Opened 11 months ago

Closed 11 months ago

Last modified 9 months ago

#21341 closed enhancement (fixed)

qt6-6.8.3 qtwebengine-6.8.3

Reported by: Bruce Dubbs Owned by: Bruce Dubbs
Priority: high Milestone: 12.4
Component: BOOK Version: git
Severity: critical Keywords:
Cc:

Description

New point version.

Change History (5)

comment:1 by Bruce Dubbs, 11 months ago

Owner: changed from blfs-book to Bruce Dubbs
Status: newassigned

comment:2 by Douglas R. Reno, 11 months ago

Priority: normalhigh
Severity: normalcritical

The great news is that Qt6 itself doesn't have any security fixes.

QtWebEngine on the other hand though is always a different story.

QtWebEngine

  • CVE-2024-11477: 7.8 High, it's a vulnerability in the bundled 7zip code that allows for remote code execution
  • CVE-2025-1426: Heap buffer overflow in GPU - RCE (8.8 High)
  • CVE-2025-1006: Use after free in Network - RCE (8.8 High)
  • CVE-2025-0999: Heap buffer overflow in V8 - RCE (8.8 High)
  • CVE-2025-0996: Inappropriate implementation in Browser UI - UI Spoofing (5.4 Medium)
  • CVE-2025-0998: Out of bounds memory access in V8 - Arbitrary Code Execution and Sandbox Escape (9.6 Critical)
  • CVE-2025-0762: Use after free in DevTools - RCE (8.8 High)
  • CVE-2025-1919: Out of bounds read in Media - RCE (8.8 High)
  • CVE-2025-1921: Inappropriate implementation in Media Stream - Sensitive System Data Exfiltration (6.5 Medium)
  • CVE-2025-1918: Out of bounds read in PDFium - RCE (8.8 High)
  • CVE-2025-24201: Sandbox escape - known to be exploited in the wild, same as WebKit. 8.8 High
  • CVE-2025-2136: Use after free in Inspector - RCE (8.8 High)

This update should be done ASAP

comment:4 by Bruce Dubbs, 11 months ago

Resolution: fixed
Status: assignedclosed

Fixed at commit f864d5e6ba.

comment:5 by Douglas R. Reno, 9 months ago

SA-12.3-012 issued for QtWebEngine

Note: See TracTickets for help on using tickets.