Script 'mail_helper' called by obssrc Hello community, here is the log from the commit of package qt6-webengine for openSUSE:Factory checked in at 2022-04-05 19:55:39 ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Comparing /work/SRC/openSUSE:Factory/qt6-webengine (Old) and /work/SRC/openSUSE:Factory/.qt6-webengine.new.1900 (New) ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Package is "qt6-webengine" Tue Apr 5 19:55:39 2022 rev:7 rq:966962 version:6.2.4 Changes: -------- --- /work/SRC/openSUSE:Factory/qt6-webengine/qt6-webengine.changes 2022-03-29 18:15:14.635121737 +0200 +++ /work/SRC/openSUSE:Factory/.qt6-webengine.new.1900/qt6-webengine.changes 2022-04-05 19:56:12.285730985 +0200 @@ -1,0 +2,7 @@ +Mon Apr 4 20:41:16 UTC 2022 - Christophe Giboudeaux <christo...@krop.fr> + +- Add security fixes: + * CVE-2022-0971-qtwebengine-5.15.patch (CVE-2022-0971, boo#1197163) + * CVE-2022-1096-qtwebengine-6.2.patch (CVE-2022-1096, boo#1197552) + +------------------------------------------------------------------- New: ---- CVE-2022-0971-qtwebengine-5.15.patch CVE-2022-1096-qtwebengine-6.2.patch ++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++ Other differences: ------------------ ++++++ qt6-webengine.spec ++++++ --- /var/tmp/diff_new_pack.3NGx5B/_old 2022-04-05 19:56:14.589705297 +0200 +++ /var/tmp/diff_new_pack.3NGx5B/_new 2022-04-05 19:56:14.597705209 +0200 @@ -50,6 +50,8 @@ Source: https://download.qt.io/official_releases/qt/%{short_version}/%{real_version}%{tar_suffix}/submodules/%{tar_name}-%{real_version}%{tar_suffix}.tar.xz Source99: qt6-webengine-rpmlintrc # Patches 0-100 are upstream patches # +Patch0: CVE-2022-0971-qtwebengine-5.15.patch +Patch1: CVE-2022-1096-qtwebengine-6.2.patch # Patches 100-200 are openSUSE and/or non-upstream(able) patches # Patch100: rtc-dont-use-h264.patch Patch101: sandbox-statx-futex_time64.patch ++++++ CVE-2022-0971-qtwebengine-5.15.patch ++++++ >From d13d0924c4e18ecc4b79adf0fec142ee9a9eaa14 Mon Sep 17 00:00:00 2001 
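Review bot: The spec hunk declares `Patch0:` and `Patch1:` but the %prep section that applies them is outside the hunk, so it is not visible whether the two CVE fixes are actually applied. With `%autosetup -p1` nothing more is needed; with explicit `%patch` lines the package would list the fixes without building them, which is worth confirming once by checking that the new code (for example the `base::WeakPtr<RenderFrameHostImpl> current_rfh_` member) is present in the unpacked source. Minor: the file name `CVE-2022-0971-qtwebengine-5.15.patch` suggests a 5.15 backport being applied to the 6.2 package; the hunks only touch `src/3rdparty/chromium`, so that is plausible, but a short comment next to `Patch0:` saying it applies unchanged to 6.2 would save the next updater the question.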
From: "liber...@chromium.org" <liber...@chromium.org> Date: Mon, 7 Mar 2022 20:17:13 +0000 Subject: [Backport] CVE-2022-0971 Don't use a deleted RenderFrameHost. Since we do not check for frame liveness, a RenderFrameHost might be deleted (in the use-after-free sense) without another call to RenderFrameDeleted. So, WeakPtr it to avoid these cases. Bug: 1299422 Task-number: QTBUG-101946 Change-Id: Ie4fe85f88ef80f4e4c3d0452397c0e5050ed881c Reviewed-by: Allan Sandfeld Jensen <allan.jen...@qt.io> --- .../display_cutout/display_cutout_host_impl.cc | 29 +++++++++++++--------- .../display_cutout/display_cutout_host_impl.h | 10 ++++++-- 2 files changed, 25 insertions(+), 14 deletions(-) diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc index 1640ec83489..8f89cc24b5f 100644 --- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc +++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc @@ -5,6 +5,7 @@ #include "content/browser/display_cutout/display_cutout_host_impl.h" #include "content/browser/display_cutout/display_cutout_constants.h" +#include "content/browser/renderer_host/render_frame_host_impl.h" #include "content/browser/web_contents/web_contents_impl.h" #include "content/public/browser/navigation_handle.h" #include "mojo/public/cpp/bindings/associated_remote.h" @@ -33,7 +34,7 @@ void DisplayCutoutHostImpl::ViewportFitChangedForFrame( // If we are the current |RenderFrameHost| frame then notify // WebContentsObservers about the new value. - if (current_rfh_ == rfh) + if (current_rfh_.get() == rfh) web_contents_impl_->NotifyViewportFitChanged(value); MaybeQueueUKMEvent(rfh); 
@@ -60,7 +61,9 @@ void DisplayCutoutHostImpl::DidFinishNavigation( // If we finish a main frame navigation and the |WebDisplayMode| is // fullscreen then we should make the main frame the current - // |RenderFrameHost|. + // |RenderFrameHost|. Note that this is probably not correct; we do not check + // that the navigation completed successfully, nor do we check if the main + // frame is still IsRenderFrameLive(). blink::mojom::DisplayMode mode = web_contents_impl_->GetDisplayMode(); if (mode == blink::mojom::DisplayMode::kFullscreen) SetCurrentRenderFrameHost(web_contents_impl_->GetMainFrame()); @@ -70,7 +73,7 @@ void DisplayCutoutHostImpl::RenderFrameDeleted(RenderFrameHost* rfh) { values_.erase(rfh); // If we were the current |RenderFrameHost| then we should clear that. - if (current_rfh_ == rfh) + if (current_rfh_.get() == rfh) SetCurrentRenderFrameHost(nullptr); } @@ -87,7 +90,7 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) { insets_ = insets; if (current_rfh_) - SendSafeAreaToFrame(current_rfh_, insets); + SendSafeAreaToFrame(current_rfh_.get(), insets); // If we have a pending UKM event on the top of the stack that is |kAllowed| // and we have a |current_rfh_| then we should update that UKM event as it 
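Review bot: The new comment in DidFinishNavigation admits that neither a committed navigation nor `IsRenderFrameLive()` is checked, but the backport leaves the code unchanged, so a failed or aborted main-frame navigation while fullscreen still promotes `GetMainFrame()` to the current frame. The WeakPtr now stops that from becoming a dangling dereference, but the guard the comment asks for is cheap: assuming the parameter is the `NavigationHandle*` of the WebContentsObserver signature (the file includes navigation_handle.h), `if (!navigation_handle->HasCommitted()) return;` before reading the display mode, and `RenderFrameHost* main_frame = web_contents_impl_->GetMainFrame(); if (main_frame && main_frame->IsRenderFrameLive()) SetCurrentRenderFrameHost(main_frame);` in place of the unconditional call. If this is deliberately kept minimal for a security backport, the comment should say so rather than "probably not correct". DidFinishNavigation's signature and the start of its body are outside the hunk.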
@@ -100,26 +103,28 @@ void DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) { } void DisplayCutoutHostImpl::SetCurrentRenderFrameHost(RenderFrameHost* rfh) { - if (current_rfh_ == rfh) + if (current_rfh_.get() == rfh) return; // If we had a previous frame then we should clear the insets on that frame. if (current_rfh_) - SendSafeAreaToFrame(current_rfh_, gfx::Insets()); - - // Update the |current_rfh_| with the new frame. - current_rfh_ = rfh; + SendSafeAreaToFrame(current_rfh_.get(), gfx::Insets()); // If the new RenderFrameHost is nullptr we should stop here and notify // observers that the new viewport fit is kAuto (the default). if (!rfh) { + current_rfh_ = nullptr; web_contents_impl_->NotifyViewportFitChanged( blink::mojom::ViewportFit::kAuto); return; } + + // Update the |current_rfh_| with the new frame. + current_rfh_ = static_cast<RenderFrameHostImpl*>(rfh)->GetWeakPtr(); + // Record a UKM event for the new frame. - MaybeQueueUKMEvent(current_rfh_); + MaybeQueueUKMEvent(current_rfh_.get()); // Send the current safe area to the new frame. SendSafeAreaToFrame(rfh, insets_); @@ -159,11 +164,11 @@ void DisplayCutoutHostImpl::MaybeQueueUKMEvent(RenderFrameHost* frame) { blink::mojom::ViewportFit supplied_value = GetValueOrDefault(frame); if (supplied_value == blink::mojom::ViewportFit::kAuto) return; - blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_); + blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_.get()); // Set the reason why this frame is not the current frame. int ignored_reason = DisplayCutoutIgnoredReason::kAllowed; - if (current_rfh_ != frame) { + if (current_rfh_.get() != frame) { ignored_reason = current_rfh_ == nullptr ? DisplayCutoutIgnoredReason::kWebContentsNotFullscreen 
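Review bot: In SetCurrentRenderFrameHost the early return `if (current_rfh_.get() == rfh) return;` now treats an invalidated WeakPtr exactly like a never-set one. In the case the commit message describes — the frame destroyed without RenderFrameDeleted — `current_rfh_.get()` is already nullptr, so a later `SetCurrentRenderFrameHost(nullptr)` (for example on leaving fullscreen) returns before `NotifyViewportFitChanged(kAuto)` and observers keep the stale viewport-fit value. One option is `if (rfh && current_rfh_.get() == rfh) return;`, letting every null reset fall through to the notification; that also emits kAuto on repeated null resets, which looks harmless from this hunk but is a behavior change to confirm against the callers. Skipping `SendSafeAreaToFrame` on the old frame in that case is fine, since the frame no longer exists.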
diff --git a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h index 56081029df0..2477a4bcd7d 100644 --- a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h +++ b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h @@ -5,12 +5,15 @@ #ifndef CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_ #define CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_ +#include "base/memory/weak_ptr.h" #include "content/public/browser/web_contents_observer.h" #include "content/public/browser/web_contents_receiver_set.h" #include "third_party/blink/public/mojom/page/display_cutout.mojom.h" namespace content { +class RenderFrameHostImpl; + class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost { public: explicit DisplayCutoutHostImpl(WebContentsImpl*); @@ -74,8 +77,11 @@ class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost { gfx::Insets insets_; // Stores the current |RenderFrameHost| that has the applied safe area insets - // and is controlling the viewport fit value. - RenderFrameHost* current_rfh_ = nullptr; + // and is controlling the viewport fit value. This value is different than + // `WebContentsImpl::current_fullscreen_frame_` because it also considers + // browser side driven fullscreen mode, not just renderer side requested + // frames. + base::WeakPtr<RenderFrameHostImpl> current_rfh_; // Stores a map of RenderFrameHosts and their current viewport fit values. std::map<RenderFrameHost*, blink::mojom::ViewportFit> values_; -- cgit v1.2.1 ++++++ CVE-2022-1096-qtwebengine-6.2.patch ++++++ From: Allan Sandfeld Jensen <allan.jen...@qt.io> Date: Tue, 29 Mar 2022 17:31:58 +0200 Subject: [Backport] CVE-2022-1096 [runtime] Fix handling of interceptors --- a/src/3rdparty/chromium/v8/src/objects/objects.cc +++ b/src/3rdparty/chromium/v8/src/objects/objects.cc 
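Review bot: `values_`, declared right below the new WeakPtr member in this hunk, is still a `std::map<RenderFrameHost*, ...>` keyed on the raw pointer, and the lifetime problem the commit message describes — a RenderFrameHost destroyed without a RenderFrameDeleted() call — applies to it as well. The stale key is never dereferenced, but a RenderFrameHost later allocated at the same address would inherit the old entry's ViewportFit through GetValueOrDefault, and entries accumulate until RenderFrameDeleted happens to fire. Keying the map by the frame's process-id/routing-id pair, or pruning entries whose frame is no longer live, would close that; I can't tell from this hunk whether another path already clears the map. The new member comment explains what the value means but not why it is weak; add `// Weak: the frame can be destroyed without a RenderFrameDeleted() call (crbug.com/1299422), so callers must re-check .get() every time.`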
@@ -2513,6 +2513,12 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it, Maybe<bool> result = JSObject::SetPropertyWithInterceptor(it, should_throw, value); if (result.IsNothing() || result.FromJust()) return result; + // Assuming that the callback have side effects, we use + // Object::SetSuperProperty() which works properly regardless on + // whether the property was present on the receiver or not when + // storing to the receiver. + // Proceed lookup from the next state. + it->Next(); } else { Maybe<PropertyAttributes> maybe_attributes = JSObject::GetPropertyAttributesWithInterceptor(it); @@ -2533,10 +2539,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* it, // property to the receiver. it->NotFound(); } - return Object::SetSuperProperty(it, value, store_origin, - should_throw); } - break; + return Object::SetSuperProperty(it, value, store_origin, should_throw); } case LookupIterator::ACCESSOR: {
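Review bot: The comment added above `it->Next()` in the receiver-or-hidden-prototype branch is copied from the `else` branch and does not say what changed here: as I read it, a declined `SetPropertyWithInterceptor` used to `break` out of the switch and let the enclosing lookup carry on, whereas now the iterator is advanced and the store is handed to `Object::SetSuperProperty` on the shared return line. The reason that matters is that the interceptor callback can run arbitrary embedder or JS code, so whatever the lookup knew about the receiver before the call can no longer be trusted; that rationale belongs in the comment, for example `// The interceptor declined the store and its callback may have modified the receiver; do not continue this lookup from stale state — step past the interceptor and let SetSuperProperty redo the store.` If the original wording is kept, `callback have` should be `callbacks have`. The backport carries no regression test; if the upstream fix had one it should be cherry-picked alongside. The enclosing `switch` and `SetPropertyInternal` begin before the hunk.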