Opened 3 years ago
Closed 3 years ago
#16377 closed enhancement (fixed)
qtwebengine-5.15.9
| Reported by: | | Owned by: | |
|---|---|---|---|
| Priority: | normal | Milestone: | 11.2 |
| Component: | BOOK | Version: | git |
| Severity: | normal | Keywords: | |
| Cc: | | | |
Description
The expected release date of paid-for qt-5.15.9 was March. It seems that the updates for qtwebengine were completed by 30th March, although the latest commit to merge chromium changes did not hit 5.15 until this week (merged by a bot).
Unusually, the build fixes patch from 5.15.8 all applies.
Even more unusually, one of the upstream patches for qtwebengine itself broke my build https://code.qt.io/cgit/qt/qtwebengine.git/commit/?h=5.15.9&id=34b5b4b19c510aa6d701119d9c594a754bd21afc - that adds one line,
contentMainParams.setup_signal_handlers = false;
with a comment "We used to have this, but it got dropped at some point in an adaptions."
In my build, that causes
/scratch/working/qtwebengine-5.15.9/src/core/web_engine_context.cpp:799:23: error: 'struct content::ContentMainParams' has no member named 'setup_signal_handlers'
  799 |     contentMainParams.setup_signal_handlers = false;
      |                       ^~~~~~~~~~~~~~~~~~~~~
and that is the ONLY reference to setup_signal_handlers that I can find (and nothing at all in full qt-5.15.2, nor in the modules for which I have pulled kf5 patches).
Looking at the bug it is intended to fix, https://bugreports.qt.io/browse/QTBUG-99263 the bug was reported against 6.2 on macOS. I've seen a previous oddity in one of the kf5 patches re macOS (public 5.15.2 didn't seem to include what was being patched). Whatever, it apparently built in qt's own testing but it doesn't build for me, so I've dropped it.
There are 30 new CVEs since 5.15.8 - with the exception of picking up the expat fix ('Critical'), maximum severity seems to be High although some are not yet public, and at least one of the High ones has been reported to be actively exploited.
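Added example, not code from this ticket, from Qt or from Chromium: the build break above comes from an upstream one-liner that assumes a field the embedded Chromium does not have. A compile-time member check lets the same line apply where the field exists and compile to a no-op where it does not, instead of dropping the change. The two `Params*` structs are constructed stand-ins for `content::ContentMainParams`, and the function names are hypothetical.

```cpp
#include <type_traits>
#include <utility>

// Constructed stand-ins: one shaped like the newer Chromium the upstream commit
// targeted, one like the older embedded copy that gave "has no member named".
struct ParamsWithMember {
    bool setup_signal_handlers = true;
};
struct ParamsWithoutMember {
    int unrelated = 0;
};

// C++11-portable void_t for the detection idiom below.
template <typename...> struct make_void { using type = void; };
template <typename... Ts> using void_t = typename make_void<Ts...>::type;

// HasSetupSignalHandlers<T> is true_type only when T::setup_signal_handlers
// exists and can be assigned a bool; otherwise substitution fails -> false_type.
template <typename T, typename = void>
struct HasSetupSignalHandlers : std::false_type {};

template <typename T>
struct HasSetupSignalHandlers<
    T, void_t<decltype(std::declval<T&>().setup_signal_handlers = false)>>
    : std::true_type {};

// Tag dispatch: the assignment is only instantiated for the true_type overload,
// so the no-member case never references the missing field.
template <typename Params>
bool applySignalHandlerSetting(Params& params, std::true_type) {
    params.setup_signal_handlers = false;  // the upstream one-line change
    return true;
}
template <typename Params>
bool applySignalHandlerSetting(Params&, std::false_type) {
    return false;  // field absent: nothing to set, build still succeeds
}

// Returns true if the field was present and cleared, false if it was skipped.
template <typename Params>
bool disableSignalHandlersIfSupported(Params& params) {
    return applySignalHandlerSetting(params, HasSetupSignalHandlers<Params>{});
}

bool appliesToNewerParams() {
    ParamsWithMember p;
    return disableSignalHandlersIfSupported(p) && !p.setup_signal_handlers;
}

bool skipsOnOlderParams() {
    ParamsWithoutMember p;
    return !disableSignalHandlersIfSupported(p);
}
```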
Change History (4)
comment:1 by , 3 years ago
comment:2 by , 3 years ago
I had hoped to get my own scripts up to date and test this in a fresh build with current versions of everything, but I'm still some way away from that. Dropping it in now (seems ok on BLFS-11.1 and earlier), tarball is on anduin and patch has been rolled forward and pushed.
The Security Advisory will probably be delayed (I've been unwell in the last 12 hours), so in the meantime I'll copy the CVE fixes here from the CVE-fixes file in the tarball.
| CVE | Description | Severity |
|---|---|---|
| CVE-2022-23852 | Signed integer overflow in expat before 2.4.4 | Critical † |
| CVE-2022-1096 | Fix handling of interceptors | Not yet public |
| CVE-2022-0971 | Don't use a deleted RenderFrameHost | Not yet public |
| CVE-2022-0610 | Inappropriate implementation in Gamepad API | Not yet public |
| CVE-2022-0609 | Use after free in Animation | Not yet public |
| CVE-2022-0608 | Integer overflow in Mojo | Not yet public |
| CVE-2022-0607 | Use after free in GPU | Not yet public |
| CVE-2022-0606 | Use after free in ANGLE | Not yet public |
| CVE-2022-0461 | Policy bypass in COOP | Not yet public |
| CVE-2022-0460 | Use after free in Window Dialog | Not yet public |
| CVE-2022-0459 | Use after free in Screen | Not yet public |
| CVE-2022-0456 | Use after free in Web Search | Not yet public |
| CVE-2022-0311 | Heap buffer overflow in Task Manager | High |
| CVE-2022-0310 | Heap buffer overflow in Task Manager | High |
| CVE-2022-0306 | Heap buffer overflow in PDFium | High |
| CVE-2022-0305 | Inappropriate implementation in Service Worker API | Medium |
| CVE-2022-0298 | Use after free in Scheduling | High |
| CVE-2022-0293 | Use after free in Web | High |
| CVE-2022-0291 | Inappropriate implementation in Storage | Medium |
| CVE-2022-0289 | Use after free in Safe browsing | High |
| CVE-2022-0117 | Policy bypass in Service Workers | Medium |
| CVE-2022-0116 | Inappropriate implementation in Compositing | Medium |
| CVE-2022-0113 | Inappropriate implementation in Blink | Medium |
| CVE-2022-0111 | Inappropriate implementation in Navigation | Medium |
| CVE-2022-0109 | Inappropriate implementation in Autofill | Medium |
| CVE-2022-0108 | Inappropriate implementation in Navigation | Medium |
| CVE-2022-0104 | Heap buffer overflow in ANGLE | High |
| CVE-2022-0103 | Use after free in SwiftShader | High |
| CVE-2022-0102 | Type Confusion in V8 | High |
| CVE-2022-0100 | Heap buffer overflow in Media streams API | High |

† LFS provides system expat, therefore the shipped version in qtwebengine is not used. See LFS Security Advisories SA 11.068 and the later SA 11.086 if you are using a version of LFS before 11.1, and ensure you have upgraded to at least expat-2.4.5.
comment:4 by , 3 years ago
| Resolution: | → fixed |
|---|---|
| Status: | assigned → closed |
The following CVEs are now listed at NVD: CVE-2022-0610, CVE-2022-0609, CVE-2022-0608, CVE-2022-0607, CVE-2022-0606, CVE-2022-0460, CVE-2022-0459, CVE-2022-0456 all rated as High.
CVE-2022-0461 is awaiting analysis.
Advisory SA 11.1-020 created.
Paid-for release happened today, so what is in 5.15 git is complete.