Accepting request 590634 from KDE:Qt5

OBS-URL: https://build.opensuse.org/request/show/590634 OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libqt5-qtwebengine?expand=0&rev=31
2018-03-24 15:13:06 +00:00 · 2018-03-24 15:13:06 +00:00 · 7ea4d9fce9
commit 7ea4d9fce9
parent 8ee8f51abd
6 changed files with 1367 additions and 15 deletions
--- a/libqt5-qtwebengine.changes
+++ b/libqt5-qtwebengine.changes
@ -1,3 +1,29 @@
+-------------------------------------------------------------------
+Fri Mar 23 08:14:18 UTC 2018 - wbauer@tmo.at
+
+- Also adjust the minimum versions of the private-headers-devel
+  subpackage's requirements
+
+-------------------------------------------------------------------
+Thu Mar 22 22:40:32 UTC 2018 - kamikazow@opensuse.org
+
+- Apply a fix to make QtWE-using applications actually compile against it
+
+-------------------------------------------------------------------
+Sun Mar 18 22:57:09 UTC 2018 - kamikazow@opensuse.org
+
+- Forward-port security backports from 5.9.5 LTS (up to Chromium 65.0.3325.146)
+  * qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch from Fedora
+  * qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch from Fedora
+
+-------------------------------------------------------------------
+Wed Feb 14 15:47:56 CET 2018 - fabian@ritter-vogt.de
+
+- Update to 5.10.1
+  * New bugfix release
+  * For more details please see:
+  * http://code.qt.io/cgit/qt/qtwebengine.git/plain/dist/changes-5.10.1/?h=v5.10.1
+
 -------------------------------------------------------------------
 Fri Feb  2 10:43:48 UTC 2018 - dimstar@opensuse.org

--- a/libqt5-qtwebengine.spec
+++ b/libqt5-qtwebengine.spec
@ -50,22 +50,27 @@
 %endif

 Name:           libqt5-qtwebengine
-Version:        5.10.0
+Version:        5.10.1
 Release:        0
 Summary:        Qt 5 WebEngine Library
 License:        LGPL-2.1-with-Qt-Company-Qt-exception-1.1 or LGPL-3.0-with-Qt-Company-Qt-exception-1.1
 Group:          Development/Libraries/X11
 Url:            https://www.qt.io
 %define base_name libqt5
-%define real_version 5.10.0
-%define so_version 5.10.0
-%define tar_version qtwebengine-everywhere-src-5.10.0
+%define real_version 5.10.1
+%define so_version 5.10.1
+%define tar_version qtwebengine-everywhere-src-5.10.1
 Source:         https://download.qt.io/official_releases/qt/5.10/%{real_version}/submodules/%{tar_version}.tar.xz
 Source1:        baselibs.conf
 # PATCH-FIX-UPSTREAM armv6-ffmpeg-no-thumb.patch - Fix ffmpeg configuration for armv6
 Patch1:         armv6-ffmpeg-no-thumb.patch
 # PATCH-FIX-UPSTREAM disable-gpu-when-using-nouveau-boo-1005323.diff
 Patch2:         disable-gpu-when-using-nouveau-boo-1005323.diff
+# PATCH-FIX-UPSTREAM qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
+# - forward-port security backports from 5.9.5 LTS (up to Chromium 65.0.3325.146)
+#   see the patch metadata for the list of fixed CVEs and Chromium bug IDs
+Patch3:         qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
+Patch4:         qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch
 # PATCH-FIX-UPSTREAM harmony-fix.diff -- Show the patent-free LCD rendering. Without this patch, only grayscale rendering is used. (for freetype-2.8.1) boo#1061344
 Patch5:         harmony-fix.diff
 # http://www.chromium.org/blink not ported to PowerPC
@ -87,12 +92,12 @@ BuildRequires:  libgcrypt-devel
 BuildRequires:  libicu-devel
 BuildRequires:  libjpeg-devel
 BuildRequires:  libpng-devel
-BuildRequires:  libqt5-qtbase-private-headers-devel >= %{version}
-BuildRequires:  libqt5-qtdeclarative-private-headers-devel >= %{version}
-BuildRequires:  libqt5-qttools-private-headers-devel >= %{version}
-BuildRequires:  libqt5-qtlocation-private-headers-devel >= %{version}
-BuildRequires:  libqt5-qtwebchannel-private-headers-devel >= %{version}
-BuildRequires:  libqt5-qtxmlpatterns-private-headers-devel >= %{version}
+BuildRequires:  libqt5-qtbase-private-headers-devel >= 5.9
+BuildRequires:  libqt5-qtdeclarative-private-headers-devel >= 5.9
+BuildRequires:  libqt5-qttools-private-headers-devel >= 5.9
+BuildRequires:  libqt5-qtlocation-private-headers-devel >= 5.9
+BuildRequires:  libqt5-qtwebchannel-private-headers-devel >= 5.9
+BuildRequires:  libqt5-qtxmlpatterns-private-headers-devel >= 5.9
 BuildRequires:  libQt5QuickControls2-devel
 BuildRequires:  pam-devel
 BuildRequires:  pciutils-devel
@ -103,6 +108,7 @@ BuildRequires:  python-devel
 BuildRequires:  python-xml
 BuildRequires:  re2c
 BuildRequires:  re2-devel
+BuildRequires:  sed
 BuildRequires:  snappy-devel
 BuildRequires:  sqlite3-devel
 BuildRequires:  update-desktop-files
@ -219,8 +225,8 @@ Summary:        Non-ABI stable experimental API for the Qt5 WebEngine library
 Group:          Development/Libraries/C and C++
 BuildArch:      noarch
 Requires:       %{name}-devel = %{version}
-Requires:       libqt5-qtbase-private-headers-devel >= %{version}
-Requires:       libqt5-qtdeclarative-private-headers-devel >= %{version}
+%requires_ge    libqt5-qtbase-private-headers-devel
+%requires_ge    libqt5-qtdeclarative-private-headers-devel

 %description private-headers-devel
 This package provides private headers of libqt5-qtwebengine that are normally
@ -242,6 +248,8 @@ Examples for the libqt5-qtwebengine module.
 sed -i 's|$(STRIP)|strip|g' src/core/core_module.pro
 %patch1 -p1
 %patch2 -p1
+%patch3 -p1
+%patch4 -p1
 %patch5 -p1
 # QTBUG-61128
 sed -i -e '/toolprefix = /d' -e 's/\${toolprefix}//g' \
@ -310,6 +318,15 @@ rm -f %{buildroot}%{_libqt5_libdir}/lib*.la
 # webenginecore expects icudatl.dat at this location
 # ln -sf %{_datadir}/icu/*/icudt*l.dat %{buildroot}%{_datadir}/qt5/icudtl.dat

+# ---------- Workarounds for older Qt versions ---------
+## adjust cmake dep(s) to allow for using the same Qt5 that was used to build it
+sed -i -r '/ EXACT\)/d' \
+  %{buildroot}%{_libqt5_libdir}/cmake/Qt5WebEngine*/Qt5WebEngine*Config.cmake
+
+sed -i '/find_package/!b;n;s/'%{version}/$(rpm -q --qf %%{version} libQt5Core5)/ \
+  %{buildroot}%{_libqt5_libdir}/cmake/Qt5WebEngine*/Qt5WebEngine*Config.cmake
+# ------------------------------------------------------
+
 %post -p /sbin/ldconfig

 %postun -p /sbin/ldconfig
--- a/qtwebengine-everywhere-src-5.10.0.tar.xz
+++ b/qtwebengine-everywhere-src-5.10.0.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:a8bf5989ef847a249bbc1f391743a36971825b896747d073e30dbcdefc9567f9
-size 209737304
--- a/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch
+++ b/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch
@ -0,0 +1,64 @@
+From 1fd21185614dcae0c7a6e5647ba56cff0120f563 Mon Sep 17 00:00:00 2001
+Message-Id: <1fd21185614dcae0c7a6e5647ba56cff0120f563.1521386919.git.kevin.kofler@chello.at>
+From: Michal Klocek <michal.klocek@qt.io>
+Date: Wed, 7 Mar 2018 18:36:25 +0100
+Subject: [PATCH] Implement IsMostRecentDownloadItemAtFilePath call
+
+Implement IsMostRecentDownloadItemAtFilePath
+for download_manager_delegate_qt. This is required for
+CVE-2018-6033.
+
+Change-Id: I9f48dfa159d684f0fda894e68b81ff622aceaae2
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ src/core/download_manager_delegate_qt.cpp | 20 ++++++++++++++++++++
+ src/core/download_manager_delegate_qt.h   |  2 ++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/core/download_manager_delegate_qt.cpp b/src/core/download_manager_delegate_qt.cpp
+index 40df9b3a..487a831e 100644
+--- a/src/core/download_manager_delegate_qt.cpp
+++ b/src/core/download_manager_delegate_qt.cpp
+@@ -293,6 +293,26 @@ void DownloadManagerDelegateQt::ChooseSavePath(content::WebContents *web_content
+                             m_weakPtrFactory.GetWeakPtr()));
+ }
+ 
+bool DownloadManagerDelegateQt::IsMostRecentDownloadItemAtFilePath(content::DownloadItem *download)
+{
+    content::BrowserContext *context = download->GetBrowserContext();
+    std::vector<content::DownloadItem*> all_downloads;
+
+    content::DownloadManager* manager =
+            content::BrowserContext::GetDownloadManager(context);
+    if (manager)
+        manager->GetAllDownloads(&all_downloads);
+
+    for (const auto* item : all_downloads) {
+        if (item->GetGuid() == download->GetGuid() ||
+                item->GetTargetFilePath() != download->GetTargetFilePath())
+            continue;
+        if (item->GetState() == content::DownloadItem::IN_PROGRESS)
+            return false;
+    }
+    return true;
+}
+
+ void DownloadManagerDelegateQt::savePackageDownloadCreated(content::DownloadItem *item)
+ {
+     OnDownloadUpdated(item);
+diff --git a/src/core/download_manager_delegate_qt.h b/src/core/download_manager_delegate_qt.h
+index df43211e..7563d5d3 100644
+--- a/src/core/download_manager_delegate_qt.h
+++ b/src/core/download_manager_delegate_qt.h
+@@ -81,6 +81,8 @@ public:
+                         const base::FilePath::StringType &default_extension,
+                         bool can_save_as_complete,
+                         const content::SavePackagePathPickedCallback &callback) override;
+    bool IsMostRecentDownloadItemAtFilePath(content::DownloadItem* download) override;
+
+ 
+     void cancelDownload(quint32 downloadId);
+     void pauseDownload(quint32 downloadId);
+-- 
+2.14.3
+
--- a/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
+++ b/qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
--- a/qtwebengine-everywhere-src-5.10.1.tar.xz
+++ b/qtwebengine-everywhere-src-5.10.1.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:12644f8d2ba8354a2a533d5a7f3f5139c6ff168c2f51aa3e21b701db6dbc01de
+size 209844952