Opened 18 months ago

Closed 18 months ago

Last modified 18 months ago

#13067 closed enhancement (fixed)

qt-everywhere-src-5.14.1 qtwebengine-5.14.1

Reported by: Douglas R. Reno Owned by: ken@…
Priority: high Milestone: 9.1
Component: BOOK Version: SVN
Severity: normal Keywords:
Cc:

Description

New versions of Qt components

Change History (5)

comment:1 by Douglas R. Reno, 18 months ago

Priority: normalhigh

It looks like this contains some security fixes:

Compared to Qt 5.14.0, the new Qt 5.14.1 contains around 220 bug fixes including security issue fixes for both Qt (CVE-2020-0570) and 3rd party components (CVE-2019-19244, CVE-2019-19603, CVE-2019-19242, CVE-2019-19645, CVE-2019-19646 & CVE-2019-19880). Also in QtWebEngine there are many CVE fixes from Chromium. For details of the most important changes, please check the Change files of Qt 5.14.1.

For the QtWebEngine ones:

Qt 5.14.1 is a bug-fix release. It maintains both forward and backward
compatibility (source and binary) with Qt 5.14.0.

For more details, refer to the online documentation included in this
distribution. The documentation is also available online:

https://doc.qt.io/qt-5/index.html

The Qt version 5.14 series is binary compatible with the 5.13.x series.
Applications compiled for 5.13 will continue to run with 5.14.

Some of the changes listed in this file include issue tracking numbers
corresponding to tasks in the Qt Bug Tracker:

https://bugreports.qt.io/

Each of these identifiers can be entered in the bug tracker to obtain more
information about a particular change.

****************************************************************************
*                              Qt 5.14.1 Changes                           *
****************************************************************************

Important changes
-----------------

  - [QTBUG-51170] Sandbox is now enabled by default on Windows like on
    other platforms. If it causes any trouble it can be disabled with
    --no-sandbox on the command line or in QTWEBENGINE_CHROMIUM_FLAGS.

General
-------

  - [QTBUG-74602] Fixed builds with -no-gui
  - [QTBUG-76564] Now supports accept attribute in file input
  - [QTBUG-77442] Added macOS entitlements to QtWebEngineProcess.app
  - [QTBUG-80089] Fixed touch flinging in multithreaded OpenGL mode
  - [QTBUG-80566] Fixed setDownloadDirectory, so order compared to
    setDownloadFilename doesn't matter
  - [QTBUG-80893] Fixed crash when handling QEvent::TouchCancel
  - Fixed clang-cl build
  - Fixed youtube in linux ltcg builds


Chromium
--------

 - Security fixes from Chromium up to version 79.0.3945.117, including:

    * CVE-2019-13701
    * CVE-2019-13727
    * CVE-2019-13728
    * CVE-2019-13730
    * CVE-2019-13732
    * CVE-2019-13734
    * CVE-2019-13735
    * CVE-2019-13736
    * CVE-2019-13737
    * CVE-2019-13738
    * CVE-2019-13739
    * CVE-2019-13741
    * CVE-2019-13745
    * CVE-2019-13746
    * CVE-2019-13747
    * CVE-2019-13754
    * CVE-2019-13755
    * CVE-2019-13757
    * CVE-2019-13758
    * CVE-2019-13761
    * CVE-2019-13762
    * CVE-2019-13764
    * CVE-2020-6377
    * Security bug 889276
    * Security bug 974375
    * Security bug 1016703
    * Security bug 1017020
    * Security bug 1017961
    * Security bug 1025089
    * Security bug 1027905
    * Security bug 1028191
    * Security bug 1033260

comment:2 by ken@…, 18 months ago

Owner: changed from blfs-book to ken@…
Status: newassigned

Builds ok with existing instructions.

comment:3 by ken@…, 18 months ago

NB I wasn't using the wayland patch, that has almost all been applied in this version.

comment:4 by ken@…, 18 months ago

Resolution: fixed
Status: assignedclosed

comment:5 by Douglas R. Reno, 18 months ago

Some additional information on the QLibrary vulnerability:

Issue 2) CVE-2020-0570
Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
* Vendor: Qt Project
* Product: Qt
* Versions affected: 5.12.0 through 5.14.0
* Versions fixed: 5.14.1 (released), 5.12.7, 5.9.10 (future)
* Issue: local attack, loading and execution of untrusted code
* Scope: class QLibrary (qtbase/src/corelib/plugin)
* Reference: https://bugreports.qt.io/browse/QTBUG-81272
* Description:
QLibrary in Qt versions 5.12.0 through 5.14.0, on certain x86 machines, would 
search for certain libraries and plugins relative to current working directory 
of the application, which allows an attacker that can place files in the file 
system and influence the working directory of Qt-based applications to load 
and execute malicious code. This issue was verified on Linux and probably 
affects all Unix operating systems, other than macOS (Darwin). This issue does 
not affect Windows.
Note: See TracTickets for help on using tickets.