File 0012-Restrict-QProcess--ProcessChannelMode-to-two-used-values.patch of Package kpmcore
From 5d1c03b9d8eae4d36d408fd59afa5abf0c10da3b Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?Andrius=20=C5=A0tikonas?= <andrius@stikonas.eu>
Date: Sat, 5 Feb 2022 13:24:38 +0000
Subject: [PATCH] Restrict QProcess::ProcessChannelMode to two used values.
Casting and passing the processChannel argument unfiltered to QProcess
could pose a security issue if future additions are made to
QProcess that introduce new behaviour.
---
src/util/externalcommandhelper.cpp | 5 +++++
1 file changed, 5 insertions(+)
diff --git a/src/util/externalcommandhelper.cpp b/src/util/externalcommandhelper.cpp
index 84a1e97..614cc33 100644
--- a/src/util/externalcommandhelper.cpp
+++ b/src/util/externalcommandhelper.cpp
@@ -334,6 +334,11 @@ QVariantMap ExternalCommandHelper::RunCommand(const QString& command, const QStr
QProcess cmd;
cmd.setEnvironment( { QStringLiteral("LVM_SUPPRESS_FD_WARNINGS=1") } );
+
+ if((processChannelMode != QProcess::SeparateChannels) && (processChannelMode != QProcess::MergedChannels)) {
+ reply[QStringLiteral("success")] = false;
+ return reply;
+ }
cmd.setProcessChannelMode(static_cast<QProcess::ProcessChannelMode>(processChannelMode));
cmd.start(command, arguments);
cmd.write(input);
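Review bot: The new rejection branch for `processChannelMode` returns `success = false` without recording anything, so a caller that sends an out-of-range value to this helper leaves no trace and gets no reason back. A one-line diagnostic before the `return reply;` would make such requests visible, for example `qWarning() << "RunCommand: rejected processChannelMode" << processChannelMode;` (assuming QDebug is already included in this file, which the hunk does not show). The check could also move above `QProcess cmd;` so the caller-supplied value is validated before any process object is configured. A short comment such as `// Allow-list: only the two modes kpmcore uses; reject anything else, including values added to QProcess later` would keep the intent next to the code. RunCommand starts and ends outside this hunk, so whether other reply keys are expected on the failure path cannot be judged from here.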
--
GitLab