Ubuntu: fix insecure access to CWD when looking up files

The logic wa sapparently to make sure that we can find the QML file when run
straight from the build dir. However, it is important to use the path to the
aplication binary instead of the $CWD because otherwise Trojita would do
extremely dumb thing when called from inside an attacker-controlled directory.

This commit also adds the path to the app's exec file to the list of paths to
perform the lookup in order to preserve the desired functionality.