Accepting request 1302714 from KDE:Qt:5.15

- Change the way we pin to ffmpeg-7: set maximum versions for the
  libav* buildrequires insteaf of hardcoding ffmpeg-7-*devel. This
  allows OBS to still shortcut through the mini packages. (forwarded request 1302712 from dimstar)

OBS-URL: https://build.opensuse.org/request/show/1302714
OBS-URL: https://build.opensuse.org/package/show/openSUSE:Factory/libqt5-qtwebengine?expand=0&rev=107

_service

@@ -1,11 +1,12 @@
 <services>
   <service name="tar_scm" mode="disabled">
    <param name="changesgenerate">enable</param>
-   <param name="version">5.15.17</param>
+   <!-- submodule from 85337c28b to 6d29e9cfc -->
+   <param name="version">5.15.19</param>
    <param name="url">git://code.qt.io/qt/qtwebengine.git</param>
    <param name="scm">git</param>
    <param name="filename">qtwebengine-everywhere-src</param>
-   <param name="revision">v5.15.17-lts</param>
+   <param name="revision">v5.15.19-lts</param>
   </service>
   <service name="recompress" mode="disabled">
    <param name="file">*.tar</param>

_servicedata

@@ -1,4 +1,4 @@
 <servicedata>
 <service name="tar_scm">
                 <param name="url">git://code.qt.io/qt/qtwebengine.git</param>
-              <param name="changesrevision">17fd3176988586168bee8654008a097a5f23ec1d</param></service></servicedata>
+              <param name="changesrevision">a5d11cd6f8c487443c15c7e3a6cd8090b65cb313</param></service></servicedata>

libqt5-qtwebengine.changes

@@ -1,3 +1,115 @@
+-------------------------------------------------------------------
+Thu Sep  4 09:03:35 UTC 2025 - Dominique Leuenberger <dimstar@opensuse.org>
+
+- Change the way we pin to ffmpeg-7: set maximum versions for the
+  libav* buildrequires insteaf of hardcoding ffmpeg-7-*devel. This
+  allows OBS to still shortcut through the mini packages.
+
+-------------------------------------------------------------------
+Tue Sep 02 07:23:24 UTC 2025 - Christophe Marin <christophe@krop.fr>
+
+- Update to version 5.15.19:
+  * Bump version to 5.15.19
+  * qmake: Fix qmake2cmake parsing issue for 5.15 SBOM
+  * Update Chromium (patched with security updates up to
+    135.0.7049.95):
+  * [Backport] CVE-2024-10229: Inappropriate implementation in Extensions
+  * [Backport] CVE-2024-10827: Use after free in Serial
+  * [Backport] Security bug 378701682
+  * [Backport] CVE-2024-12694: Use after free in Compositing
+  * [Backport] Security bug 382135228
+  * [Backport] Security bug 384565015
+  * [Backport] CVE-2025-0436: Integer overflow in Skia
+  * [Backport] CVE-2024-11477 / Security bug 383772517
+  * [Backport] CVE-2025-0996: Inappropriate implementation in Browser UI
+  * [Backport] CVE-2025-1426: Heap buffer overflow in GPU
+  * [Backport] Security bug 396481096
+  * [Backport] CVE-2025-0762: Use after free in DevTools
+  * [Backport] CVE-2025-0999: Heap buffer overflow in V8
+  * [Backport] CVE-2024-55549: Fix UAF related to excluded namespaces
+  * [Backport] CVE-2025-24855 Fix use-after-free of XPath context node
+  * [backport] CVE-2025-1919
+  * [Backport] CVE-2025-2783: Incorrect handle provided in
+    unspecified circumstances in Mojo on Windows
+  * [backport] CVE-2025-24201
+  * [backport] CVE-2025-2136
+  * [Backport] Security bug 399002829
+  * [Backport] Security bug 396460489
+  * [Backport] CVE-2025-3619
+  * Various python fixes
+- Drop patches:
+  * python3.12-imp.patch
+  * python3.12-six.patch
+  * python3.13-pipes.patch
+- Don't try to build with ffmpeg >= 8 on factory
+
+-------------------------------------------------------------------
+Thu Apr 24 21:13:27 UTC 2025 - Friedrich Haubensak <hsk17@mail.de>
+
+- Add some backported upstream changes to fix gcc-15 compile time
+  errors:
+  * qtwebengine-5.15.18-gcc15-cstdint.patch
+
+-------------------------------------------------------------------
+Wed Mar 12 08:39:57 UTC 2025 - Fabian Vogt <fvogt@suse.com>
+
+- Add patch to fix the sandbox on 32-bit x86:
+  * sandbox_recvmsg.patch
+
+-------------------------------------------------------------------
+Fri Feb 14 16:17:54 UTC 2025 - Christophe Marin <christophe@krop.fr>
+
+- Add patches:
+  * python3.12-imp.patch
+  * python3.12-six.patch
+  * python3.13-pipes.patch
+
+-------------------------------------------------------------------
+Tue Dec 03 13:23:13 UTC 2024 - christophe@krop.fr
+
+- Update to version 5.15.18:
+  * Bump version to 5.15.18
+  * Fix build errors with -no-opengl configuration
+  * Fixup "Add option to chose python version for building 5.15 WebEngine"
+  * [Backport] CVE-2024-9602: Type Confusion in V8
+  * [Backport] CVE-2024-9603: Type Confusion in V8
+  * FIXUP: [Backport] CVE-2024-7965: Inappropriate implementation in V8
+  * [Backport] CVE-2024-45492 / Security bug 364778067
+  * [Backport] CVE-2024-9123: Integer overflow in Skia
+  * [Backport] CVE-2024-5158: Type Confusion in V8
+  * [Backport] CVE-2024-7971: Type confusion in V8
+  * [Backport] CVE-2024-4761: Out of bounds write in V8
+  * [Backport] CVE-2024-8636: Heap buffer overflow in Skia
+  * [Backport] CVE-2024-8198: Heap buffer overflow in Skia
+  * [Backport] Security bug 346799730
+  * [Backport] CVE-2024-7967: Heap buffer overflow in Fonts
+  * [Backport] CVE-2024-7965: Inappropriate implementation in V8
+  * [Backport] CVE-2024-7532: Out of bounds memory access in ANGLE
+  * Fix build with GCC 15
+  * [Backport] CVE-2024-7536: Use after free in WebAudio
+  * [Backport] Dependency for CVE-2024-7536
+  * [Backport] Security bug 338574384
+  * [Backport] CVE-2024-6996: Race in Frames
+  * [Backport] CVE-2024-6989: Use after free in Loader
+  * [Backport] CVE-2024-6291: Use after free in Swiftshader
+  * [Backport] CVE-2024-5846: Use after free in PDFium
+  * [Backport] Security bug 340606786
+  * [Backport] CVE-2024-5496: Use after free in Media Session
+  * [Backport] Dependency for CVE-2024-3914
+  * [Backport] Security bug 329699609
+  * [Backport] CVE-2024-3914: Use after free in V8
+  * [Backport] CVE-2024-4558: Use after free in ANGLE
+  * [Backport] Security bug 327698060
+  * [Backport] CVE-2024-4058: Type Confusion in ANGLE
+  * [Backport] Security bug 40940917
+  * [Backport] CVE-2024-3837: Use after free in QUIC
+  * [Backport] CVE-2024-3839: Out of bounds read in Fonts
+  * Fix dependecy when compiling content/browser
+  * [Backport] CVE-2024-3516: Heap buffer overflow in ANGLE
+  * [Backport] CVE-2024-3157: Out of bounds write in Compositing
+  * [Backport] Security bug 329674887
+  * Prevent duplicate definition of blink::ResolveColor in jumbo builds
+
 -------------------------------------------------------------------
 Wed Sep  4 14:27:07 UTC 2024 - Guillaume GARDET <guillaume.gardet@opensuse.org>
 

libqt5-qtwebengine.spec

@@ -1,7 +1,7 @@
 #
 # spec file for package libqt5-qtwebengine
 #
-# Copyright (c) 2024 SUSE LLC
+# Copyright (c) 2025 SUSE LLC and contributors
 #
 # All modifications and additions to the file contributed by third parties
 # remain the property of their copyright owners, unless otherwise agreed
@@ -22,6 +22,7 @@
 %bcond_without system_ffmpeg
 %bcond_without system_minizip
 %bcond_without pipewire
+
 # The default python version is too old on Leap 15
 %{?sle15_python_module_pythons}
 %if 0%{?suse_version} == 1500
@@ -35,15 +36,15 @@
 %global _qtwebengine_dictionaries_dir %{_libqt5_datadir}/qtwebengine_dictionaries
 
 Name:           libqt5-qtwebengine
-Version:        5.15.17
+Version:        5.15.19
 Release:        0
 Summary:        Qt 5 WebEngine Library
 License:        LGPL-3.0-only OR GPL-2.0-only OR GPL-3.0-only
 Group:          Development/Libraries/X11
 URL:            https://www.qt.io
 %define base_name libqt5
-%define real_version 5.15.17
-%define so_version 5.15.17
+%define real_version 5.15.19
+%define so_version 5.15.19
 %define tar_version qtwebengine-everywhere-src-%{version}
 Source:         %{tar_version}.tar.xz
 Source99:       libqt5-qtwebengine-rpmlintrc
@@ -64,8 +65,12 @@ Patch6:         Add-missing-dependencies.patch
 # PATCH-FIX-UPSTREAM -- ICU 75 compatibility
 Patch7:         qt5-webengine-icu-75.patch
 Patch8:         0001-Use-default-constructor-in-place-of-self-delegation-.patch
+# PATCH-FIX-UPSTREAM https://bugreports.qt.io/browse/QTBUG-57709?focusedId=427082#comment-427082
+Patch9:         sandbox_recvmsg.patch
+# PATCH-FIX-UPSTREAM -- selected backported upstream changes to support gcc-15
+Patch10:        qtwebengine-5.15.18-gcc15-cstdint.patch
 ### Patch 50-99 are applied conditionally
-# PATCH-FIX-OPENSUSE -- allow building qtwebengine with ffmpeg5
+# PATCH-FIX-UPSTREAM -- allow building qtwebengine with ffmpeg 5
 Patch50:        qtwebengine-ffmpeg5.patch
 Patch51:        qt5-webengine-ffmpeg7.patch
 ###
@@ -146,9 +151,9 @@ BuildRequires:  pkgconfig(icu-uc) >= 65.0
 BuildRequires:  pkgconfig(jsoncpp)
 BuildRequires:  pkgconfig(lcms2)
 %if %{with system_ffmpeg}
-BuildRequires:  pkgconfig(libavcodec)
-BuildRequires:  pkgconfig(libavformat)
-BuildRequires:  pkgconfig(libavutil)
+BuildRequires:  pkgconfig(libavcodec) < 62
+BuildRequires:  pkgconfig(libavformat) < 62
+BuildRequires:  pkgconfig(libavutil) < 60
 %endif
 BuildRequires:  pkgconfig(libcrypto)
 BuildRequires:  pkgconfig(libdrm)
@@ -304,6 +309,8 @@ Examples for the libqt5-qtpdf module.
 %patch -P6 -p1
 %patch -P7 -p1
 %patch -P8 -p1
+%patch -P9 -p1
+%patch -P10 -p1
 
 # FFmpeg 5
 %if %{with system_ffmpeg}

qtwebengine-5.15.18-gcc15-cstdint.patch

@@ -0,0 +1,175 @@
+
+changes backported from upstream to fix gcc-15 compile time errors
+
+this patch file is borrowed from gentoo
+
+--- a/src/3rdparty/chromium/third_party/webrtc/api/task_queue/task_queue_base.h
++++ b/src/3rdparty/chromium/third_party/webrtc/api/task_queue/task_queue_base.h
+@@ -10,6 +10,7 @@
+ #ifndef API_TASK_QUEUE_TASK_QUEUE_BASE_H_
+ #define API_TASK_QUEUE_TASK_QUEUE_BASE_H_
+ 
++#include <cstdint>
+ #include <memory>
+ 
+ #include "api/task_queue/queued_task.h"
+--- a/src/3rdparty/chromium/third_party/perfetto/src/trace_processor/importers/gzip/gzip_utils.h
++++ b/src/3rdparty/chromium/third_party/perfetto/src/trace_processor/importers/gzip/gzip_utils.h
+@@ -17,6 +17,7 @@
+ #ifndef SRC_TRACE_PROCESSOR_IMPORTERS_GZIP_GZIP_UTILS_H_
+ #define SRC_TRACE_PROCESSOR_IMPORTERS_GZIP_GZIP_UTILS_H_
+ 
++#include <cstdint>
+ #include <memory>
+ 
+ struct z_stream_s;
+--- a/src/3rdparty/chromium/third_party/perfetto/include/perfetto/ext/tracing/core/slice.h
++++ b/src/3rdparty/chromium/third_party/perfetto/include/perfetto/ext/tracing/core/slice.h
+@@ -20,6 +20,7 @@
+ #include <stddef.h>
+ #include <string.h>
+ 
++#include <cstdint>
+ #include <memory>
+ #include <string>
+ #include <vector>
+--- a/src/3rdparty/chromium/cc/input/main_thread_scrolling_reason.h
++++ b/src/3rdparty/chromium/cc/input/main_thread_scrolling_reason.h
+@@ -5,6 +5,7 @@
+ #ifndef CC_INPUT_MAIN_THREAD_SCROLLING_REASON_H_
+ #define CC_INPUT_MAIN_THREAD_SCROLLING_REASON_H_
+ 
++#include <cstdint>
+ #include <memory>
+ #include <string>
+ #include "cc/cc_export.h"
+--- a/src/3rdparty/chromium/gpu/command_buffer/common/skia_utils.h
++++ b/src/3rdparty/chromium/gpu/command_buffer/common/skia_utils.h
+@@ -5,6 +5,7 @@
+ #ifndef GPU_COMMAND_BUFFER_COMMON_SKIA_UTILS_H_
+ #define GPU_COMMAND_BUFFER_COMMON_SKIA_UTILS_H_
+ 
++#include <cstdint>
+ #include <memory>
+ 
+ #include "base/optional.h"
+--- a/src/3rdparty/chromium/gpu/command_buffer/service/gpu_fence_manager.h
++++ b/src/3rdparty/chromium/gpu/command_buffer/service/gpu_fence_manager.h
+@@ -5,6 +5,7 @@
+ #ifndef GPU_COMMAND_BUFFER_SERVICE_GPU_FENCE_MANAGER_H_
+ #define GPU_COMMAND_BUFFER_SERVICE_GPU_FENCE_MANAGER_H_
+ 
++#include <cstdint>
+ #include <memory>
+ #include <vector>
+ 
+--- a/src/3rdparty/chromium/net/tools/huffman_trie/trie_entry.h
++++ b/src/3rdparty/chromium/net/tools/huffman_trie/trie_entry.h
+@@ -5,6 +5,7 @@
+ #ifndef NET_TOOLS_HUFFMAN_TRIE_TRIE_ENTRY_H_
+ #define NET_TOOLS_HUFFMAN_TRIE_TRIE_ENTRY_H_
+ 
++#include <cstdint>
+ #include <memory>
+ #include <string>
+ #include <vector>
+--- a/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/page/cpdf_function.h
++++ b/src/3rdparty/chromium/third_party/pdfium/core/fpdfapi/page/cpdf_function.h
+@@ -7,6 +7,7 @@
+ #ifndef CORE_FPDFAPI_PAGE_CPDF_FUNCTION_H_
+ #define CORE_FPDFAPI_PAGE_CPDF_FUNCTION_H_
+ 
++#include <cstdint>
+ #include <memory>
+ #include <set>
+ #include <vector>
+--- a/src/3rdparty/chromium/third_party/pdfium/core/fxcodec/jbig2/JBig2_DocumentContext.h
++++ b/src/3rdparty/chromium/third_party/pdfium/core/fxcodec/jbig2/JBig2_DocumentContext.h
+@@ -7,6 +7,7 @@
+ #ifndef CORE_FXCODEC_JBIG2_JBIG2_DOCUMENTCONTEXT_H_
+ #define CORE_FXCODEC_JBIG2_JBIG2_DOCUMENTCONTEXT_H_
+ 
++#include <cstdint>
+ #include <list>
+ #include <memory>
+ #include <utility>
+--- a/src/3rdparty/chromium/third_party/pdfium/third_party/base/span.h
++++ b/src/3rdparty/chromium/third_party/pdfium/third_party/base/span.h
+@@ -9,6 +9,7 @@
+ 
+ #include <algorithm>
+ #include <array>
++#include <cstdint>
+ #include <iterator>
+ #include <type_traits>
+ #include <utility>
+--- a/src/3rdparty/chromium/third_party/perfetto/include/perfetto/tracing/tracing_backend.h
++++ b/src/3rdparty/chromium/third_party/perfetto/include/perfetto/tracing/tracing_backend.h
+@@ -17,6 +17,7 @@
+ #ifndef INCLUDE_PERFETTO_TRACING_TRACING_BACKEND_H_
+ #define INCLUDE_PERFETTO_TRACING_TRACING_BACKEND_H_
+ 
++#include <cstdint>
+ #include <memory>
+ #include <string>
+ 
+--- a/src/3rdparty/chromium/third_party/webrtc/api/fec_controller.h
++++ b/src/3rdparty/chromium/third_party/webrtc/api/fec_controller.h
+@@ -11,6 +11,7 @@
+ #ifndef API_FEC_CONTROLLER_H_
+ #define API_FEC_CONTROLLER_H_
+ 
++#include <cstdint>
+ #include <memory>
+ #include <vector>
+ 
+--- a/src/3rdparty/chromium/third_party/webrtc/api/network_state_predictor.h
++++ b/src/3rdparty/chromium/third_party/webrtc/api/network_state_predictor.h
+@@ -11,6 +11,7 @@
+ #ifndef API_NETWORK_STATE_PREDICTOR_H_
+ #define API_NETWORK_STATE_PREDICTOR_H_
+ 
++#include <cstdint>
+ #include <memory>
+ #include <vector>
+ 
+--- a/src/3rdparty/chromium/third_party/webrtc/modules/video_coding/timestamp_map.h
++++ b/src/3rdparty/chromium/third_party/webrtc/modules/video_coding/timestamp_map.h
+@@ -11,6 +11,7 @@
+ #ifndef MODULES_VIDEO_CODING_TIMESTAMP_MAP_H_
+ #define MODULES_VIDEO_CODING_TIMESTAMP_MAP_H_
+ 
++#include <cstdint>
+ #include <memory>
+ 
+ namespace webrtc {
+--- a/src/3rdparty/chromium/third_party/webrtc/video/stats_counter.h
++++ b/src/3rdparty/chromium/third_party/webrtc/video/stats_counter.h
+@@ -11,6 +11,7 @@
+ #ifndef VIDEO_STATS_COUNTER_H_
+ #define VIDEO_STATS_COUNTER_H_
+ 
++#include <cstdint>
+ #include <memory>
+ #include <string>
+ 
+--- a/src/3rdparty/chromium/third_party/woff2/include/woff2/output.h
++++ b/src/3rdparty/chromium/third_party/woff2/include/woff2/output.h
+@@ -10,6 +10,7 @@
+ #define WOFF2_WOFF2_OUT_H_
+ 
+ #include <algorithm>
++#include <cstdint>
+ #include <cstring>
+ #include <memory>
+ #include <string>
+--- a/src/3rdparty/chromium/base/task/thread_pool.h
++++ b/src/3rdparty/chromium/base/task/thread_pool.h
+@@ -5,6 +5,7 @@
+ #ifndef BASE_TASK_THREAD_POOL_H_
+ #define BASE_TASK_THREAD_POOL_H_
+ 
++#include <cstdint>
+ #include <memory>
+ #include <utility>
+ 

qtwebengine-everywhere-src-5.15.19.tar.xz

@@ -0,0 +1,3 @@
+version https://git-lfs.github.com/spec/v1
+oid sha256:c127bb77eeb25ce405749facbf9db5165bd8a8972d4bfafdbeee9a0235b04382
+size 322353208

sandbox_recvmsg.patch

@@ -0,0 +1,74 @@
+From: Allan Sandfeld Jensen
+Subject: Allow recvfrom and recvmsg on 32-bit x86
+
+From https://bugreports.qt.io/browse/QTBUG-57709
+
+Edited by fvogt@suse.com to include even more stuff.
+
+Index: qtwebengine-everywhere-src-5.15.18/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+===================================================================
+--- qtwebengine-everywhere-src-5.15.18.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
++++ qtwebengine-everywhere-src-5.15.18/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/syscall_sets.cc
+@@ -363,7 +363,7 @@ bool SyscallSets::IsAllowedOperationOnFd
+ #endif
+     case __NR_dup3:
+ #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+-    defined(__aarch64__)
++    defined(__aarch64__) || defined(__i386__)
+     case __NR_shutdown:
+ #endif
+       return true;
+@@ -465,7 +465,7 @@ bool SyscallSets::IsAllowedGetOrModifySo
+       return true;
+     default:
+ #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+-    defined(__aarch64__)
++    defined(__aarch64__) || defined(__i386__)
+     case __NR_socketpair:  // We will want to inspect its argument.
+ #endif
+       return false;
+@@ -483,6 +483,13 @@ bool SyscallSets::IsDeniedGetOrModifySoc
+     case __NR_socket:
+     case __NR_listen:
+       return true;
++#elif defined(__i386__)
++    case __NR_accept4:
++    case __NR_bind:
++    case __NR_connect:
++    case __NR_socket:
++    case __NR_listen:
++      return true;
+ #endif
+     default:
+       return false;
+@@ -575,7 +582,7 @@ bool SyscallSets::IsAllowedGeneralIo(int
+     case __NR_recv:
+ #endif
+ #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+-    defined(__aarch64__)
++    defined(__aarch64__) || defined(__i386__)
+     case __NR_recvfrom:  // Could specify source.
+     case __NR_recvmsg:   // Could specify source.
+ #endif
+@@ -590,7 +597,7 @@ bool SyscallSets::IsAllowedGeneralIo(int
+     case __NR_send:
+ #endif
+ #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+-    defined(__aarch64__)
++    defined(__aarch64__) || defined(__i386__)
+     case __NR_sendmsg:  // Could specify destination.
+     case __NR_sendto:   // Could specify destination.
+ #endif
+Index: qtwebengine-everywhere-src-5.15.18/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+===================================================================
+--- qtwebengine-everywhere-src-5.15.18.orig/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
++++ qtwebengine-everywhere-src-5.15.18/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+@@ -249,7 +249,7 @@ ResultExpr EvaluateSyscallImpl(int fs_de
+     return RestrictPrctl();
+ 
+ #if defined(__x86_64__) || defined(__arm__) || defined(__mips__) || \
+-    defined(__aarch64__)
++    defined(__aarch64__) || defined(__i386__)
+   if (sysno == __NR_socketpair) {
+     // Only allow AF_UNIX, PF_UNIX. Crash if anything else is seen.
+     static_assert(AF_UNIX == PF_UNIX,