Opened 4 years ago

Closed 4 years ago

Last modified 4 years ago

#13067 closed enhancement (fixed)

qt-everywhere-src-5.14.1 qtwebengine-5.14.1

Reported by: Douglas R. Reno Owned by: ken@…
Priority: high Milestone: 9.1
Component: BOOK Version: SVN
Severity: normal Keywords:


New versions of Qt components

Change History (5)

comment:1 by Douglas R. Reno, 4 years ago

Priority: normalhigh

It looks like this contains some security fixes:

Compared to Qt 5.14.0, the new Qt 5.14.1 contains around 220 bug fixes including security issue fixes for both Qt (CVE-2020-0570) and 3rd party components (CVE-2019-19244, CVE-2019-19603, CVE-2019-19242, CVE-2019-19645, CVE-2019-19646 & CVE-2019-19880). Also in QtWebEngine there are many CVE fixes from Chromium. For details of the most important changes, please check the Change files of Qt 5.14.1.

For the QtWebEngine ones:

Qt 5.14.1 is a bug-fix release. It maintains both forward and backward
compatibility (source and binary) with Qt 5.14.0.

For more details, refer to the online documentation included in this
distribution. The documentation is also available online:

The Qt version 5.14 series is binary compatible with the 5.13.x series.
Applications compiled for 5.13 will continue to run with 5.14.

Some of the changes listed in this file include issue tracking numbers
corresponding to tasks in the Qt Bug Tracker:

Each of these identifiers can be entered in the bug tracker to obtain more
information about a particular change.

*                              Qt 5.14.1 Changes                           *

Important changes

  - [QTBUG-51170] Sandbox is now enabled by default on Windows like on
    other platforms. If it causes any trouble it can be disabled with
    --no-sandbox on the command line or in QTWEBENGINE_CHROMIUM_FLAGS.


  - [QTBUG-74602] Fixed builds with -no-gui
  - [QTBUG-76564] Now supports accept attribute in file input
  - [QTBUG-77442] Added macOS entitlements to
  - [QTBUG-80089] Fixed touch flinging in multithreaded OpenGL mode
  - [QTBUG-80566] Fixed setDownloadDirectory, so order compared to
    setDownloadFilename doesn't matter
  - [QTBUG-80893] Fixed crash when handling QEvent::TouchCancel
  - Fixed clang-cl build
  - Fixed youtube in linux ltcg builds


 - Security fixes from Chromium up to version 79.0.3945.117, including:

    * CVE-2019-13701
    * CVE-2019-13727
    * CVE-2019-13728
    * CVE-2019-13730
    * CVE-2019-13732
    * CVE-2019-13734
    * CVE-2019-13735
    * CVE-2019-13736
    * CVE-2019-13737
    * CVE-2019-13738
    * CVE-2019-13739
    * CVE-2019-13741
    * CVE-2019-13745
    * CVE-2019-13746
    * CVE-2019-13747
    * CVE-2019-13754
    * CVE-2019-13755
    * CVE-2019-13757
    * CVE-2019-13758
    * CVE-2019-13761
    * CVE-2019-13762
    * CVE-2019-13764
    * CVE-2020-6377
    * Security bug 889276
    * Security bug 974375
    * Security bug 1016703
    * Security bug 1017020
    * Security bug 1017961
    * Security bug 1025089
    * Security bug 1027905
    * Security bug 1028191
    * Security bug 1033260

comment:2 by ken@…, 4 years ago

Owner: changed from blfs-book to ken@…
Status: newassigned

Builds ok with existing instructions.

comment:3 by ken@…, 4 years ago

NB I wasn't using the wayland patch, that has almost all been applied in this version.

comment:4 by ken@…, 4 years ago

Resolution: fixed
Status: assignedclosed

comment:5 by Douglas R. Reno, 4 years ago

Some additional information on the QLibrary vulnerability:

Issue 2) CVE-2020-0570
Score: 7.3 (High) - CVSS:3.0/AV:L/AC:L/PR:L/UI:R/S:U/C:H/I:H/A:H/E:F/RL:O/RC:C
* Vendor: Qt Project
* Product: Qt
* Versions affected: 5.12.0 through 5.14.0
* Versions fixed: 5.14.1 (released), 5.12.7, 5.9.10 (future)
* Issue: local attack, loading and execution of untrusted code
* Scope: class QLibrary (qtbase/src/corelib/plugin)
* Reference:
* Description:
QLibrary in Qt versions 5.12.0 through 5.14.0, on certain x86 machines, would 
search for certain libraries and plugins relative to current working directory 
of the application, which allows an attacker that can place files in the file 
system and influence the working directory of Qt-based applications to load 
and execute malicious code. This issue was verified on Linux and probably 
affects all Unix operating systems, other than macOS (Darwin). This issue does 
not affect Windows.
Note: See TracTickets for help on using tickets.