Bug 544334

Summary: dev-qt/qtwebkit: QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode
Product: Gentoo Security
Component: Vulnerabilities
Reporter: Agostino Sarubbo <ago>
Assignee: Gentoo Security <security>
Status: RESOLVED OBSOLETE
Severity: trivial
Priority: Normal
CC: qt
Version: unspecified
Hardware: All
OS: Linux
URL: https://bugzilla.redhat.com/show_bug.cgi?id=1204795
Whiteboard: ~3 [ebuild+]
Package list:
Runtime testing required: ---
Bug Depends on: 620684
Bug Blocks:

Description Agostino Sarubbo gentoo-dev 2015-03-24 13:28:58 UTC
From ${URL} :

QtWebKit upstream are reviewing a patch that prevents it recording visited URLs to its favicon 
database (WebpageIcons.db) while using private browsing mode:

- https://codereview.qt-project.org/#/c/108936/
@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
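To make the reported behaviour concrete, the following added example (not code from QtWebKit, Fedora's patch, or this bug) models the favicon database as a small SQLite store and contrasts the unpatched write path with the patched one that skips recording in private browsing mode; it then runs the audit check a defender would use to see whether private-session page URLs persisted. The schema is a simplified assumption modelled on WebKit's IconDatabase, and the URLs and the function names record_visit, leaked_private_urls and simulate are constructed for the example.

```python
import sqlite3

# Assumed, simplified schema modelled on WebKit's IconDatabase (WebpageIcons.db).
# PageURL maps each visited page URL to a cached icon; the page URL column is the
# sensitive record, since it acts as a log of every page whose favicon was cached.
SCHEMA = """
CREATE TABLE IF NOT EXISTS IconInfo (iconID INTEGER PRIMARY KEY AUTOINCREMENT,
                                     url TEXT NOT NULL UNIQUE, stamp INTEGER);
CREATE TABLE IF NOT EXISTS PageURL (url TEXT NOT NULL UNIQUE ON CONFLICT REPLACE,
                                    iconID INTEGER NOT NULL);
"""


def open_icon_db(path=":memory:"):
    conn = sqlite3.connect(path)
    conn.executescript(SCHEMA)
    return conn


def record_visit(conn, page_url, icon_url, private_browsing, patched=True):
    """Model of the icon-association write. Unpatched: always persists the page URL.
    Patched: the private-browsing check runs before anything touches the database."""
    if patched and private_browsing:
        return False  # nothing written; the visit leaves no trace in WebpageIcons.db
    conn.execute("INSERT OR IGNORE INTO IconInfo (url, stamp) VALUES (?, 0)", (icon_url,))
    icon_id = conn.execute("SELECT iconID FROM IconInfo WHERE url = ?", (icon_url,)).fetchone()[0]
    conn.execute("INSERT INTO PageURL (url, iconID) VALUES (?, ?)", (page_url, icon_id))
    conn.commit()
    return True


def recorded_page_urls(conn):
    """Every page URL the icon database remembers; this is what an audit reads back."""
    return sorted(row[0] for row in conn.execute("SELECT url FROM PageURL"))


def leaked_private_urls(conn, private_urls):
    """Audit check: which URLs visited in a private session ended up on disk?"""
    return sorted(set(private_urls) & set(recorded_page_urls(conn)))


def simulate(patched):
    """One normal visit followed by two private-mode visits (constructed URLs)."""
    conn = open_icon_db()
    record_visit(conn, "https://example.org/public", "https://example.org/favicon.ico", False, patched)
    private = ["https://example.net/private-page", "https://example.com/account"]
    for url in private:
        record_visit(conn, url, url.rsplit("/", 1)[0] + "/favicon.ico", True, patched)
    return leaked_private_urls(conn, private)
```

Running leaked_private_urls against a real profile's WebpageIcons.db (assuming the same PageURL table) after a private session is the practical way to confirm whether an installed build carries the fix.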
Comment 1 Michael Palimaka (kensington) gentoo-dev 2015-10-09 16:17:17 UTC
The fix is part of 5.4.2 which is stable in-tree, but apparently affects qtwebkit:4 too.
Comment 2 Davide Pesavento (RETIRED) gentoo-dev 2015-10-09 16:22:02 UTC
Fedora has a patch [1] against qtwebkit23, i.e. our qtwebkit-4.10.4

[1] http://pkgs.fedoraproject.org/cgit/qtwebkit.git/plain/webkit-qtwebkit-23-private_browsing.patch
Comment 3 Aaron Bauman (RETIRED) gentoo-dev 2016-03-31 08:15:34 UTC
Per upstream commit this is included in the 5.4 branch which is currently stable in the tree.

@maintainers, I imagine the 4.8.x branch will be around for a while.  Is it feasible to include the referenced patch on all 4.8.x stable versions?
Comment 4 Michael Palimaka (kensington) gentoo-dev 2016-03-31 11:18:58 UTC
(In reply to Aaron Bauman from comment #3)
> @maintainers, I imagine the 4.8.x branch will be around for a while.  Is it
> feasible to include the referenced patch on all 4.8.x stable versions?

Fedora's patch is against qtwebkit-4.10.4, which is in-tree but hard-masked and will require a lot of integration work to be usable.

The file being patched doesn't even exist in qtwebkit-4.8.x, so it will need investigation whether it's possible to port or not.

Considering that Qt 4 is EOL and how behind qtwebkit in general is, I wonder if it's time to start investigating revdeps and avoid usage where possible.
Comment 5 Davide Pesavento (RETIRED) gentoo-dev 2016-03-31 17:30:32 UTC
(In reply to Michael Palimaka (kensington) from comment #4)
> Considering that Qt 4 is EOL and how behind qtwebkit in general is, I wonder
> if it's time to start investigating revdeps and avoid usage where possible.

I concur. I don't even want to think about how many security issues affect qtwebkit-4.8.x at this point...
Comment 6 Aaron Bauman (RETIRED) gentoo-dev 2016-03-31 22:59:17 UTC
(In reply to Michael Palimaka (kensington) from comment #4)
> (In reply to Aaron Bauman from comment #3)
> > @maintainers, I imagine the 4.8.x branch will be around for a while.  Is it
> > feasible to include the referenced patch on all 4.8.x stable versions?
> 
> Fedora's patch is against qtwebkit-4.10.4, which is in-tree but hard-masked
> and will require a lot of integration work to be usable. 
> 
> The file being patched doesn't even exist in qtwebkit-4.8.x, so it will
> need investigation whether it's possible to port or not.
> 
> Considering that Qt 4 is EOL and how behind qtwebkit in general is, I wonder
> if it's time to start investigating revdeps and avoid usage where possible.

That looks to me like the issue has been mitigated than concerning 4.10.4.  I cannot find anywhere (CVEs, OSS, etc.) confirming that 4.8.x contains the same vulnerability.  As you mentioned, the source file does not even exist, so that rules out finding the same code.  Would you like to keep this bug open for any other tracking issues?
Comment 7 Michael Palimaka (kensington) gentoo-dev 2016-04-01 06:07:46 UTC
(In reply to Aaron Bauman from comment #6)
> (In reply to Michael Palimaka (kensington) from comment #4)
> > (In reply to Aaron Bauman from comment #3)
> > > @maintainers, I imagine the 4.8.x branch will be around for a while.  Is it
> > > feasible to include the referenced patch on all 4.8.x stable versions?
> > 
> > Fedora's patch is against qtwebkit-4.10.4, which is in-tree but hard-masked
> > and will require a lot of integration work to be usable. 
> > 
> > The file being patched doesn't even exist in qtwebkit-4.8.x, so it will
> > need investigation whether it's possible to port or not.
> > 
> > Considering that Qt 4 is EOL and how behind qtwebkit in general is, I wonder
> > if it's time to start investigating revdeps and avoid usage where possible.
> 
> That looks to me like the issue has been mitigated than concerning 4.10.4.
> I cannot find anywhere (CVEs, OSS, etc.) confirming that 4.8.x contains the
> same vulnerability.  As you mentioned, the source file does not even exist,
> so that rules out finding the same code.  Would you like to keep this bug
> open for any other tracking issues?

While the source file does not exist, the code referenced in the patch does appear in another file. I can't say for certain whether it's really affected or not.
Comment 8 Davide Pesavento (RETIRED) gentoo-dev 2018-01-13 00:40:28 UTC
qtwebkit:4 has been treecleaned.