1
0

Accepting request 966883 from KDE:Qt:5.15

- Add security fixes:
  * CVE-2022-0971-qtwebengine-5.15.patch (CVE-2022-0971, boo#1197163)
  * CVE-2022-1096-qtwebengine-5.15.patch (CVE-2022-1096, boo#1197552)

OBS-URL: https://build.opensuse.org/request/show/966883
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libqt5-qtwebengine?expand=0&rev=77
This commit is contained in:
Dominique Leuenberger 2022-04-07 22:26:31 +00:00 committed by Git OBS Bridge
commit 6ba6327b0e
4 changed files with 215 additions and 0 deletions

View File

@ -0,0 +1,157 @@
From d13d0924c4e18ecc4b79adf0fec142ee9a9eaa14 Mon Sep 17 00:00:00 2001
From: "liberato@chromium.org" <liberato@chromium.org>
Date: Mon, 7 Mar 2022 20:17:13 +0000
Subject: [Backport] CVE-2022-0971
Don't use a deleted RenderFrameHost.
Since we do not check for frame liveness, a RenderFrameHost might be
deleted (in the use-after-free sense) without another call to
RenderFrameDeleted. So, WeakPtr it to avoid these cases.
Bug: 1299422
Task-number: QTBUG-101946
Change-Id: Ie4fe85f88ef80f4e4c3d0452397c0e5050ed881c
Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
.../display_cutout/display_cutout_host_impl.cc | 29 +++++++++++++---------
.../display_cutout/display_cutout_host_impl.h | 10 ++++++--
2 files changed, 25 insertions(+), 14 deletions(-)
diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
index 1640ec83489..8f89cc24b5f 100644
--- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
+++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
@@ -5,6 +5,7 @@
#include "content/browser/display_cutout/display_cutout_host_impl.h"
#include "content/browser/display_cutout/display_cutout_constants.h"
+#include "content/browser/renderer_host/render_frame_host_impl.h"
#include "content/browser/web_contents/web_contents_impl.h"
#include "content/public/browser/navigation_handle.h"
#include "mojo/public/cpp/bindings/associated_remote.h"
@@ -33,7 +34,7 @@ void DisplayCutoutHostImpl::ViewportFitChangedForFrame(
// If we are the current |RenderFrameHost| frame then notify
// WebContentsObservers about the new value.
- if (current_rfh_ == rfh)
+ if (current_rfh_.get() == rfh)
web_contents_impl_->NotifyViewportFitChanged(value);
MaybeQueueUKMEvent(rfh);
@@ -60,7 +61,9 @@ void DisplayCutoutHostImpl::DidFinishNavigation(
// If we finish a main frame navigation and the |WebDisplayMode| is
// fullscreen then we should make the main frame the current
- // |RenderFrameHost|.
+ // |RenderFrameHost|. Note that this is probably not correct; we do not check
+ // that the navigation completed successfully, nor do we check if the main
+ // frame is still IsRenderFrameLive().
blink::mojom::DisplayMode mode = web_contents_impl_->GetDisplayMode();
if (mode == blink::mojom::DisplayMode::kFullscreen)
SetCurrentRenderFrameHost(web_contents_impl_->GetMainFrame());
@@ -70,7 +73,7 @@ void DisplayCutoutHostImpl::RenderFrameDeleted(RenderFrameHost* rfh) {
values_.erase(rfh);
// If we were the current |RenderFrameHost| then we should clear that.
- if (current_rfh_ == rfh)
+ if (current_rfh_.get() == rfh)
SetCurrentRenderFrameHost(nullptr);
}
@@ -87,7 +90,7 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
insets_ = insets;
if (current_rfh_)
- SendSafeAreaToFrame(current_rfh_, insets);
+ SendSafeAreaToFrame(current_rfh_.get(), insets);
// If we have a pending UKM event on the top of the stack that is |kAllowed|
// and we have a |current_rfh_| then we should update that UKM event as it
@@ -100,26 +103,28 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
}
void DisplayCutoutHostImpl::SetCurrentRenderFrameHost(RenderFrameHost* rfh) {
- if (current_rfh_ == rfh)
+ if (current_rfh_.get() == rfh)
return;
// If we had a previous frame then we should clear the insets on that frame.
if (current_rfh_)
- SendSafeAreaToFrame(current_rfh_, gfx::Insets());
-
- // Update the |current_rfh_| with the new frame.
- current_rfh_ = rfh;
+ SendSafeAreaToFrame(current_rfh_.get(), gfx::Insets());
// If the new RenderFrameHost is nullptr we should stop here and notify
// observers that the new viewport fit is kAuto (the default).
if (!rfh) {
+ current_rfh_ = nullptr;
web_contents_impl_->NotifyViewportFitChanged(
blink::mojom::ViewportFit::kAuto);
return;
}
+
+ // Update the |current_rfh_| with the new frame.
+ current_rfh_ = static_cast<RenderFrameHostImpl*>(rfh)->GetWeakPtr();
+
// Record a UKM event for the new frame.
- MaybeQueueUKMEvent(current_rfh_);
+ MaybeQueueUKMEvent(current_rfh_.get());
// Send the current safe area to the new frame.
SendSafeAreaToFrame(rfh, insets_);
@@ -159,11 +164,11 @@ void DisplayCutoutHostImpl::MaybeQueueUKMEvent(RenderFrameHost* frame) {
blink::mojom::ViewportFit supplied_value = GetValueOrDefault(frame);
if (supplied_value == blink::mojom::ViewportFit::kAuto)
return;
- blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_);
+ blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_.get());
// Set the reason why this frame is not the current frame.
int ignored_reason = DisplayCutoutIgnoredReason::kAllowed;
- if (current_rfh_ != frame) {
+ if (current_rfh_.get() != frame) {
ignored_reason =
current_rfh_ == nullptr
? DisplayCutoutIgnoredReason::kWebContentsNotFullscreen
diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
index 56081029df0..2477a4bcd7d 100644
--- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
+++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
@@ -5,12 +5,15 @@
#ifndef CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
#define CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
+#include "base/memory/weak_ptr.h"
#include "content/public/browser/web_contents_observer.h"
#include "content/public/browser/web_contents_receiver_set.h"
#include "third_party/blink/public/mojom/page/display_cutout.mojom.h"
namespace content {
+class RenderFrameHostImpl;
+
class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
public:
explicit DisplayCutoutHostImpl(WebContentsImpl*);
@@ -74,8 +77,11 @@ class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
gfx::Insets insets_;
// Stores the current |RenderFrameHost| that has the applied safe area insets
- // and is controlling the viewport fit value.
- RenderFrameHost* current_rfh_ = nullptr;
+ // and is controlling the viewport fit value. This value is different than
+ // `WebContentsImpl::current_fullscreen_frame_` because it also considers
+ // browser side driven fullscreen mode, not just renderer side requested
+ // frames.
+ base::WeakPtr<RenderFrameHostImpl> current_rfh_;
// Stores a map of RenderFrameHosts and their current viewport fit values.
std::map<RenderFrameHost*, blink::mojom::ViewportFit> values_;
--
cgit v1.2.1

View File

@ -0,0 +1,47 @@
From abb5119d0f307f7f98e59a5f3ee9872f3d286b37 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jensen@qt.io>
Date: Tue, 29 Mar 2022 17:31:58 +0200
Subject: [Backport] CVE-2022-1096
[runtime] Fix handling of interceptors
Change-Id: I36b218f25c0dff6f5a39931e7536c6588ff46eef
Reviewed-by: Igor Sheludko <ishell@chromium.org>
(cherry picked from commit b85cb23217f629522702c19381db9c65accc1fba)
Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
chromium/v8/src/objects/objects.cc | 10 +++++++---
1 file changed, 7 insertions(+), 3 deletions(-)
diff --git a/src/3rdparty/chromium/v8/src/objects/objects.cc b/src/3rdparty/chromium/v8/src/objects/objects.cc
index 43d835044de..f1d15d27c6e 100644
--- a/src/3rdparty/chromium/v8/src/objects/objects.cc
+++ b/src/3rdparty/chromium/v8/src/objects/objects.cc
@@ -2481,6 +2481,12 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
Maybe<bool> result =
JSObject::SetPropertyWithInterceptor(it, should_throw, value);
if (result.IsNothing() || result.FromJust()) return result;
+ // Assuming that the callback have side effects, we use
+ // Object::SetSuperProperty() which works properly regardless on
+ // whether the property was present on the receiver or not when
+ // storing to the receiver.
+ // Proceed lookup from the next state.
+ it->Next();
} else {
Maybe<PropertyAttributes> maybe_attributes =
JSObject::GetPropertyAttributesWithInterceptor(it);
@@ -2501,10 +2507,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
// property to the receiver.
it->NotFound();
}
- return Object::SetSuperProperty(it, value, store_origin,
- should_throw);
}
- break;
+ return Object::SetSuperProperty(it, value, store_origin, should_throw);
}
case LookupIterator::ACCESSOR: {
--
cgit v1.2.1

View File

@ -1,3 +1,10 @@
-------------------------------------------------------------------
Mon Apr 4 19:25:12 UTC 2022 - Christophe Giboudeaux <christophe@krop.fr>
- Add security fixes:
* CVE-2022-0971-qtwebengine-5.15.patch (CVE-2022-0971, boo#1197163)
* CVE-2022-1096-qtwebengine-5.15.patch (CVE-2022-1096, boo#1197552)
-------------------------------------------------------------------
Fri Mar 25 14:31:28 UTC 2022 - Fabian Vogt <fvogt@suse.com>

View File

@ -49,6 +49,10 @@ Patch2: sandbox-statx-futex_time64.patch
Patch3: rtc-dont-use-h264.patch
# PATCH-FIX-UPSTREAM
Patch4: 0001-skia-Some-includes-to-fix-build-with-GCC-12.patch
# PATCH-FIX-UPSTREAM
Patch5: CVE-2022-0971-qtwebengine-5.15.patch
# PATCH-FIX-UPSTREAM
Patch6: CVE-2022-1096-qtwebengine-5.15.patch
# http://www.chromium.org/blink is not ported to PowerPC & s390
ExcludeArch: ppc ppc64 ppc64le s390 s390x
# Try to fix i586 MemoryErrors with rpmlint