Accepting request 967609 from home:cgiboudeaux:qtwebengine-lts

Update to 5.15.9 OBS-URL: https://build.opensuse.org/request/show/967609 OBS-URL: https://build.opensuse.org/package/show/KDE:Qt:5.15/libqt5-qtwebengine?expand=0&rev=39
2022-04-08 09:40:17 +00:00 · 2022-04-08 09:40:17 +00:00 · f542421725
commit f542421725
parent 078276d461
8 changed files with 82 additions and 217 deletions
--- a/CVE-2022-0971-qtwebengine-5.15.patch
+++ b/CVE-2022-0971-qtwebengine-5.15.patch
@ -1,157 +0,0 @@
-From d13d0924c4e18ecc4b79adf0fec142ee9a9eaa14 Mon Sep 17 00:00:00 2001
-From: "liberato@chromium.org" <liberato@chromium.org>
-Date: Mon, 7 Mar 2022 20:17:13 +0000
-Subject: [Backport] CVE-2022-0971
-
-Don't use a deleted RenderFrameHost.
-
-Since we do not check for frame liveness, a RenderFrameHost might be
-deleted (in the use-after-free sense) without another call to
-RenderFrameDeleted.  So, WeakPtr it to avoid these cases.
-
-Bug: 1299422
-
-Task-number: QTBUG-101946
-Change-Id: Ie4fe85f88ef80f4e4c3d0452397c0e5050ed881c
-Reviewed-by: Allan Sandfeld Jensen <allan.jensen@qt.io>
---
- .../display_cutout/display_cutout_host_impl.cc     | 29 +++++++++++++---------
- .../display_cutout/display_cutout_host_impl.h      | 10 ++++++--
- 2 files changed, 25 insertions(+), 14 deletions(-)
-
-diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
-index 1640ec83489..8f89cc24b5f 100644
--- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
-+++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
-@@ -5,6 +5,7 @@
- #include "content/browser/display_cutout/display_cutout_host_impl.h"
- 
- #include "content/browser/display_cutout/display_cutout_constants.h"
-+#include "content/browser/renderer_host/render_frame_host_impl.h"
- #include "content/browser/web_contents/web_contents_impl.h"
- #include "content/public/browser/navigation_handle.h"
- #include "mojo/public/cpp/bindings/associated_remote.h"
-@@ -33,7 +34,7 @@ void DisplayCutoutHostImpl::ViewportFitChangedForFrame(
- 
-   // If we are the current |RenderFrameHost| frame then notify
-   // WebContentsObservers about the new value.
-  if (current_rfh_ == rfh)
-+  if (current_rfh_.get() == rfh)
-     web_contents_impl_->NotifyViewportFitChanged(value);
- 
-   MaybeQueueUKMEvent(rfh);
-@@ -60,7 +61,9 @@ void DisplayCutoutHostImpl::DidFinishNavigation(
- 
-   // If we finish a main frame navigation and the |WebDisplayMode| is
-   // fullscreen then we should make the main frame the current
-  // |RenderFrameHost|.
-+  // |RenderFrameHost|.  Note that this is probably not correct; we do not check
-+  // that the navigation completed successfully, nor do we check if the main
-+  // frame is still IsRenderFrameLive().
-   blink::mojom::DisplayMode mode = web_contents_impl_->GetDisplayMode();
-   if (mode == blink::mojom::DisplayMode::kFullscreen)
-     SetCurrentRenderFrameHost(web_contents_impl_->GetMainFrame());
-@@ -70,7 +73,7 @@ void DisplayCutoutHostImpl::RenderFrameDeleted(RenderFrameHost* rfh) {
-   values_.erase(rfh);
- 
-   // If we were the current |RenderFrameHost| then we should clear that.
-  if (current_rfh_ == rfh)
-+  if (current_rfh_.get() == rfh)
-     SetCurrentRenderFrameHost(nullptr);
- }
- 
-@@ -87,7 +90,7 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
-   insets_ = insets;
- 
-   if (current_rfh_)
-    SendSafeAreaToFrame(current_rfh_, insets);
-+    SendSafeAreaToFrame(current_rfh_.get(), insets);
- 
-   // If we have a pending UKM event on the top of the stack that is |kAllowed|
-   // and we have a |current_rfh_| then we should update that UKM event as it
-@@ -100,26 +103,28 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
- }
- 
- void DisplayCutoutHostImpl::SetCurrentRenderFrameHost(RenderFrameHost* rfh) {
-  if (current_rfh_ == rfh)
-+  if (current_rfh_.get() == rfh)
-     return;
- 
-   // If we had a previous frame then we should clear the insets on that frame.
-   if (current_rfh_)
-    SendSafeAreaToFrame(current_rfh_, gfx::Insets());
-
-  // Update the |current_rfh_| with the new frame.
-  current_rfh_ = rfh;
-+    SendSafeAreaToFrame(current_rfh_.get(), gfx::Insets());
- 
-   // If the new RenderFrameHost is nullptr we should stop here and notify
-   // observers that the new viewport fit is kAuto (the default).
-   if (!rfh) {
-+    current_rfh_ = nullptr;
-     web_contents_impl_->NotifyViewportFitChanged(
-         blink::mojom::ViewportFit::kAuto);
-     return;
-   }
- 
-+
-+  // Update the |current_rfh_| with the new frame.
-+  current_rfh_ = static_cast<RenderFrameHostImpl*>(rfh)->GetWeakPtr();
-+
-   // Record a UKM event for the new frame.
-  MaybeQueueUKMEvent(current_rfh_);
-+  MaybeQueueUKMEvent(current_rfh_.get());
- 
-   // Send the current safe area to the new frame.
-   SendSafeAreaToFrame(rfh, insets_);
-@@ -159,11 +164,11 @@ void DisplayCutoutHostImpl::MaybeQueueUKMEvent(RenderFrameHost* frame) {
-   blink::mojom::ViewportFit supplied_value = GetValueOrDefault(frame);
-   if (supplied_value == blink::mojom::ViewportFit::kAuto)
-     return;
-  blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_);
-+  blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_.get());
- 
-   // Set the reason why this frame is not the current frame.
-   int ignored_reason = DisplayCutoutIgnoredReason::kAllowed;
-  if (current_rfh_ != frame) {
-+  if (current_rfh_.get() != frame) {
-     ignored_reason =
-         current_rfh_ == nullptr
-             ? DisplayCutoutIgnoredReason::kWebContentsNotFullscreen
-diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
-index 56081029df0..2477a4bcd7d 100644
--- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
-+++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
-@@ -5,12 +5,15 @@
- #ifndef CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
- #define CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
- 
-+#include "base/memory/weak_ptr.h"
- #include "content/public/browser/web_contents_observer.h"
- #include "content/public/browser/web_contents_receiver_set.h"
- #include "third_party/blink/public/mojom/page/display_cutout.mojom.h"
- 
- namespace content {
- 
-+class RenderFrameHostImpl;
-+
- class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
-  public:
-   explicit DisplayCutoutHostImpl(WebContentsImpl*);
-@@ -74,8 +77,11 @@ class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
-   gfx::Insets insets_;
- 
-   // Stores the current |RenderFrameHost| that has the applied safe area insets
-  // and is controlling the viewport fit value.
-  RenderFrameHost* current_rfh_ = nullptr;
-+  // and is controlling the viewport fit value. This value is different than
-+  // `WebContentsImpl::current_fullscreen_frame_` because it also considers
-+  // browser side driven fullscreen mode, not just renderer side requested
-+  // frames.
-+  base::WeakPtr<RenderFrameHostImpl> current_rfh_;
- 
-   // Stores a map of RenderFrameHosts and their current viewport fit values.
-   std::map<RenderFrameHost*, blink::mojom::ViewportFit> values_;
-- 
-cgit v1.2.1
-
--- a/CVE-2022-1096-qtwebengine-5.15.patch
+++ b/CVE-2022-1096-qtwebengine-5.15.patch
@ -1,47 +0,0 @@
-From abb5119d0f307f7f98e59a5f3ee9872f3d286b37 Mon Sep 17 00:00:00 2001
-From: Allan Sandfeld Jensen <allan.jensen@qt.io>
-Date: Tue, 29 Mar 2022 17:31:58 +0200
-Subject: [Backport] CVE-2022-1096
-
-[runtime] Fix handling of interceptors
-
-Change-Id: I36b218f25c0dff6f5a39931e7536c6588ff46eef
-Reviewed-by: Igor Sheludko <ishell@chromium.org>
-(cherry picked from commit b85cb23217f629522702c19381db9c65accc1fba)
-Reviewed-by: Michal Klocek <michal.klocek@qt.io>
---
- chromium/v8/src/objects/objects.cc | 10 +++++++---
- 1 file changed, 7 insertions(+), 3 deletions(-)
-
-diff --git a/src/3rdparty/chromium/v8/src/objects/objects.cc b/src/3rdparty/chromium/v8/src/objects/objects.cc
-index 43d835044de..f1d15d27c6e 100644
--- a/src/3rdparty/chromium/v8/src/objects/objects.cc
-+++ b/src/3rdparty/chromium/v8/src/objects/objects.cc
-@@ -2481,6 +2481,12 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
-           Maybe<bool> result =
-               JSObject::SetPropertyWithInterceptor(it, should_throw, value);
-           if (result.IsNothing() || result.FromJust()) return result;
-+          // Assuming that the callback have side effects, we use
-+          // Object::SetSuperProperty() which works properly regardless on
-+          // whether the property was present on the receiver or not when
-+          // storing to the receiver.
-+          // Proceed lookup from the next state.
-+          it->Next();
-         } else {
-           Maybe<PropertyAttributes> maybe_attributes =
-               JSObject::GetPropertyAttributesWithInterceptor(it);
-@@ -2501,10 +2507,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it,
-             // property to the receiver.
-             it->NotFound();
-           }
-          return Object::SetSuperProperty(it, value, store_origin,
-                                          should_throw);
-         }
-        break;
-+        return Object::SetSuperProperty(it, value, store_origin, should_throw);
-       }
- 
-       case LookupIterator::ACCESSOR: {
-- 
-cgit v1.2.1
-
--- a/4
+++ b/4
@ -1,11 +1,11 @@
 <services>
  <service name="tar_scm" mode="disabled">
   <param name="changesgenerate">enable</param>
-   <param name="version">5.15.8</param>
+   <param name="version">5.15.9</param>
   <param name="url">git://code.qt.io/qt/qtwebengine.git</param>
   <param name="scm">git</param>
   <param name="filename">qtwebengine-everywhere-src</param>
-   <param name="revision">v5.15.8-lts</param>
+   <param name="revision">v5.15.9-lts</param>
  </service>
  <service name="recompress" mode="disabled">
   <param name="file">*.tar</param>
--- a/2
+++ b/2
@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                <param name="url">git://code.qt.io/qt/qtwebengine.git</param>
-              <param name="changesrevision">96e932d73057c3e705b849249fb02e1837b7576d</param></service></servicedata>
+              <param name="changesrevision">4f570bd7add21725d66ac8396dcf21917c3a603f</param></service></servicedata>
--- a/libqt5-qtwebengine.changes
+++ b/libqt5-qtwebengine.changes
@ -1,3 +1,76 @@
+-------------------------------------------------------------------
+Wed Apr 06 14:41:04 UTC 2022 - christophe@krop.fr
+
+- Update to version 5.15.9:
+  * QPdfView: scale page rendering according to devicePixelRatio
+  * Update documented Chromium version
+  * Use IsSameDocument() rather than IsLoadingToDifferentDocument()
+  * Update module-split for installer
+  * Fix printing PDF files
+  * Do not override signal handlers
+  * Avoid using xkbcommon in non-X11 builds
+  * Update documentation
+  * Update Chromium:
+    * Bump V8_PATCH_LEVEL
+    * Do not overwrite signal handlers in the browser process.
+    * Replace base::ranges::set_union with std::set_union to fix
+      MSVC2017 build
+    * [Backport] CVE-2022-0100: Heap buffer overflow in Media
+      streams API
+    * [Backport] CVE-2022-0102: Type Confusion in V8
+    * [Backport] CVE-2022-0103: Use after free in SwiftShader
+    * [Backport] CVE-2022-0104: Heap buffer overflow in ANGLE
+    * [Backport] CVE-2022-0108: Inappropriate implementation
+      in Navigation
+    * [Backport] CVE-2022-0109: Inappropriate implementation
+      in Autofill
+    * [Backport] CVE-2022-0111 and CVE-2022-0117
+    * [Backport] CVE-2022-0113: Inappropriate implementatio
+      n in Blink
+    * [Backport] CVE-2022-0116: Inappropriate implementation
+      in Compositing
+    * [Backport] CVE-2022-0289: Use after free in Safe browsing
+    * [Backport] CVE-2022-0291: Inappropriate implementation
+      in Storage
+    * [Backport] CVE-2022-0293: Use after free in Web packaging
+    * [Backport] CVE-2022-0298: Use after free in Scheduling
+    * [Backport] CVE-2022-0305: Inappropriate implementation in
+      Service Worker API
+    * [Backport] CVE-2022-0306: Heap buffer overflow in PDFium
+    * [Backport] CVE-2022-0310 and CVE-0311: Heap buffer overflow
+      in Task Manager
+    * [Backport] CVE-2022-0456: Use after free in Web Search
+    * [Backport] CVE-2022-0459: Use after free in Screen Capture
+    * [Backport] CVE-2022-0460: Use after free in Window Dialog
+    * [Backport] CVE-2022-0461: Policy bypass in COOP
+    * [Backport] CVE-2022-0606: Use after free in ANGLE
+    * [Backport] CVE-2022-0607: Use after free in GPU
+    * [Backport] CVE-2022-0608: Integer overflow in Mojo
+    * [Backport] CVE-2022-0609: Use after free in Animation
+    * [Backport] CVE-2022-0610: Inappropriate implementation
+      in Gamepad API
+    * [Backport] CVE-2022-0971 (boo#1197163)
+    * [Backport] CVE-2022-1096 (boo#1197552)
+    * [Backport] CVE-2022-23852
+    * [Backport] Copy 'name_' member during StyleRuleProperty::Copy
+    * [Backport] Security bug 1256885
+    * [Backport] Security bug 1258603
+    * [Backport] Security bug 1259557
+    * [Backport] Security bug 1261415
+    * [Backport] Security bug 1265570
+    * [Backport] Security bug 1268448
+    * [Backport] Security bug 1270014
+    * [Backport] Security bug 1274113
+    * [Backport] Security bug 1276331
+    * [Backport] Security bug 1280743
+    * [Backport] Security bug 1289394
+    * [Backport] Security bug 1292537
+    * [Backport] sandbox: build if glibc 2.34+ dynamic stack size
+      is enabled
+- Drop patches, now upstream:
+  * CVE-2022-0971-qtwebengine-5.15.patch
+  * CVE-2022-1096-qtwebengine-5.15.patch
+
 -------------------------------------------------------------------
 Mon Apr  4 19:25:12 UTC 2022 - Christophe Giboudeaux <christophe@krop.fr>

--- a/libqt5-qtwebengine.spec
+++ b/libqt5-qtwebengine.spec
@ -29,15 +29,15 @@
 %global _qtwebengine_dictionaries_dir %{_libqt5_datadir}/qtwebengine_dictionaries

 Name:           libqt5-qtwebengine
-Version:        5.15.8
+Version:        5.15.9
 Release:        0
 Summary:        Qt 5 WebEngine Library
 License:        LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 Group:          Development/Libraries/X11
 URL:            https://www.qt.io
 %define base_name libqt5
-%define real_version 5.15.8
-%define so_version 5.15.8
+%define real_version 5.15.9
+%define so_version 5.15.9
 %define tar_version qtwebengine-everywhere-src-%{version}
 Source:         %{tar_version}.tar.xz
 # PATCH-FIX-UPSTREAM armv6-ffmpeg-no-thumb.patch - Fix ffmpeg configuration for armv6
@ -49,10 +49,6 @@ Patch2:         sandbox-statx-futex_time64.patch
 Patch3:         rtc-dont-use-h264.patch
 # PATCH-FIX-UPSTREAM
 Patch4:         0001-skia-Some-includes-to-fix-build-with-GCC-12.patch
-# PATCH-FIX-UPSTREAM
-Patch5:         CVE-2022-0971-qtwebengine-5.15.patch
-# PATCH-FIX-UPSTREAM
-Patch6:         CVE-2022-1096-qtwebengine-5.15.patch
 # http://www.chromium.org/blink is not ported to PowerPC & s390
 ExcludeArch:    ppc ppc64 ppc64le s390 s390x
 # Try to fix i586 MemoryErrors with rpmlint
--- a/qtwebengine-everywhere-src-5.15.8.tar.xz
+++ b/qtwebengine-everywhere-src-5.15.8.tar.xz
@ -1,3 +0,0 @@
-version https://git-lfs.github.com/spec/v1
-oid sha256:acb9be08d9ef4ab59274953235c364181aab58d06feb4bff1845d43a70406975
-size 319364220
--- a/qtwebengine-everywhere-src-5.15.9.tar.xz
+++ b/qtwebengine-everywhere-src-5.15.9.tar.xz
@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:863ec90692ecc649044af8b8613446ad813c4f50c7bcb8c24892ba70e51cc5cd
+size 314298796