Opened 6 months ago

Closed 6 months ago

#22025 closed enhancement (fixed)

qt6-6.9.2 qtwebengine-6.9.2

Reported by: Bruce Dubbs Owned by: Douglas R. Reno
Priority: high Milestone: 12.4
Component: BOOK Version: git
Severity: critical Keywords:
Cc:

Description

New point version.

Change History (3)

comment:1 by Douglas R. Reno, 6 months ago

Priority: normal → high
Severity: normal → critical

The changes can be found at https://code.qt.io/cgit/qt/qtreleasenotes.git/about/qt/6.9.2/release-note.md

The two security issues mentioned in qtbase don't apply to us. The patch that's currently in BLFS 12.4 fixes CVE-2025-5992, and CVE-2025-6338 is Windows specific.

Now though we get to QtWebEngine. This is very serious, especially given the sandbox escape vulnerability which can significantly increase the impact of the vulnerabilities in this list. As an example, the sandbox escape vulnerability (CVE-2025-6558) could hypothetically allow CVE-2025-6554 to read a file from a user's system, or write one to an attacker controlled location. This combo is under active exploitation, and other distros such as Arch bumped their Qt packages to fix this in July.

QtWebEngine Security Fixes

  • CVE-2025-5283: Use after free in libvpx (Medium, heap corruption via a crafted HTML page)
  • CVE-2025-5281: Inappropriate implementation in BFCache (Medium, unauthorized user information disclosure via a crafted HTML page)
  • CVE-2025-5280: Out of bounds write in V8 (8.8 High, heap corruption leading to remote code execution via crafted HTML page according to writeup)
  • CVE-2025-5064: Inappropriate implementation in Background Fetch (Medium, cross-origin information leak)
  • CVE-2025-5065: Inappropriate implementation in FileSystemAccess API (Medium, UI Spoofing)
  • CVE-2025-5063: Use after free in Compositing (8.8 High, heap corruption leading to remote code execution via crafted HTML page according to writeup)
  • CVE-2025-8010: Type Confusion in V8 (8.8 High, RCE via heap corruption)
  • CVE-2025-6558: Incorrect validation of untrusted input in ANGLE and GPU (8.8 High, sandbox escape via crafted HTML page)
  • CVE-2025-7657: Use after free in WebRTC (8.8 High, RCE via heap corruption)
  • CVE-2025-7656: Integer overflow in V8 (8.8 High, RCE via heap corruption)
  • CVE-2025-6554: Type Confusion in V8 (8.8 High, arbitrary file read/write via a crafted HTML page)
  • CVE-2025-6557: Insufficient data validation in DevTools (Medium, allows attackers to trick users into executing arbitrary code when in the developer tools)
  • CVE-2025-6556: Insufficient policy enforcement in Loader (Medium, content security policy bypass)
  • CVE-2025-6192: Use after free in Profiler (8.8 High, RCE via heap corruption)
  • CVE-2025-6191: Integer overflow in V8 (8.8 High, out of bounds memory access via crafted HTML page)
  • CVE-2025-5068: Use after free in Blink (8.8 High, RCE via heap corruption)
  • CVE-2025-5419: Out of bounds read and write in V8 (8.8 High, RCE via heap corruption)
  • CVE-2025-8582: Insufficient validation of untrusted input in DOM (Medium, allows attackers to spoof the address bar)
  • CVE-2025-8580: Inappropriate implementation in Filesystems (Medium, UI spoofing)
  • CVE-2025-8578: Use after free in Cast (8.8 High, RCE via heap corruption)
  • CVE-2025-8576: Use after free in Extensions (8.8 High, RCE via crafted Chrome extension)

In total, we have:

  • Medium rating vulnerabilities
  • High rating vulnerabilities
  • 1 Sandbox Escape
  • 1 Unauthorized User Information Disclosure
  • 1 Cross origin information leak
  • 12 Remote Code Execution
  • 3 UI Spoofing
  • 1 Arbitrary File Read/Write
  • 1 Arbitrary Code Execution
  • 1 Content Security Policy Bypass

21 total vulnerabilities

I want to again re-emphasize CVE-2025-6558. This vulnerability is being actively exploited in the wild, and in our case we are severely vulnerable when using Falkon or other qtwebengine users such as khelpcenter. CVE-2025-6558 significantly increases the severity of the 12 remote code execution vulnerabilities, the arbitrary file read/write vulnerability, and the arbitrary code execution vulnerability... and can be exploited by visiting a crafted webpage or viewing crafted content, such as an advertisement or multimedia. https://thehackernews.com/2025/07/urgent-google-releases-critical-chrome.html is an article relating to that. Breaking out of the sandbox rips away most of the security layer that prevents vulnerabilities from damaging the underlying system. CVE-2025-6554 (the arbitrary file read/write vulnerability) is also known to be under active exploitation. https://thehackernews.com/2025/07/google-patches-critical-zero-day-flaw.html

It's worth noting as well that Arch bumped their version of Chromium for QtWebEngine on July 22nd to resolve several of these vulnerabilities as they get chained together.

I'm not entirely sure what to do about this. It can lead to severe consequences if the exploit chain occurs on a system running Falkon, and potentially in khelpcenter too if you somehow get a malicious HTML file to read through its Online Help feature, which does connect to the internet and spins up its own browser context. I don't know exactly how Plasma uses it, but kdeplasma-addons and plasma-nm use it.

Still though, if we update Qt6, we would need to retag:

general/graphlib/poppler.xml:      <xref linkend="qt6"/>
general/sysutils/sysmon3.xml:      <xref linkend="qt6"/> (or qt5)
general/genutils/highlight.xml:      <xref linkend="qt6"/> (to build the GUI front-end)
general/genutils/graphviz.xml:      <xref linkend="qt6"/>, and
general/genlib/qca.xml:    <xref linkend="qt6"/>, and
general/genlib/appstream.xml:      <xref linkend="qt6"/>,
general/genlib/qcoro.xml:      <xref linkend="qt6"/>
general/genlib/libportal.xml:      <xref linkend="qt6"/>, and
general/prog/cmake.xml:      <xref linkend="qt6"/> (for the Qt-based GUI),
general/prog/doxygen.xml:      <xref linkend="qt6"/> (for doxywizard)
kde/extra-cmake-modules.xml:      <xref linkend="qt6"/>
kde/polkit-qt.xml:      <xref linkend="qt6"/>
kde/phonon.xml:      <xref linkend="qt6"/>
lxqt/desktop/libqtxdg.xml:      <xref linkend="qt6"/>
lxqt/desktop/libfm-qt.xml:      <xref linkend="qt6"/>
lxqt/desktop/obconf-qt.xml:      <xref linkend="qt6"/>
lxqt/desktop/lxqt-kwayland.xml:      <xref linkend="qt6"/>
lxqt/desktop/lxqt-libkscreen.xml:      <xref linkend="qt6"/> 
lxqt/desktop/lxqt-kconfig.xml:      <xref linkend="qt6"/>
lxqt/desktop/lxqt-kwindowsystem.xml:      <xref linkend="qt6"/>
lxqt/desktop/lxqt-build-tools.xml:      <xref linkend="qt6"/>
lxqt/desktop/lxqt-layer-shell.xml:      <xref linkend="qt6"/> 
lxqt/desktop/lxqt-kidletime.xml:      <xref linkend="qt6"/>
lxqt/desktop/lxqt-solid.xml:      <xref linkend="qt6"/>
lxqt/apps/qtermwidget.xml:      <xref linkend="qt6"/>
multimedia/libdriv/gst10-plugins-good.xml:      <xref linkend="qt6"/>,
multimedia/libdriv/mlt.xml:      <xref linkend='qt6'/>
multimedia/libdriv/v4l-utils.xml:      <xref linkend="qt6"/> (for qv4l2 and qvidcap),
multimedia/audioutils/audacious.xml:      <xref linkend="qt6"/> 
networking/netlibs/kdsoap.xml:      <xref linkend="qt6"/>
networking/netutils/wireshark.xml:      <xref linkend="qt6"/>, and
x/lib/kcolorpicker.xml:      <xref linkend="qt6"/>
x/lib/qtwebengine.xml:      <xref linkend='qt6'/> 
x/dm/sddm.xml:      <xref linkend="qt6"/>
x/icons/oxygen-icons.xml:      <xref linkend="qt6"/>
x/icons/breeze-icons.xml:      <xref linkend="qt6"/>
xsoft/other/transmission.xml:      <xref linkend="qt6"/>
xsoft/office/libreoffice.xml:      <xref linkend="qt6"/>

That includes LXQt/KDE needing to be rebuilt and tested, which at this part of the cycle is harder for me to suggest. At the same time though, this is a very exceptional occasion.
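The two checks a builder would want from the comment above, as an added example that is not part of the ticket or the BLFS book: whether an installed Qt6/QtWebEngine is older than the 6.9.2 release named in the ticket title (plain string comparison gets 6.9.10 vs 6.9.2 wrong, hence sort -V), and which book pages cross-reference qt6 and would need a retag, matching both the linkend="qt6" and linkend='qt6' spellings that appear in the grep output. The Qt6WebEngineCore.pc pkg-config name, the qmake6 fallback and GNU/busybox sort -V are assumptions; the book tree it scans is a constructed sample so the script runs offline.

```shell
#!/bin/sh
# Added example, not BLFS book or ticket code.
# Assumes sort -V (GNU coreutils or busybox); pkg-config/qmake6 are probed, not required.

FIXED_QT_VERSION=6.9.2   # fixed release named in the ticket title

# version_lt A B: true when A sorts strictly before B in version order.
# String comparison alone would claim 6.9.10 < 6.9.2, so use sort -V.
version_lt() {
    [ "$1" != "$2" ] && \
    [ "$(printf '%s\n%s\n' "$1" "$2" | sort -V | head -n 1)" = "$1" ]
}

# needs_update INSTALLED [FIXED]: prints a verdict; exit 0 when an update is needed.
needs_update() {
    installed=$1
    fixed=${2:-$FIXED_QT_VERSION}
    if version_lt "$installed" "$fixed"; then
        echo "qt6 $installed is older than $fixed: update required"
        return 0
    fi
    echo "qt6 $installed is at or beyond $fixed"
    return 1
}

# installed_qt_version: probe the system; prints "unknown" when nothing is found.
# Qt6WebEngineCore.pc is an assumed module name, qmake6 the assumed fallback.
installed_qt_version() {
    v=$(pkg-config --modversion Qt6WebEngineCore 2>/dev/null) \
      || v=$(qmake6 -query QT_VERSION 2>/dev/null) \
      || v=unknown
    printf '%s\n' "$v"
}

# qt6_dependents BOOKDIR: book XML files that cross-reference the qt6 page,
# in either quote style seen in the ticket's grep output.
qt6_dependents() {
    grep -rlE "linkend=[\"']qt6[\"']" "$1" | sort
}

# qt6_dependent_count BOOKDIR: number of pages that would need a retag.
qt6_dependent_count() {
    qt6_dependents "$1" | wc -l | tr -d ' '
}

# Constructed sample book tree (three fake pages) so the example runs offline.
SAMPLE_BOOK=$(mktemp -d)
trap 'rm -rf "$SAMPLE_BOOK"' EXIT
mkdir -p "$SAMPLE_BOOK/general/graphlib" "$SAMPLE_BOOK/x/lib" "$SAMPLE_BOOK/x/other"
printf '<para><xref linkend="qt6"/></para>\n' > "$SAMPLE_BOOK/general/graphlib/poppler.xml"
printf "<para><xref linkend='qt6'/></para>\n"  > "$SAMPLE_BOOK/x/lib/qtwebengine.xml"
printf '<para><xref linkend="qt5"/></para>\n' > "$SAMPLE_BOOK/x/other/qt5-only.xml"  # must not match

main() {
    echo "installed Qt6: $(installed_qt_version)"
    needs_update 6.9.1 || true          # older: update required
    needs_update 6.9.10 6.9.2 || true   # newer despite shorter string sort
    echo "pages to retag under $SAMPLE_BOOK:"
    qt6_dependents "$SAMPLE_BOOK"
}

main
```

Point qt6_dependents at a real checkout of the book instead of SAMPLE_BOOK to regenerate the retag list above; the version check only tells you whether the installed Qt predates the fix, not whether a particular CVE is reachable on your system, which depends on which QtWebEngine users (Falkon, khelpcenter, the Plasma pieces named above) are installed.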

comment:2 by Douglas R. Reno, 6 months ago

Milestone: 12.5 → 12.4
Owner: changed from blfs-book to Douglas R. Reno
Status: new → assigned

Given the severity of the security vulnerabilities here and the significant danger to users with QtWebEngine and Udisks especially, I have been tasked with doing these updates.

I will be rebuilding all dependents of them and reporting back with the status of them after they are tested. For Qt, this includes rebuilding and retesting all of LXQt and KDE Plasma. I will be doing these in a branch for review first before they get merged in.

Libreoffice, while not security related, will be updated as well because of the critical crash fix. It also has a fix in there which allows for characters to be un-bolded/italicized after they have been bolded or italicized.

comment:3 by Douglas R. Reno, 6 months ago

Resolution: fixed
Status: assigned → closed

Fixed at 256dbd440fc5f494a4f5293405bec41528b8386a

SA-12.3-101 issued
