diff --git a/CVE-2022-0971-qtwebengine-5.15.patch b/CVE-2022-0971-qtwebengine-5.15.patch
deleted file mode 100644
index 55d527c..0000000
--- a/CVE-2022-0971-qtwebengine-5.15.patch
+++ /dev/null
@@ -1,157 +0,0 @@
-From d13d0924c4e18ecc4b79adf0fec142ee9a9eaa14 Mon Sep 17 00:00:00 2001
-From: "liberato@chromium.org"
-Date: Mon, 7 Mar 2022 20:17:13 +0000
-Subject: [Backport] CVE-2022-0971
-
-Don't use a deleted RenderFrameHost.
-
-Since we do not check for frame liveness, a RenderFrameHost might be
-deleted (in the use-after-free sense) without another call to
-RenderFrameDeleted. So, WeakPtr it to avoid these cases.
-
-Bug: 1299422
-
-Task-number: QTBUG-101946
-Change-Id: Ie4fe85f88ef80f4e4c3d0452397c0e5050ed881c
-Reviewed-by: Allan Sandfeld Jensen
---
- .../display_cutout/display_cutout_host_impl.cc | 29 +++++++++++++---------
- .../display_cutout/display_cutout_host_impl.h | 10 ++++++--
- 2 files changed, 25 insertions(+), 14 deletions(-)
-
-diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
-index 1640ec83489..8f89cc24b5f 100644
---- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
-+++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
-@@ -5,6 +5,7 @@
- #include "content/browser/display_cutout/display_cutout_host_impl.h"
- 
- #include "content/browser/display_cutout/display_cutout_constants.h"
-+#include "content/browser/renderer_host/render_frame_host_impl.h"
- #include "content/browser/web_contents/web_contents_impl.h"
- #include "content/public/browser/navigation_handle.h"
- #include "mojo/public/cpp/bindings/associated_remote.h"
-@@ -33,7 +34,7 @@ void DisplayCutoutHostImpl::ViewportFitChangedForFrame(
- 
- // If we are the current |RenderFrameHost| frame then notify
- // WebContentsObservers about the new value.
-- if (current_rfh_ == rfh)
-+ if (current_rfh_.get() == rfh)
- web_contents_impl_->NotifyViewportFitChanged(value);
- 
- MaybeQueueUKMEvent(rfh);
-@@ -60,7 +61,9 @@ void DisplayCutoutHostImpl::DidFinishNavigation(
- 
- // If we finish a main frame navigation and the |WebDisplayMode| is
- // fullscreen then we should make the main frame the current
-- // |RenderFrameHost|.
-+ // |RenderFrameHost|. Note that this is probably not correct; we do not check
-+ // that the navigation completed successfully, nor do we check if the main
-+ // frame is still IsRenderFrameLive().
- blink::mojom::DisplayMode mode = web_contents_impl_->GetDisplayMode();
- if (mode == blink::mojom::DisplayMode::kFullscreen)
- SetCurrentRenderFrameHost(web_contents_impl_->GetMainFrame());
-@@ -70,7 +73,7 @@ void DisplayCutoutHostImpl::RenderFrameDeleted(RenderFrameHost* rfh) {
- values_.erase(rfh);
- 
- // If we were the current |RenderFrameHost| then we should clear that.
-- if (current_rfh_ == rfh)
-+ if (current_rfh_.get() == rfh)
- SetCurrentRenderFrameHost(nullptr);
- }
- 
-@@ -87,7 +90,7 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
- insets_ = insets;
- 
- if (current_rfh_)
-- SendSafeAreaToFrame(current_rfh_, insets);
-+ SendSafeAreaToFrame(current_rfh_.get(), insets);
- 
- // If we have a pending UKM event on the top of the stack that is |kAllowed|
- // and we have a |current_rfh_| then we should update that UKM event as it
-@@ -100,26 +103,28 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
- }
- 
- void DisplayCutoutHostImpl::SetCurrentRenderFrameHost(RenderFrameHost* rfh) {
-- if (current_rfh_ == rfh)
-+ if (current_rfh_.get() == rfh)
- return;
- 
- // If we had a previous frame then we should clear the insets on that frame.
- if (current_rfh_)
-- SendSafeAreaToFrame(current_rfh_, gfx::Insets());
--
-- // Update the |current_rfh_| with the new frame.
-- current_rfh_ = rfh;
-+ SendSafeAreaToFrame(current_rfh_.get(), gfx::Insets());
- 
- // If the new RenderFrameHost is nullptr we should stop here and notify
- // observers that the new viewport fit is kAuto (the default).
- if (!rfh) {
-+ current_rfh_ = nullptr;
- web_contents_impl_->NotifyViewportFitChanged(
- blink::mojom::ViewportFit::kAuto);
- return;
- }
- 
-+
-+ // Update the |current_rfh_| with the new frame.
-+ current_rfh_ = static_cast(rfh)->GetWeakPtr();
-+
- // Record a UKM event for the new frame.
-- MaybeQueueUKMEvent(current_rfh_);
-+ MaybeQueueUKMEvent(current_rfh_.get());
- 
- // Send the current safe area to the new frame.
- SendSafeAreaToFrame(rfh, insets_);
-@@ -159,11 +164,11 @@ void DisplayCutoutHostImpl::MaybeQueueUKMEvent(RenderFrameHost* frame) {
- blink::mojom::ViewportFit supplied_value = GetValueOrDefault(frame);
- if (supplied_value == blink::mojom::ViewportFit::kAuto)
- return;
-- blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_);
-+ blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_.get());
- 
- // Set the reason why this frame is not the current frame.
- int ignored_reason = DisplayCutoutIgnoredReason::kAllowed;
-- if (current_rfh_ != frame) {
-+ if (current_rfh_.get() != frame) {
- ignored_reason =
- current_rfh_ == nullptr
- ? DisplayCutoutIgnoredReason::kWebContentsNotFullscreen
-diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
-index 56081029df0..2477a4bcd7d 100644
---- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
-+++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
-@@ -5,12 +5,15 @@
- #ifndef CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
- #define CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
- 
-+#include "base/memory/weak_ptr.h"
- #include "content/public/browser/web_contents_observer.h"
- #include "content/public/browser/web_contents_receiver_set.h"
- #include "third_party/blink/public/mojom/page/display_cutout.mojom.h"
- 
- namespace content {
- 
-+class RenderFrameHostImpl;
-+
- class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
- public:
- explicit DisplayCutoutHostImpl(WebContentsImpl*);
-@@ -74,8 +77,11 @@ class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
- gfx::Insets insets_;
- 
- // Stores the current |RenderFrameHost| that has the applied safe area insets
-- // and is controlling the viewport fit value.
-+ // and is controlling the viewport fit value. This value is different than
-+ // `WebContentsImpl::current_fullscreen_frame_` because it also considers
-+ // browser side driven fullscreen mode, not just renderer side requested
-+ // frames.
-+ base::WeakPtr current_rfh_;
- 
- // Stores a map of RenderFrameHosts and their current viewport fit values.
- std::map values_;
---
-cgit v1.2.1
-
diff --git a/CVE-2022-1096-qtwebengine-5.15.patch b/CVE-2022-1096-qtwebengine-5.15.patch
deleted file mode 100644
index 4254fba..0000000
--- a/CVE-2022-1096-qtwebengine-5.15.patch
+++ /dev/null
@@ -1,47 +0,0 @@
-From abb5119d0f307f7f98e59a5f3ee9872f3d286b37 Mon Sep 17 00:00:00 2001
-From: Allan Sandfeld Jensen
-Date: Tue, 29 Mar 2022 17:31:58 +0200
-Subject: [Backport] CVE-2022-1096
-
-[runtime] Fix handling of interceptors
-
-Change-Id: I36b218f25c0dff6f5a39931e7536c6588ff46eef
-Reviewed-by: Igor Sheludko
-(cherry picked from commit b85cb23217f629522702c19381db9c65accc1fba)
-Reviewed-by: Michal Klocek
---
- chromium/v8/src/objects/objects.cc | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/src/3rdparty/chromium/v8/src/objects/objects.cc b/src/3rdparty/chromium/v8/src/objects/objects.cc
-index 43d835044de..f1d15d27c6e 100644
---- a/src/3rdparty/chromium/v8/src/objects/objects.cc
-+++ b/src/3rdparty/chromium/v8/src/objects/objects.cc
-@@ -2481,6 +2481,12 @@ Maybe Object::SetPropertyInternal(LookupIterator* it,
- Maybe result =
- JSObject::SetPropertyWithInterceptor(it, should_throw, value);
- if (result.IsNothing() || result.FromJust()) return result;
-+ // Assuming that the callback have side effects, we use
-+ // Object::SetSuperProperty() which works properly regardless on
-+ // whether the property was present on the receiver or not when
-+ // storing to the receiver.
-+ // Proceed lookup from the next state.
-+ it->Next();
- } else {
- Maybe maybe_attributes =
- JSObject::GetPropertyAttributesWithInterceptor(it);
-@@ -2501,10 +2507,8 @@ Maybe Object::SetPropertyInternal(LookupIterator* it,
- // property to the receiver.
- it->NotFound();
- }
-- return Object::SetSuperProperty(it, value, store_origin,
-- should_throw);
- }
-- break;
-+ return Object::SetSuperProperty(it, value, store_origin, should_throw);
- }
- 
- case LookupIterator::ACCESSOR: {
---
-cgit v1.2.1
-
diff --git a/_service b/_service
index 05e61e3..1f45a71 100644
--- a/_service
+++ b/_service
@@ -1,11 +1,11 @@
 enable
- 5.15.8
+ 5.15.9
 git://code.qt.io/qt/qtwebengine.git git qtwebengine-everywhere-src
- v5.15.8-lts
+ v5.15.9-lts
 *.tar
diff --git a/_servicedata b/_servicedata
index ce3bf3b..800a85e 100644
--- a/_servicedata
+++ b/_servicedata
@@ -1,4 +1,4 @@
 git://code.qt.io/qt/qtwebengine.git
- 96e932d73057c3e705b849249fb02e1837b7576d
\ No newline at end of file
+ 4f570bd7add21725d66ac8396dcf21917c3a603f
\ No newline at end of file
diff --git a/libqt5-qtwebengine.changes b/libqt5-qtwebengine.changes
index c97ae89..a54ee3b 100644
--- a/libqt5-qtwebengine.changes
+++ b/libqt5-qtwebengine.changes
@@ -1,3 +1,76 @@
+-------------------------------------------------------------------
+Wed Apr 06 14:41:04 UTC 2022 - christophe@krop.fr
+
+- Update to version 5.15.9:
+ * QPdfView: scale page rendering according to devicePixelRatio
+ * Update documented Chromium version
+ * Use IsSameDocument() rather than IsLoadingToDifferentDocument()
+ * Update module-split for installer
+ * Fix printing PDF files
+ * Do not override signal handlers
+ * Avoid using xkbcommon in non-X11 builds
+ * Update documentation
+ * Update Chromium:
+ * Bump V8_PATCH_LEVEL
+ * Do not overwrite signal handlers in the browser process.
+ * Replace base::ranges::set_union with std::set_union to fix
+ MSVC2017 build
+ * [Backport] CVE-2022-0100: Heap buffer overflow in Media
+ streams API
+ * [Backport] CVE-2022-0102: Type Confusion in V8
+ * [Backport] CVE-2022-0103: Use after free in SwiftShader
+ * [Backport] CVE-2022-0104: Heap buffer overflow in ANGLE
+ * [Backport] CVE-2022-0108: Inappropriate implementation
+ in Navigation
+ * [Backport] CVE-2022-0109: Inappropriate implementation
+ in Autofill
+ * [Backport] CVE-2022-0111 and CVE-2022-0117
+ * [Backport] CVE-2022-0113: Inappropriate implementatio
+ n in Blink
+ * [Backport] CVE-2022-0116: Inappropriate implementation
+ in Compositing
+ * [Backport] CVE-2022-0289: Use after free in Safe browsing
+ * [Backport] CVE-2022-0291: Inappropriate implementation
+ in Storage
+ * [Backport] CVE-2022-0293: Use after free in Web packaging
+ * [Backport] CVE-2022-0298: Use after free in Scheduling
+ * [Backport] CVE-2022-0305: Inappropriate implementation in
+ Service Worker API
+ * [Backport] CVE-2022-0306: Heap buffer overflow in PDFium
+ * [Backport] CVE-2022-0310 and CVE-0311: Heap buffer overflow
+ in Task Manager
+ * [Backport] CVE-2022-0456: Use after free in Web Search
+ * [Backport] CVE-2022-0459: Use after free in Screen Capture
+ * [Backport] CVE-2022-0460: Use after free in Window Dialog
+ * [Backport] CVE-2022-0461: Policy bypass in COOP
+ * [Backport] CVE-2022-0606: Use after free in ANGLE
+ * [Backport] CVE-2022-0607: Use after free in GPU
+ * [Backport] CVE-2022-0608: Integer overflow in Mojo
+ * [Backport] CVE-2022-0609: Use after free in Animation
+ * [Backport] CVE-2022-0610: Inappropriate implementation
+ in Gamepad API
+ * [Backport] CVE-2022-0971 (boo#1197163)
+ * [Backport] CVE-2022-1096 (boo#1197552)
+ * [Backport] CVE-2022-23852
+ * [Backport] Copy 'name_' member during StyleRuleProperty::Copy
+ * [Backport] Security bug 1256885
+ * [Backport] Security bug 1258603
+ * [Backport] Security bug 1259557
+ * [Backport] Security bug 1261415
+ * [Backport] Security bug 1265570
+ * [Backport] Security bug 1268448
+ * [Backport] Security bug 1270014
+ * [Backport] Security bug 1274113
+ * [Backport] Security bug 1276331
+ * [Backport] Security bug 1280743
+ * [Backport] Security bug 1289394
+ * [Backport] Security bug 1292537
+ * [Backport] sandbox: build if glibc 2.34+ dynamic stack size
+ is enabled
+- Drop patches, now upstream:
+ * CVE-2022-0971-qtwebengine-5.15.patch
+ * CVE-2022-1096-qtwebengine-5.15.patch
+
 -------------------------------------------------------------------
 Mon Apr 4 19:25:12 UTC 2022 - Christophe Giboudeaux
diff --git a/libqt5-qtwebengine.spec b/libqt5-qtwebengine.spec
index 96a2abf..b5b74a5 100644
--- a/libqt5-qtwebengine.spec
+++ b/libqt5-qtwebengine.spec
@@ -29,15 +29,15 @@ %global _qtwebengine_dictionaries_dir %{_libqt5_datadir}/qtwebengine_dictionaries
 Name: libqt5-qtwebengine
-Version: 5.15.8
+Version: 5.15.9
 Release: 0
 Summary: Qt 5 WebEngine Library
 License: LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 Group: Development/Libraries/X11
 URL: https://www.qt.io
 %define base_name libqt5
-%define real_version 5.15.8
+%define real_version 5.15.9
-%define so_version 5.15.8
+%define so_version 5.15.9
 %define tar_version qtwebengine-everywhere-src-%{version}
 Source: %{tar_version}.tar.xz
 # PATCH-FIX-UPSTREAM armv6-ffmpeg-no-thumb.patch - Fix ffmpeg configuration for armv6
@@ -49,10 +49,6 @@ Patch2: sandbox-statx-futex_time64.patch
 Patch3: rtc-dont-use-h264.patch
 # PATCH-FIX-UPSTREAM
 Patch4: 0001-skia-Some-includes-to-fix-build-with-GCC-12.patch
-# PATCH-FIX-UPSTREAM
-Patch5: CVE-2022-0971-qtwebengine-5.15.patch
-# PATCH-FIX-UPSTREAM
-Patch6: CVE-2022-1096-qtwebengine-5.15.patch
 # http://www.chromium.org/blink is not ported to PowerPC & s390
 ExcludeArch: ppc ppc64 ppc64le s390 s390x
 # Try to fix i586 MemoryErrors with rpmlint
diff --git a/qtwebengine-everywhere-src-5.15.8.tar.xz b/qtwebengine-everywhere-src-5.15.8.tar.xz
deleted file mode 100644
index 0f20b61..0000000
--- a/qtwebengine-everywhere-src-5.15.8.tar.xz
+++ /dev/null
@@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:acb9be08d9ef4ab59274953235c364181aab58d06feb4bff1845d43a70406975
-size 319364220
diff --git a/qtwebengine-everywhere-src-5.15.9.tar.xz b/qtwebengine-everywhere-src-5.15.9.tar.xz
new file mode 100644
index 0000000..6b1fc35
--- /dev/null
+++ b/qtwebengine-everywhere-src-5.15.9.tar.xz
@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:863ec90692ecc649044af8b8613446ad813c4f50c7bcb8c24892ba70e51cc5cd
+size 314298796