#12723 closed enhancement (fixed)

Create sed to fix CVE-2019-13720 (qtwebengine)

Reported by: Douglas R. Reno Owned by: Douglas R. Reno
Priority: highest Milestone: 9.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

Earlier today, I was made aware of a security vulnerability that is leading to arbitrary code execution via Chromium's audio layer, which affects QtWebEngine (and thus Falkon, which I'll test). The patch looks as if we can add a sed.

Arch Linux Security Advisory ASA-201911-2
=========================================

Severity: Critical
Date    : 2019-11-02
CVE-ID  : CVE-2019-13720
Package : qt5-webengine
Type    : arbitrary code execution
Remote  : Yes
Link    : https://security.archlinux.org/AVG-1059

Summary
=======

The package qt5-webengine before version 5.13.2-2 is vulnerable to
arbitrary code execution.

Resolution
==========

Upgrade to 5.13.2-2.

# pacman -Syu "qt5-webengine>=5.13.2-2"

The problem has been fixed upstream but no release is available yet.

Workaround
==========

None.

Description
===========

A use-after-free vulnerability has been found in the audio component of
the chromium browser before 78.0.3904.87. Google is aware of reports
that an exploit for this vulnerability exists in the wild.

Impact
======

A remote attacker can execute arbitrary code on the affected host.

References
==========

https://bugs.archlinux.org/task/64347
https://code.qt.io/cgit/qt/qtwebengine-chromium.git/patch/?id=d6e5fc10e417efdf8665d9fba57c269f0534072f
https://chromereleases.googleblog.com/2019/10/stable-channel-update-for-desktop_31.html
https://crbug.com/1019226
https://security.archlinux.org/CVE-2019-13720

Change History (6)

comment:1 by Douglas R. Reno, 21 months ago

Owner: changed from blfs-book to Douglas R. Reno
Status: newassigned

comment:2 by Douglas R. Reno, 21 months ago

Please note that this vulnerability is getting a lot of media attention as well

comment:3 by Douglas R. Reno, 21 months ago

The sed I'm testing:

sed -i '/if (!buffer) {/a \

BaseAudioContext::GraphAutoLocker context_locker(Context()); \n \ MutexLocker locker(process_lock_);' src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc

comment:4 by Bruce Dubbs, 21 months ago

Doesn't look quite right. Compare with:

sed -e '/!buffer/a \
\    BaseAudioContext::GraphAutoLocker context_locker(Context()); \
\    MutexLocker locker(process_lock_);' \
    -i src/3rdparty/chromium/third_party/blink/renderer/modules/webaudio/convolver_node.cc

comment:5 by Douglas R. Reno, 21 months ago

Tested Falkon and everything seems to be good. Rendering the book and committing.

comment:6 by Douglas R. Reno, 21 months ago

Resolution: fixed
Status: assignedclosed

Fixed at r22346

Note: See TracTickets for help on using tickets.