Hello community,

here is the log from the commit of package libqt5-qtwebengine for 
openSUSE:Factory checked in at 2022-04-08 00:26:31
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
Comparing /work/SRC/openSUSE:Factory/libqt5-qtwebengine (Old)
 and      /work/SRC/openSUSE:Factory/.libqt5-qtwebengine.new.1900 (New)
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Package is "libqt5-qtwebengine"

Fri Apr  8 00:26:31 2022 rev:77 rq:966883 version:5.15.8

Changes:
--------
--- /work/SRC/openSUSE:Factory/libqt5-qtwebengine/libqt5-qtwebengine.changes    
2022-03-28 17:01:13.085022919 +0200
+++ 
/work/SRC/openSUSE:Factory/.libqt5-qtwebengine.new.1900/libqt5-qtwebengine.changes
  2022-04-08 00:26:33.983098299 +0200
@@ -1,0 +2,7 @@
+Mon Apr  4 19:25:12 UTC 2022 - Christophe Giboudeaux <christo...@krop.fr>
+
+- Add security fixes:
+  * CVE-2022-0971-qtwebengine-5.15.patch (CVE-2022-0971, boo#1197163)
+  * CVE-2022-1096-qtwebengine-5.15.patch (CVE-2022-1096, boo#1197552)
+
+-------------------------------------------------------------------

New:
----
  CVE-2022-0971-qtwebengine-5.15.patch
  CVE-2022-1096-qtwebengine-5.15.patch

++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

Other differences:
------------------
++++++ libqt5-qtwebengine.spec ++++++
--- /var/tmp/diff_new_pack.F6CHVi/_old  2022-04-08 00:26:36.655068310 +0200
+++ /var/tmp/diff_new_pack.F6CHVi/_new  2022-04-08 00:26:36.659068265 +0200
@@ -49,6 +49,10 @@
 Patch3:         rtc-dont-use-h264.patch
 # PATCH-FIX-UPSTREAM
 Patch4:         0001-skia-Some-includes-to-fix-build-with-GCC-12.patch
+# PATCH-FIX-UPSTREAM
+Patch5:         CVE-2022-0971-qtwebengine-5.15.patch
+# PATCH-FIX-UPSTREAM
+Patch6:         CVE-2022-1096-qtwebengine-5.15.patch
 # http://www.chromium.org/blink is not ported to PowerPC & s390
 ExcludeArch:    ppc ppc64 ppc64le s390 s390x
 # Try to fix i586 MemoryErrors with rpmlint
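Review bot: Patch5 and Patch6 are declared here but nothing in this hunk applies them; unless %prep uses `%autosetup -p1` (or `%autopatch`) further down the spec, they also need explicit `%patch5 -p1` / `%patch6 -p1` lines, otherwise the two CVE fixes are listed but never reach the build. The %prep section is outside this hunk, so this may already be handled. The bare `# PATCH-FIX-UPSTREAM` tags would also serve a later maintainer better if they carried the reference the changelog already has, e.g. `# PATCH-FIX-UPSTREAM CVE-2022-0971 boo#1197163 -- Don't use a deleted RenderFrameHost`.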

++++++ CVE-2022-0971-qtwebengine-5.15.patch ++++++
>From d13d0924c4e18ecc4b79adf0fec142ee9a9eaa14 Mon Sep 17 00:00:00 2001
From: "liber...@chromium.org" <liber...@chromium.org>
Date: Mon, 7 Mar 2022 20:17:13 +0000
Subject: [Backport] CVE-2022-0971

Don't use a deleted RenderFrameHost.

Since we do not check for frame liveness, a RenderFrameHost might be
deleted (in the use-after-free sense) without another call to
RenderFrameDeleted.  So, WeakPtr it to avoid these cases.

Bug: 1299422

Task-number: QTBUG-101946
Change-Id: Ie4fe85f88ef80f4e4c3d0452397c0e5050ed881c
Reviewed-by: Allan Sandfeld Jensen <allan.jen...@qt.io>
---
 .../display_cutout/display_cutout_host_impl.cc     | 29 +++++++++++++---------
 .../display_cutout/display_cutout_host_impl.h      | 10 ++++++--
 2 files changed, 25 insertions(+), 14 deletions(-)

diff --git 
a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
 
b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
index 1640ec83489..8f89cc24b5f 100644
--- 
a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
+++ 
b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.cc
@@ -5,6 +5,7 @@
 #include "content/browser/display_cutout/display_cutout_host_impl.h"
 
 #include "content/browser/display_cutout/display_cutout_constants.h"
+#include "content/browser/renderer_host/render_frame_host_impl.h"
 #include "content/browser/web_contents/web_contents_impl.h"
 #include "content/public/browser/navigation_handle.h"
 #include "mojo/public/cpp/bindings/associated_remote.h"
@@ -33,7 +34,7 @@ void DisplayCutoutHostImpl::ViewportFitChangedForFrame(
 
   // If we are the current |RenderFrameHost| frame then notify
   // WebContentsObservers about the new value.
-  if (current_rfh_ == rfh)
+  if (current_rfh_.get() == rfh)
     web_contents_impl_->NotifyViewportFitChanged(value);
 
   MaybeQueueUKMEvent(rfh);
@@ -60,7 +61,9 @@ void DisplayCutoutHostImpl::DidFinishNavigation(
 
   // If we finish a main frame navigation and the |WebDisplayMode| is
   // fullscreen then we should make the main frame the current
-  // |RenderFrameHost|.
+  // |RenderFrameHost|.  Note that this is probably not correct; we do not 
check
+  // that the navigation completed successfully, nor do we check if the main
+  // frame is still IsRenderFrameLive().
   blink::mojom::DisplayMode mode = web_contents_impl_->GetDisplayMode();
   if (mode == blink::mojom::DisplayMode::kFullscreen)
     SetCurrentRenderFrameHost(web_contents_impl_->GetMainFrame());
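Review bot: The new comment states that this code is "probably not correct" but gives no rationale for leaving it that way, so it reads as an open bug rather than a known, accepted gap; a TODO tied to the tracked issue makes it actionable, e.g. `// TODO(crbug.com/1299422): check NavigationHandle::HasCommitted() and IsRenderFrameLive() before promoting the main frame.` If the intent is that the WeakPtr now makes the missing liveness check safe (a destroyed frame yields a null pointer instead of a dangling one, which is the UAF this backport fixes), say so explicitly in the same comment. DidFinishNavigation() begins and ends outside this hunk.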
@@ -70,7 +73,7 @@ void 
DisplayCutoutHostImpl::RenderFrameDeleted(RenderFrameHost* rfh) {
   values_.erase(rfh);
 
   // If we were the current |RenderFrameHost| then we should clear that.
-  if (current_rfh_ == rfh)
+  if (current_rfh_.get() == rfh)
     SetCurrentRenderFrameHost(nullptr);
 }
 
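Review bot: `if (current_rfh_.get() == rfh)` no longer covers the situation the commit description is guarding against: if the frame's WeakPtrs have already been invalidated by the time RenderFrameDeleted() runs, `.get()` yields nullptr, the branch is skipped, and the `NotifyViewportFitChanged(kAuto)` that SetCurrentRenderFrameHost(nullptr) would issue never fires — nor can it be issued later through that function, whose first check (`current_rfh_.get() == rfh`) returns early on null == null. Whether invalidation can precede this callback depends on RenderFrameHostImpl's teardown order, which is not visible here, so this may be theoretical; if it is reachable, the kAuto notification should be sent directly here when `!current_rfh_`. At minimum document it: `// If the WeakPtr was already invalidated, .get() is null here and observers are not reset to kAuto.` RenderFrameDeleted() starts outside this hunk.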
@@ -87,7 +90,7 @@ void 
DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
   insets_ = insets;
 
   if (current_rfh_)
-    SendSafeAreaToFrame(current_rfh_, insets);
+    SendSafeAreaToFrame(current_rfh_.get(), insets);
 
   // If we have a pending UKM event on the top of the stack that is |kAllowed|
   // and we have a |current_rfh_| then we should update that UKM event as it
@@ -100,26 +103,28 @@ void 
DisplayCutoutHostImpl::SetDisplayCutoutSafeArea(gfx::Insets insets) {
 }
 
 void DisplayCutoutHostImpl::SetCurrentRenderFrameHost(RenderFrameHost* rfh) {
-  if (current_rfh_ == rfh)
+  if (current_rfh_.get() == rfh)
     return;
 
   // If we had a previous frame then we should clear the insets on that frame.
   if (current_rfh_)
-    SendSafeAreaToFrame(current_rfh_, gfx::Insets());
-
-  // Update the |current_rfh_| with the new frame.
-  current_rfh_ = rfh;
+    SendSafeAreaToFrame(current_rfh_.get(), gfx::Insets());
 
   // If the new RenderFrameHost is nullptr we should stop here and notify
   // observers that the new viewport fit is kAuto (the default).
   if (!rfh) {
+    current_rfh_ = nullptr;
     web_contents_impl_->NotifyViewportFitChanged(
         blink::mojom::ViewportFit::kAuto);
     return;
   }
 
+
+  // Update the |current_rfh_| with the new frame.
+  current_rfh_ = static_cast<RenderFrameHostImpl*>(rfh)->GetWeakPtr();
+
   // Record a UKM event for the new frame.
-  MaybeQueueUKMEvent(current_rfh_);
+  MaybeQueueUKMEvent(current_rfh_.get());
 
   // Send the current safe area to the new frame.
   SendSafeAreaToFrame(rfh, insets_);
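Review bot: Two consecutive blank lines now follow the `if (!rfh)` block (the context blank line plus the added one), which clang-format would collapse; drop the added blank so that `// Update the |current_rfh_| with the new frame.` sits after a single empty line. The `static_cast<RenderFrameHostImpl*>(rfh)` downcast is the usual content/ idiom and is fine assuming, as elsewhere in content/, that every RenderFrameHost is a RenderFrameHostImpl, but it depends on the `!rfh` early return staying ahead of it — worth a one-line comment, `// rfh is non-null here; see the early return above.` SetCurrentRenderFrameHost() continues past the end of this hunk.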
@@ -159,11 +164,11 @@ void 
DisplayCutoutHostImpl::MaybeQueueUKMEvent(RenderFrameHost* frame) {
   blink::mojom::ViewportFit supplied_value = GetValueOrDefault(frame);
   if (supplied_value == blink::mojom::ViewportFit::kAuto)
     return;
-  blink::mojom::ViewportFit applied_value = GetValueOrDefault(current_rfh_);
+  blink::mojom::ViewportFit applied_value = 
GetValueOrDefault(current_rfh_.get());
 
   // Set the reason why this frame is not the current frame.
   int ignored_reason = DisplayCutoutIgnoredReason::kAllowed;
-  if (current_rfh_ != frame) {
+  if (current_rfh_.get() != frame) {
     ignored_reason =
         current_rfh_ == nullptr
             ? DisplayCutoutIgnoredReason::kWebContentsNotFullscreen
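Review bot: `current_rfh_ == nullptr` in the ternary relies on base::WeakPtr's nullptr comparison while the line two above (`current_rfh_.get() != frame`) and the other tests in this file (`if (current_rfh_)`) use the raw pointer or the explicit bool; one spelling for all three tests of the same member is easier to audit, e.g. `!current_rfh_`. Behaviour is identical either way. MaybeQueueUKMEvent() continues outside this hunk.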
diff --git 
a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
 
b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
index 56081029df0..2477a4bcd7d 100644
--- 
a/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
+++ 
b/src/3rdparty/chromium/content/browser/display_cutout/display_cutout_host_impl.h
@@ -5,12 +5,15 @@
 #ifndef CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
 #define CONTENT_BROWSER_DISPLAY_CUTOUT_DISPLAY_CUTOUT_HOST_IMPL_H_
 
+#include "base/memory/weak_ptr.h"
 #include "content/public/browser/web_contents_observer.h"
 #include "content/public/browser/web_contents_receiver_set.h"
 #include "third_party/blink/public/mojom/page/display_cutout.mojom.h"
 
 namespace content {
 
+class RenderFrameHostImpl;
+
 class DisplayCutoutHostImpl : public blink::mojom::DisplayCutoutHost {
  public:
   explicit DisplayCutoutHostImpl(WebContentsImpl*);
@@ -74,8 +77,11 @@ class DisplayCutoutHostImpl : public 
blink::mojom::DisplayCutoutHost {
   gfx::Insets insets_;
 
   // Stores the current |RenderFrameHost| that has the applied safe area insets
-  // and is controlling the viewport fit value.
-  RenderFrameHost* current_rfh_ = nullptr;
+  // and is controlling the viewport fit value. This value is different than
+  // `WebContentsImpl::current_fullscreen_frame_` because it also considers
+  // browser side driven fullscreen mode, not just renderer side requested
+  // frames.
+  base::WeakPtr<RenderFrameHostImpl> current_rfh_;
 
   // Stores a map of RenderFrameHosts and their current viewport fit values.
   std::map<RenderFrameHost*, blink::mojom::ViewportFit> values_;
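Review bot: The member comment explains how `current_rfh_` differs from `WebContentsImpl::current_fullscreen_frame_` but not why it became a `base::WeakPtr`, which is the point of this change; without the rationale a later cleanup could turn it back into a raw pointer and reintroduce the dangling reference. Add the reason from the commit message next to the declaration, e.g. `// Held as a WeakPtr: the frame can be destroyed without a matching RenderFrameDeleted() call (bug 1299422), so a raw pointer could dangle.` The class body continues outside this hunk.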
-- 
cgit v1.2.1


++++++ CVE-2022-1096-qtwebengine-5.15.patch ++++++
>From abb5119d0f307f7f98e59a5f3ee9872f3d286b37 Mon Sep 17 00:00:00 2001
From: Allan Sandfeld Jensen <allan.jen...@qt.io>
Date: Tue, 29 Mar 2022 17:31:58 +0200
Subject: [Backport] CVE-2022-1096

[runtime] Fix handling of interceptors

Change-Id: I36b218f25c0dff6f5a39931e7536c6588ff46eef
Reviewed-by: Igor Sheludko <ish...@chromium.org>
(cherry picked from commit b85cb23217f629522702c19381db9c65accc1fba)
Reviewed-by: Michal Klocek <michal.klo...@qt.io>
---
 chromium/v8/src/objects/objects.cc | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/src/3rdparty/chromium/v8/src/objects/objects.cc 
b/src/3rdparty/chromium/v8/src/objects/objects.cc
index 43d835044de..f1d15d27c6e 100644
--- a/src/3rdparty/chromium/v8/src/objects/objects.cc
+++ b/src/3rdparty/chromium/v8/src/objects/objects.cc
@@ -2481,6 +2481,12 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* 
it,
           Maybe<bool> result =
               JSObject::SetPropertyWithInterceptor(it, should_throw, value);
           if (result.IsNothing() || result.FromJust()) return result;
+          // Assuming that the callback have side effects, we use
+          // Object::SetSuperProperty() which works properly regardless on
+          // whether the property was present on the receiver or not when
+          // storing to the receiver.
+          // Proceed lookup from the next state.
+          it->Next();
         } else {
           Maybe<PropertyAttributes> maybe_attributes =
               JSObject::GetPropertyAttributesWithInterceptor(it);
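Review bot: The new comment is hard to parse ("Assuming that the callback have side effects ... regardless on whether"), and since it records why the lookup continues instead of returning, it should read cleanly, e.g. `// The interceptor callback may have had side effects, so fall through to Object::SetSuperProperty(), which stores correctly whether or not the property now exists on the receiver. Continue the lookup from the next state.` The fall-through it describes depends on the unconditional `return Object::SetSuperProperty(...)` introduced in the next hunk in place of the old `break`, so the two hunks should be read together. SetPropertyInternal() begins and ends outside both hunks.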
@@ -2501,10 +2507,8 @@ Maybe<bool> Object::SetPropertyInternal(LookupIterator* 
it,
             // property to the receiver.
             it->NotFound();
           }
-          return Object::SetSuperProperty(it, value, store_origin,
-                                          should_throw);
         }
-        break;
+        return Object::SetSuperProperty(it, value, store_origin, should_throw);
       }
 
       case LookupIterator::ACCESSOR: {
-- 
cgit v1.2.1
