Accepting request 1008306 from home:cgiboudeaux:qtwebengine-lts

Update to 5.15.11 OBS-URL: https://build.opensuse.org/request/show/1008306 OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtwebengine?expand=0&rev=46
2022-10-06 06:18:47 +00:00 · 2022-10-06 06:18:47 +00:00 · 1139623c96
commit 1139623c96
parent 7e03adad52
8 changed files with 118 additions and 53 deletions
--- a/4
+++ b/4
@ -1,11 +1,11 @@
 <services>
  <service name="tar_scm" mode="disabled">
   <param name="changesgenerate">enable</param>
-   <param name="version">5.15.10</param>
+   <param name="version">5.15.11</param>
   <param name="url">git://code.qt.io/qt/qtwebengine.git</param>
   <param name="scm">git</param>
   <param name="filename">qtwebengine-everywhere-src</param>
-   <param name="revision">v5.15.10-lts</param>
+   <param name="revision">v5.15.11-lts</param>
  </service>
  <service name="tar_scm" mode="disabled">
   <param name="changesgenerate">disable</param>
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">git://code.qt.io/qt/qtwebengine.git</param>
-              <param name="changesrevision">c7e716ef1ffd63a8ab1f4dbf879230849eb3b505</param></service></servicedata>
+              <param name="changesrevision">3d23b379a7c0a87922f9f5d9600fde8c4e58f1fd</param></service></servicedata>
--- a/libqt5-qtwebengine.changes
+++ b/libqt5-qtwebengine.changes
@ -1,3 +1,52 @@
 -------------------------------------------------------------------
 Wed Oct 05 17:28:40 UTC 2022 - christophe@krop.fr
 - Update to version 5.15.11:
  * Work-around GNOME bug misidentifying HTML content
  * Fix busy waiting on streaming QIODevice's
  * Add workaround for un-minimizing QWebEngineView under Gnome
  * Build the QtDesigner plugin in all configurations
  * Bump version to 5.15.11
  * Fix method check
  * Do not use the native dialog to show the color picker on macOS
  * FIXUP: Add workaround for unstable gn on macOS in ci
  * Fix top level build with no widget
  * Fix touch input for widget's delegate for html popup
  * Keep page's zoom level on loading new urls
  * Fix leak if loader error is seen first
  * Add workaround for unstable gn on macOS in ci
  * Pass archiver to gn build
  * Fix read-after-free on EGL extensions
  * Update Chromium:
  * FIXUP: Fix url_utils for QtWebEngine
  * FIXUP: Workaround MSVC2022 ICE in constexpr functions
  * Fixup: CVE-2022-0796: Use after free in Media
  * [Backport] CVE-2022-0796: Use after free in Media
  * [Backport] CVE-2022-1855: Use after free in Messaging
  * [Backport] CVE-2022-1857: Insufficient policy enforcement in
    File System API
  * [Backport] CVE-2022-2008: Out of bounds memory access in WebGL
  * [Backport] CVE-2022-2010: Out of bounds read in compositing
  * [Backport] CVE-2022-2158: Type Confusion in V8
  * [Backport] CVE-2022-2160: Insufficient policy enforcement
    in DevTools
  * [Backport] CVE-2022-2162: Insufficient policy enforcement in
    File System API
  * [Backport] CVE-2022-2294: Heap buffer overflow in WebRTC
  * [Backport] CVE-2022-2295: Type Confusion in V8
  * [Backport] CVE-2022-2477 : Use after free in Guest View
  * [Backport] CVE-2022-2610: Insufficient policy enforcement
    in Background Fetch
  * [Backport] CVE-2022-27404
  * [Backport] CVE-2022-27405
  * [Backport] CVE-2022-27406
  * [Backport] Linux sandbox: ENOSYS for some statx syscalls
  * [Backport] Security bug 1287804
  * [Backport] Security bug 1316578
  * [Backport] Security bug 1343889
 - Replace sandbox-statx-futex_time64.patch with upstream change:
  * sandbox_futex_time64.patch
 -------------------------------------------------------------------
 Mon Sep 26 14:35:08 UTC 2022 - Christophe Giboudeaux <christophe@krop.fr>
--- a/libqt5-qtwebengine.spec
+++ b/libqt5-qtwebengine.spec
@ -35,15 +35,15 @@
 %global _qtwebengine_dictionaries_dir %{_libqt5_datadir}/qtwebengine_dictionaries
 Name:           libqt5-qtwebengine
-Version:        5.15.10
+Version:        5.15.11
 Release:        0
 Summary:        Qt 5 WebEngine Library
 License:        LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 Group:          Development/Libraries/X11
 URL:            https://www.qt.io
 %define base_name libqt5
-%define real_version 5.15.10
+%define real_version 5.15.11
-%define so_version 5.15.10
+%define so_version 5.15.11
 %define tar_version qtwebengine-everywhere-src-%{version}
 Source:         %{tar_version}.tar.xz
 # Use a git snapshot for catapult to build with python3 (git rev: b7e9d5899)
@ -53,15 +53,16 @@ Source99:       libqt5-qtwebengine-rpmlintrc
 Patch0:         armv6-ffmpeg-no-thumb.patch
 # PATCH-FIX-OPENSUSE disable-gpu-when-using-nouveau-boo-1005323.diff
 Patch1:         disable-gpu-when-using-nouveau-boo-1005323.diff
 Patch2:         sandbox-statx-futex_time64.patch
 # PATCH-FIX-OPENSUSE
-Patch3:         rtc-dont-use-h264.patch
+Patch2:         rtc-dont-use-h264.patch
 # PATCH-FIX-UPSTREAM
-Patch4:         0001-skia-Some-includes-to-fix-build-with-GCC-12.patch
+Patch3:         0001-skia-Some-includes-to-fix-build-with-GCC-12.patch
 # PATCH-FIX-UPSTREAM -- build with pipewire 0.3
-Patch5:         qtwebengine-pipewire-0.3.patch
+Patch4:         qtwebengine-pipewire-0.3.patch
 # PATCH-FIX-OPENSUSE -- build with python 3
-Patch6:        qtwebengine-python3.patch
+Patch5:         qtwebengine-python3.patch
 # PATCH-FIX-UPSTREAM -- handle futex_time64
 Patch6:         sandbox_futex_time64.patch
 ### Patch 50-99 are applied conditionally
 # PATCH-FIX-OPENSUSE -- allow building qtwebengine with ffmpeg5
 Patch50:        qtwebengine-ffmpeg5.patch
@ -304,6 +305,7 @@ Examples for the libqt5-qtpdf module.
 %patch4 -p1
 %patch5 -p1
 %patch6 -p1
 # Replace the whole catapult folder rather than picking individual changes
 pushd src/3rdparty/chromium/third_party
 rm -r catapult
--- a/qtwebengine-everywhere-src-5.15.10.tar.xz
+++ b/qtwebengine-everywhere-src-5.15.10.tar.xz
@ -1,3 +0,0 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:51e4e3b1b51f33297897b3c8ebf0ee12a3f8c46805891460bb1a3d9990ba74cc
 size 319349412
--- a/qtwebengine-everywhere-src-5.15.11.tar.xz
+++ b/qtwebengine-everywhere-src-5.15.11.tar.xz
@ -0,0 +1,3 @@
 version https://git-lfs.github.com/spec/v1
 oid sha256:d54a8eaf41ea3a47183b6a291c12b910abdd5c819880dddedd969b803ebf7ed0
 size 319327024
--- a/sandbox-statx-futex_time64.patch
+++ b/sandbox-statx-futex_time64.patch
@ -1,39 +0,0 @@
 From: Fabian Vogt <fabian@ritter-vogt.de>
 Subject: Sandbox: Handle statx and futex_time64
 glibc uses statx in some more places now (e.g stat64 -> __fstatat64_time64),
 but it's caught by the sandbox, which doesn't handle it and breaks.
 Return -ENOSYS instead to trigger the fallback in glibc.
 futex_time64 is also used internally in glibc, so handle that as well.
 The signature is identical where it matters.
 diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 index 6f7768f7d..b3335e2bf 100644
 --- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 +++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -203,6 +203,11 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
   if (sysno == __NR_futex)
     return RestrictFutex();
 +#if defined(__NR_futex_time64)
 +  if (sysno == __NR_futex_time64)
 +    return RestrictFutex();
 +#endif
 +
   if (sysno == __NR_set_robust_list)
     return Error(EPERM);
@@ -283,6 +288,12 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
     return RewriteFstatatSIGSYS(fs_denied_errno);
   }
 +#if defined(__NR_statx)
 +  if (sysno == __NR_statx) {
 +    return Error(ENOSYS);
 +  }
 +#endif
 +
   if (SyscallSets::IsFileSystem(sysno) ||
       SyscallSets::IsCurrentDirectory(sysno)) {
     return Error(fs_denied_errno);
--- a/sandbox_futex_time64.patch
+++ b/sandbox_futex_time64.patch
@ -0,0 +1,53 @@
 From 6abdfb1d7638c787081d16bb90022cde7a86309f Mon Sep 17 00:00:00 2001
 From: Matthew Denton <mpdenton@chromium.org>
 Date: Tue, 16 Mar 2021 06:38:05 +0000
 Subject: [PATCH] Linux sandbox: support futex_time64 on 32-bit platforms
 This updates futex-related syscall sets to include futex_time64, which
 is a version of the futex syscall which uses 64 bit time on 32-bit
 systems, to prepare for the Y2038 problem.
 Change-Id: Ie933d9fec221233bf837f00c08eb7daee204081d
 Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/2753571
 Commit-Queue: Matthew Denton <mpdenton@chromium.org>
 Reviewed-by: Robert Sesek <rsesek@chromium.org>
 Cr-Commit-Position: refs/heads/master@{#863166}
 ---
 sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc | 7 ++++++-
 sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc    | 3 +++
 2 files changed, 9 insertions(+), 1 deletion(-)
 diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 index 5e650d93c4b..b37f082dd69 100644
 --- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
 +++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
@@ -198,8 +198,13 @@ ResultExpr EvaluateSyscallImpl(int fs_denied_errno,
   }
 #endif
 -  if (sysno == __NR_futex)
 +  if (sysno == __NR_futex
 +#if defined(__NR_futex_time64)
 +      || sysno == __NR_futex_time64
 +#endif
 +  ) {
     return RestrictFutex();
 +  }
   if (sysno == __NR_set_robust_list)
     return Error(EPERM);
 diff --git a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
 index d1ea8e99a1c..3a8a924cc0a 100644
 --- a/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
 +++ b/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
@@ -427,6 +427,9 @@ bool SyscallSets::IsAllowedFutex(int sysno) {
     case __NR_get_robust_list:
     case __NR_set_robust_list:
     case __NR_futex:
 +#if defined(__NR_futex_time64)
 +    case __NR_futex_time64:
 +#endif
     default:
       return false;
   }