From ebec5ae57367c1257cc31eb068c5992658d4d503 Mon Sep 17 00:00:00 2001
From: Filpped
Date: Fri, 17 Jan 2025 17:01:57 +0800
Subject: [PATCH 1/2] fix CVE-2020-24741
---
 CVE-2020-24741.patch | 13 +++++++++++++
 qt.spec | 9 ++++++++-
 2 files changed, 21 insertions(+), 1 deletion(-)
 create mode 100644 CVE-2020-24741.patch
diff --git a/CVE-2020-24741.patch b/CVE-2020-24741.patch
new file mode 100644
index 0000000..a57f090
--- /dev/null
+++ b/CVE-2020-24741.patch
@@ -0,0 +1,13 @@
+diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_unix.cpp
+index f0de1010d7b..135b82cd378 100644
+--- a/src/corelib/plugin/qlibrary_unix.cpp
++++ b/src/corelib/plugin/qlibrary_unix.cpp
+@@ -209,6 +209,8 @@ bool QLibraryPrivate::load_sys()
+ for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
+ if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
+ continue;
++ if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/')))
++ continue;
+ if (!suffixes.at(suffix).isEmpty() && name.endsWith(suffixes.at(suffix)))
+ continue;
+ if (loadHints & QLibrary::LoadArchiveMemberHint) {
diff --git a/qt.spec b/qt.spec
index 36a4654..c6b40f8 100644
--- a/qt.spec
+++ b/qt.spec
@@ -13,7 +13,7 @@ Name: qt
 Epoch: 1
 Version: 4.8.7
-Release: 60
+Release: 61
 Summary: A software toolkit for developing applications
 License: (LGPLv2 with exceptions or GPLv3 with exceptions) and ASL 2.0 and BSD and FTL and MIT
 URL: http://qt-project.org/
@@ -93,6 +93,7 @@ Patch6008: qt-CVE-2023-34410.patch
 Patch6009: qt-CVE-2023-38197.patch
 Patch6010: qt-CVE-2023-37369.patch
 Patch6011: qt-CVE-2023-43114.patch
+Patch6012: CVE-2020-24741.patch
 BuildRequires: cups-devel desktop-file-utils gcc-c++ libjpeg-devel findutils libmng-devel libtiff-devel pkgconfig pkgconfig(alsa)
 BuildRequires: pkgconfig(dbus-1) pkgconfig(fontconfig) pkgconfig(glib-2.0) pkgconfig(icu-i18n) openssl-devel pkgconfig(libpng)
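Review bot: The guard that the new CVE-2020-24741.patch adds inside `QLibraryPrivate::load_sys()`, `if (path.isEmpty() && prefixes.at(prefix).contains(QLatin1Char('/'))) continue;`, carries no comment and only takes effect when some entry of `prefixes` contains a directory separator. The construction of `prefixes` and `path`, and the rest of the loop, are outside the hunk, so it is worth confirming that this 4.8.7 tree can actually produce such a prefix; if it cannot, the branch is never taken and library lookup behaves exactly as it did before the patch. Assuming the candidate name is assembled from path, prefix, name and suffix further down, I would record the intent above the check with a comment such as `// No directory given: skip prefixes containing '/', so a bare name is never tried as a relative path (CVE-2020-24741)`.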
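Review bot: `Patch6012: CVE-2020-24741.patch` in the qt.spec hunk at line 93 breaks the naming used by the entries directly above it (`qt-CVE-2023-34410.patch` through `qt-CVE-2023-43114.patch`); `Patch6012: qt-CVE-2020-24741.patch`, with the file renamed to match, would keep the source list consistent. The %prep section is outside these hunks, so it is not visible whether patches are applied automatically or through explicit `%patch` lines; if the latter, a matching `%patch6012 -p1` is needed, otherwise the fix is declared but never applied to the build. The inner patch uses `a/src/...` and `b/src/...` paths, so the strip level would have to be 1.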
@@ -470,6 +471,12 @@ fi
 %{_qt4_prefix}/examples/
 %changelog
+* Fri Jan 17 2025 pengjian - 1:4.8.7-61
+- Type:cves
+- ID:CVE-2020-24741
+- SUG:NA
+- DESC:fix CVE-2020-24741
+
 * Mon Nov 27 2023 hua_yadong - 1:4.8.7-60
 - Type:cves
 - ID:CVE-2023-43114
--
Gitee
From 61d3e9771d3aef90cba340b9c378bf27901643fd Mon Sep 17 00:00:00 2001
From: Filpped
Date: Fri, 17 Jan 2025 18:10:20 +0800
Subject: [PATCH 2/2] fix patch
---
 CVE-2020-24741.patch | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/CVE-2020-24741.patch b/CVE-2020-24741.patch
index a57f090..6e1bdcc 100644
--- a/CVE-2020-24741.patch
+++ b/CVE-2020-24741.patch
@@ -2,7 +2,7 @@ diff --git a/src/corelib/plugin/qlibrary_unix.cpp b/src/corelib/plugin/qlibrary_
 index f0de1010d7b..135b82cd378 100644
 --- a/src/corelib/plugin/qlibrary_unix.cpp
 +++ b/src/corelib/plugin/qlibrary_unix.cpp
-@@ -209,6 +209,8 @@ bool QLibraryPrivate::load_sys()
+@@ -218,6 +218,8 @@ bool QLibraryPrivate::load_sys()
 for(int suffix = 0; retry && !pHnd && suffix < suffixes.size(); suffix++) {
 if (!prefixes.at(prefix).isEmpty() && name.startsWith(prefixes.at(prefix)))
 continue;
--
Gitee