: find library=libXcursor.so.1 [0]; searching
+ 1972475: trying file=/usr/lib64/haswell/avx512_1/libXcursor.so.1
+ 1972475: trying file=/usr/lib64/haswell/libXcursor.so.1
+ 1972475: trying file=/usr/lib64/libXcursor.so.1
+ 1972475: calling init: /usr/lib64/libXcursor.so.1
+ 1972475: calling fini: /usr/lib64/libXcursor.so.1 [0]
+Origin: upstream, https://code.qt.io/cgit/qt/qtbase.git/commit/?id=e6f1fde24f77f63f
+Last-Update: 2020-01-30
+
+--- a/src/corelib/plugin/qlibrary_unix.cpp
++++ b/src/corelib/plugin/qlibrary_unix.cpp
+@@ -208,6 +208,8 @@ bool QLibraryPrivate::load_sys()
+ for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
+ if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
+ continue;
++ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
++ continue;
+ if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
+ continue;
+ if (loadHints & QLibrary::LoadArchiveMemberHint) {
diff -Nru qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series
--- qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series 2019-11-24 17:34:59.000000000 +0000
+++ qtbase-opensource-src-5.11.3+dfsg1/debian/patches/series
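Review bot: The new guard `if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/'))) continue;` in load_sys carries no comment, and its reasoning — that a prefix with a directory component, like the haswell/ sub-directory described in the patch header, is only meaningful when the caller supplied a directory and must otherwise be left to dlopen()'s own search — lives only in the patch description, which nobody reading qlibrary_unix.cpp will see. I would precede the check with `// Sub-directory prefixes are only valid relative to an explicit path; for a bare name, leave the search to dlopen() rather than resolving the prefix against $PWD.` The guard depends only on `path` and `prefix` yet sits inside the suffix loop, which mirrors the placement of the existing `name.startsWith(prefixes.at(prefix))` check, so that is a consistency choice rather than a defect; what `path` holds is not visible in the hunk and is inferred from the description. load_sys continues on both sides of the hunk.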
2020-01-30 13:42:01.000000000 +0000
@@ -8,6 +8,8 @@
 raw_printers.diff
 ensure-qtabletevent-is-not-pre-accepted.patch
 repolish_run_on_direct_children.diff
+CVE-2020-0569.diff
+CVE-2020-0570.diff
 # Debian specific.
 gnukfreebsd.diff