Accepting request 966949 from KDE:Qt:6.2

- Add security fixes:
  * CVE-2022-0971-qtwebengine-5.15.patch (CVE-2022-0971, boo#1197163)
  * CVE-2022-1096-qtwebengine-5.15.patch (CVE-2022-1096, boo#1197552)

OBS-URL: https://build.opensuse.org/request/show/966949
OBS-URL: https://build.opensuse.org/package/show/KDE:Qt6/qt6-webengine?expand=0&rev=9

CVE-2022-0971-qtwebengine-5.15.patch

@@ -0,0 +1,157 @@
+From d13d0924c4e18ecc4b79adf0fec142ee9a9eaa14 Mon Sep 17 00:00:00 2001
+From: "liberato@chromium.org" <liberato@chromium.org>
+Date: Mon, 7 Mar 2022 20:17:13 +0000
+Subject: [Backport] CVE-2022-0971
+
+Don't use a deleted RenderFrameHost.
+
+Since we do not check for frame liveness, a RenderFrameHost might be
+deleted (in the use-after-free sense) without another call to
+RenderFrameDeleted.  So, WeakPtr it to avoid these cases.
+
+Bug: 1299422
+
+Task-number: QTBUG-101946
+Change-Id: Ie4fe85f88ef80f4e4c3d0452397c0e5050ed881c
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
+---
+ .../display_cutout/display_cutout_host_impl.cc     | 29 +++++++++++++---------
+ .../display_cutout/display_cutout_host_impl.h      | 10 ++++++--
+ 2 files changed, 25 insertions(+), 14 deletions(-)
+
+diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
+index 1640ec83489..8f89cc24b5f 100644
+--- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
++++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
+@@ -5,6 +5,7 @@
+ #include "content/browser/display_cutout/display_cutout_host_impl.h"
+ 
+ #include "content/browser/display_cutout/display_cutout_constants.h"
++#include "content/browser/renderer_host/render_frame_host_impl.h"
+ #include "content/browser/web_contents/web_contents_impl.h"
+ #include "content/public/browser/navigation_handle.h"
+ #include "mojo/public/cpp/bindings/associated_remote.h"
+@@ -33,7 +34,7 @@ void DisplayCutoutHostImpl::ViewportFitChangedForFrame(
+ 
+   // If we are the current |RenderFrameHost| frame then notify
+   // WebContentsObservers about the new value.
+-  if (current_rfh_ == rfh)
++  if (current_rfh_.get() == rfh)
+     web_contents_impl_->NotifyViewportFitChanged(value);
+ 
+   MaybeQueueUKMEvent(rfh);
+@@ -60,7 +61,9 @@ void DisplayCutoutHostImpl::DidFinishNavigation(
+ 
+   // If we finish a main frame navigation and the |WebDisplayMode| is
+   // fullscreen then we should make the main frame the current
+-  // |RenderFrameHost|.
++  // |RenderFrameHost|.  Note that this is probably not correct; we do not check
++  // that the navigation completed successfully, nor do we check if the main
++  // frame is still IsRenderFrameLive().
+   blink::mojom::DisplayMode mode = web_contents_impl_->GetDisplayMode();
+   if (mode == blink::mojom::DisplayMode::kFullscreen)
+     SetCurrentRenderFrameHost(web_contents_impl_->GetMainFrame());
+@@ -70,7 +73,7 @@ void DisplayCutoutHostImpl::RenderFrameDeleted(RenderFrameHost* rfh) {
+   values_.erase(rfh);
+ 
+   // If we were the current |RenderFrameHost| then we should clear that.
+-  if (current_rfh_ == rfh)
++  if (current_rfh_.get() == rfh)
+     SetCurrentRenderFrameHost(nullptr);
+ }
+ 
+@@ -87,7 +90,7 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
+   insets_ = insets;
+ 
+   if (current_rfh_)
+-    SendSafeAreaToFrame(current_rfh_, insets);
++    SendSafeAreaToFrame(current_rfh_.get(), insets);
+ 
+   // If we have a pending UKM event on the top of the stack that is |kAllowed|
+   // and we have a |current_rfh_| then we should update that UKM event as it
+@@ -100,26 +103,28 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
+ }
+ 
+ void DisplayCutoutHostImpl::SetCurrentRenderFrameHost(RenderFrameHost* rfh) {
+-  if (current_rfh_ == rfh)
++  if (current_rfh_.get() == rfh)
+     return;
+ 
+   // If we had a previous frame then we should clear the insets on that frame.
+   if (current_rfh_)
+-    SendSafeAreaToFrame(current_rfh_, gfx::Insets());
+-
+-  // Update the |current_rfh_| with the new frame.
+-  current_rfh_ = rfh;
++    SendSafeAreaToFrame(current_rfh_.get(), gfx::Insets());
+ 
+   // If the new RenderFrameHost is nullptr we should stop here and notify
+   // observers that the new viewport fit is kAuto (the default).
+   if (!rfh) {
++    current_rfh_ = nullptr;
+     web_contents_impl_->NotifyViewportFitChanged(
+         blink::mojom::ViewportFit::kAuto);
+     return;
+   }
+ 
++
++  // Update the |current_rfh_| with the new frame.
++  current_rfh_ = static_cast<RenderFrameHostImpl*>(rfh)->GetWeakPtr();
++
+   // Record a UKM event for the new frame.
+-  MaybeQueueUKMEvent(current_rfh_);
++  MaybeQueueUKMEvent(current_rfh_.get());
+ 
+   // Send the current safe area to the new frame.
+   SendSafeAreaToFrame(rfh, insets_);
+@@ -159,11 +164,11 @@ void DisplayCutoutHostImpl::MaybeQueueUKMEvent(RenderFrameHost* frame) {
+   blink::mojom::ViewportFit supplied_value = GetValueOrDefault(frame);
+   if (supplied_value == blink::mojom::ViewportFit::kAuto)
+     return;
+-  blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_);
++  blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_.get());
+ 
+   // Set the reason why this frame is not the current frame.
+   int ignored_reason = DisplayCutoutIgnoredReason::kAllowed;
+-  if (current_rfh_ != frame) {
++  if (current_rfh_.get() != frame) {
+     ignored_reason =
+         current_rfh_ == nullptr
+             ? DisplayCutoutIgnoredReason::kWebContentsNotFullscreen
+diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
+index 56081029df0..2477a4bcd7d 100644
+--- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
++++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
+@@ -5,12 +5,15 @@
+ #ifndef CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
+ #define CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
+ 
++#include "base/memory/weak_ptr.h"
+ #include "content/public/browser/web_contents_observer.h"
+ #include "content/public/browser/web_contents_receiver_set.h"
+ #include "third_party/blink/public/mojom/page/display_cutout.mojom.h"
+ 
+ namespace content {
+ 
++class RenderFrameHostImpl;
++
+ class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
+  public:
+   explicit DisplayCutoutHostImpl(WebContentsImpl*);
+@@ -74,8 +77,11 @@ class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
+   gfx::Insets insets_;
+ 
+   // Stores the current |RenderFrameHost| that has the applied safe area insets
+-  // and is controlling the viewport fit value.
+-  RenderFrameHost* current_rfh_ = nullptr;
++  // and is controlling the viewport fit value. This value is different than
++  // `WebContentsImpl::current_fullscreen_frame_` because it also considers
++  // browser side driven fullscreen mode, not just renderer side requested
++  // frames.
++  base::WeakPtr<RenderFrameHostImpl> current_rfh_;
+ 
+   // Stores a map of RenderFrameHosts and their current viewport fit values.
+   std::map<RenderFrameHost*, blink::mojom::ViewportFit> values_;
+-- 
+cgit v1.2.1
+

CVE-2022-1096-qtwebengine-6.2.patch

@@ -0,0 +1,33 @@
+From: Allan Sandfeld Jensen <allan.jensen@qt.io>
+Date: Tue, 29 Mar 2022 17:31:58 +0200
+Subject: [Backport] CVE-2022-1096
+
+[runtime] Fix handling of interceptors
+
+--- a/src/3rdparty/chromium/v8/src/objects/objects.cc
++++ b/src/3rdparty/chromium/v8/src/objects/objects.cc
+@@ -2513,6 +2513,12 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
+           Maybe<bool> result =
+               JSObject::SetPropertyWithInterceptor(it, should_throw, value);
+           if (result.IsNothing() || result.FromJust()) return result;
++          // Assuming that the callback have side effects, we use
++          // Object::SetSuperProperty() which works properly regardless on
++          // whether the property was present on the receiver or not when
++          // storing to the receiver.
++          // Proceed lookup from the next state.
++          it->Next();
+         } else {
+           Maybe<PropertyAttributes> maybe_attributes =
+               JSObject::GetPropertyAttributesWithInterceptor(it);
+@@ -2533,10 +2539,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
+             // property to the receiver.
+             it->NotFound();
+           }
+-          return Object::SetSuperProperty(it, value, store_origin,
+-                                          should_throw);
+         }
+-        break;
++        return Object::SetSuperProperty(it, value, store_origin, should_throw);
+       }
+
+       case LookupIterator::ACCESSOR: {

qt6-webengine.changes

@@ -1,3 +1,10 @@
+-------------------------------------------------------------------
+Mon Apr  4 20:41:16 UTC 2022 - Christophe Giboudeaux <christophe@krop.fr>
+
+- Add security fixes:
+  * CVE-2022-0971-qtwebengine-5.15.patch (CVE-2022-0971, boo#1197163)
+  * CVE-2022-1096-qtwebengine-5.15.patch (CVE-2022-1096, boo#1197552)
+
 -------------------------------------------------------------------
 Mon Mar 21 08:46:39 UTC 2022 - Christophe Giboudeaux <christophe@krop.fr>
 

qt6-webengine.spec

@@ -50,6 +50,8 @@ URL:            https://www.qt.io
 Source:         https://download.qt.io/official_releases/qt/%{short_version}/%{real_version}%{tar_suffix}/submodules/%{tar_name}-%{real_version}%{tar_suffix}.tar.xz
 Source99:       qt6-webengine-rpmlintrc
 # Patches 0-100 are upstream patches #
+Patch0:         CVE-2022-0971-qtwebengine-5.15.patch
+Patch1:         CVE-2022-1096-qtwebengine-6.2.patch
 # Patches 100-200 are openSUSE and/or non-upstream(able) patches #
 Patch100:       rtc-dont-use-h264.patch
 Patch101:       sandbox-statx-futex_time64.patch