The Qt Company reports:
Recently, the Qt Project's security team was made aware of an issue regarding
QProcess and determined it to be a security issue on Unix-based platforms only.
We do not believe this to be a considerable risk for applications as the
likelihood of it being triggered is minimal.
Specifically, the problem is around using QProcess to start an application
without having an absolute path, and as a result, it depends on it finding it
in the PATH environment variable. As a result, it may be possible for an
attacker to place their copy of the executable in question inside the
working/current directory for the QProcess and have it invoked that instead.
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2022-25255
This is the patch linked from the announcement:
https://lists.qt-project.org/pipermail/announce/2022-February/000333.html
7e2eedd0d4