Opened 6 months ago

Closed 6 months ago

Last modified 6 months ago

#20454 closed enhancement (fixed)

qt6-6.7.3 qtwebengine-6.7.3

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: high Milestone: 12.3
Component: BOOK Version: git
Severity: normal Keywords:
Cc:

Description

New point version.

Change History (7)

comment:1 by Bruce Dubbs, 6 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:2 by Bruce Dubbs, 6 months ago 

diff --git a/qt/6.7.3/release-note.md b/qt/6.7.3/release-note.md
index 2db6bbc..061a6da 100644
--- a/qt/6.7.3/release-note.md
+++ b/qt/6.7.3/release-note.md
@@ -31,6 +31,9 @@ https://doc.qt.io/qt-6/portingguide.html
 Important Changes
 -----------------
 
+### Security fixes
+* CVE-2024-39936 in qtbase
+
 ### qtbase
 * c794263de0b Update public suffix list
 Updated the public suffix list to upstream SHA
@@ -952,6 +955,16 @@ package "Qt6InsightTracker"  is considered to be NOT FOUND
 Known Issues
 
+* Check that your system meets Qt's requirements:
+https://doc.qt.io/qt-6.7/supported-platforms.html
+* RTA reported issues from Qt 6.7
+https://bugreports.qt.io/issues/?filter=25756
+* See Qt 6.7 known issues from:
+https://wiki.qt.io/Qt_6.7_Known_Issues
+* Qt 6.7.3 Open issues in Jira:
+https://bugreports.qt.io/issues/?filter=26522

comment:3 by Bruce Dubbs, 6 months ago

Resolution: fixed
Status: assignedclosed

Fixed at commits 

253ae3ffd8 Update to LibRaw-0.21.3.
a67b4d72a3 Update to bluefish-2.2.16.
e25267094d Update to git-2.46.2.
dabc860d61 Update to fribidi-1.0.16.
ac4cf9a4eb Update to glslang-15.0.0.
3a910c72d2 Update to php-8.3.12.
84e1f8f4da Update to qt6 and QtWebEngine-6.7.3

comment:4 by Douglas R. Reno, 6 months ago

SA-12.2-016 issued for Qt6. Now off to QtWebEngine...

comment:5 by Douglas R. Reno, 6 months ago

Priority: normalhigh

comment:6 by Douglas R. Reno, 6 months ago

QtWebEngine has a lot of vulnerability fixes from upstream Chromium this time around. Let's document them...

  • CVE-2024-7532: Out of bounds memory access in ANGLE (Critical, RCE)
  • CVE-2024-7550: Type Confusion in V8 (High, RCE)
  • CVE-2024-7536: Use after free in WebAudio (High, RCE)
  • CVE-2024-7535: Inappropriate implementation in V8 (High, RCE)
  • CVE-2024-6996: Race in Frames (Low, UI Spoofing)
  • CVE-2024-7000: Use after free in CSS (High, RCE)
  • CVE-2024-6999: Inappropriate implementation in FedCM (Medium, UI Spoofing)
  • CVE-2024-6992: Out of bounds memory access in ANGLE (High, RCE)
  • CVE-2024-6991: Use after free in Dawn (High, RCE)
  • CVE-2024-6989: Use after free in Loader (High, RCE)
  • CVE-2024-6779: Out of bounds memory access in V8 (High, sandbox escape)
  • CVE-2024-6777: Use after free in Navigation (High, RCE via malicious extension)
  • CVE-2024-6774: Use after free in Screen Capture (High, RCE)
  • CVE-2024-6101: Inappropriate implementation in WebAssembly (High, Information Disclosure and RCE)
  • CVE-2024-6103: Use after free in Dawn (High, RCE)
  • CVE-2024-5836: Inappropriate Implementation in DevTools (High, RCE via malicious extension)
  • CVE-2024-6291: Use after free in Swiftshader (High, RCE and Remote DoS)
  • CVE-2024-6293: Use after free in Dawn (High, RCE)
  • CVE-2024-6292: Use after free in Dawn (High, RCE)
  • CVE-2024-6290: Use after free in Dawn (High, RCE)
  • CVE-2024-5840: Policy Bypass in CORS (Medium, policy bypass)
  • CVE-2024-5841: Use after free in V8 (High, RCE)
  • CVE-2024-5845: Use after free in Audio (High, RCE via malicious PDF file)
  • CVE-2024-5847: Use after free in PDFium (High, RCE via malicious PDF file)
  • CVE-2024-5846: Use after free in PDFium (High, RCE via malicious PDF file)
  • CVE-2024-5831: Use after free in Dawn (High, RCE)
  • CVE-2024-5832: Use after free in Dawn (High, RCE)
  • CVE-2024-8362: Use after free in WebAudio (High, RCE)
  • CVE-2024-8198: Heap buffer overflow in Skia (High, RCE)
  • CVE-2024-8193: Heap buffer overflow in Skia (High, RCE)
  • CVE-2024-7969: Type Confusion in V8 (High, RCE)
  • CVE-2024-7972: Inappropriate implementation in V8 (High, RCE and Information Disclosure)
  • CVE-2024-7974: Insufficient data validation in V8 API (High, RCE via malicious Chrome extension)
  • CVE-2024-7975: Inappropriate implementation in Permissions (Medium, UI Spoofing)
  • CVE-2024-7966: Out of bounds memory access in Skia (High, RCE and Information Disclosure)
  • CVE-2024-7973: Heap buffer overflow in PDFium (High, information disclosure via crafted PDF file)
  • CVE-2024-7967: Heap buffer overflow in Fonts (High, RCE)
  • CVE-2024-7971: Type confusion in V8 (High, RCE)
  • CVE-2024-7965: Inappropriate implementation in V8 (High, RCE)
  • CVE-2024-8636: Heap buffer overflow in Skia (High, RCE)
  • CVE-2024-8905: Inappropriate implementation in V8 (Medium, remote DoS)
  • CVE-2024-5160: Heap buffer overflow in Dawn (High, RCE)
  • CVE-2024-5159: Heap buffer overflow in ANGLE (High, RCE)
  • CVE-2024-5158: Type Confusion in V8 (High, arbitrary file read/write)
  • CVE-2024-5157: Use after free in Scheduling (High, RCE inside of sandbox)

comment:7 by Douglas R. Reno, 6 months ago

SA-12.2-017 issued for QtWebEngine

Note: See TracTickets for help on using tickets.