Opened 4 years ago
Closed 4 years ago
#15471 closed enhancement (fixed)
qtwebengine-5.15.6
Reported by: | Owned by: | ||
---|---|---|---|
Priority: | elevated | Milestone: | 11.0 |
Component: | BOOK | Version: | git |
Severity: | normal | Keywords: | |
Cc: |
Description
It seems that commercial LTS qt-5.15.6 is close to release (nominally expected for August). As part of that, the public changes for qtwebengine-5.15.6 appear to be complete.
In the big distros, both Fedora (rawhide) and Debian (sid) have produced versions in the last two or three months labelled as 5.15.5. I therefore propose to upload the new tarball as qtwebengine-5.15.6 rather than using a date in the name. Please note that it will continue to be installed as 5.15.2 to match the installed version of Qt.
The following new backported CVE fixes are in this version (status from nvd):
CVE-2021-30604: Use after free in ANGLE Not yet public
CVE-2021-30603: Race in WebAudio Not yet public
CVE-2021-30602: Use after free in WebRTC Not yet public
CVE-2021-30599: Type Confusion in V8 Not yet public
CVE-2021-30598: Type Confusion in V8 Not yet public
CVE-2021-30588: Type Confusion in V8 High
CVE-2021-30587: Inappropriate implementation in Compositing Medium
CVE-2021-30585: Use after free in sensor handling High
CVE-2021-30573: Use after free in GPU High
CVE-2021-30569: Use after free in sqlite High
CVE-2021-30568: Heap buffer overflow in WebGL High
CVE-2021-30563: Type Confusion in V8 High
CVE-2021-30560: Use after free in Blink XSLT High
CVE-2021-30559: Out of bounds write in ANGLE High
CVE-2021-30556: Use after free in WebAudio High
CVE-2021-30554: Use after free in WebGL High
CVE-2021-30553: Use after free in Network service High
CVE-2021-30551: Type Confusion in V8 High
CVE-2021-30548: Use after free in Loader High
CVE-2021-30547: Out of bounds write in ANGLE High
CVE-2021-30544: Use after free in BFCache High
CVE-2021-30541: Use after free in V8 High
CVE-2021-30536: Out of bounds read in V8 High
CVE-2021-30535: Double free in ICU High
CVE-2021-30534: Insufficient policy enforcement in iFrameSandbox Medium
CVE-2021-30533: Insufficient policy enforcement in PopupBlocker Medium
CVE-2021-30530: Out of bounds memory access in WebAudio High
CVE-2021-30523: Use after free in WebRTC High
CVE-2021-30522: Use after free in WebAudio High
Tarball and patch at https://www.linuxfromscratch.org/~ken/test/ - tested on 11.0rc2
Change History (4)
comment:1 by , 4 years ago
comment:2 by , 4 years ago
Commit @d8853887d2de5d325bfa1f18710c4b88e1e133b0 and merge @10e2d5f1364a9fd88237e8fb097ed019a613979b
comment:3 by , 4 years ago
Updates at NVD:
CVE-2021-30604: Use after free in ANGLE High
CVE-2021-30603: Race in WebAudio High
CVE-2021-30602: Use after free in WebRTC High
CVE-2021-30599: Type Confusion in V8 High
CVE-2021-30598: Type Confusion in V8 High
comment:4 by , 4 years ago
Resolution: | → fixed |
---|---|
Status: | assigned → closed |
Security Advisory SA 10.1-103.
I'm not sure I'd mark this one as Elevated considering the amount of High severity issues.