773040 – <dev-qt/qtwebengine-5.15.2_p20210224: Multiple vulnerabilities

Bug 773040 - <dev-qt/qtwebengine-5.15.2_p20210224: Multiple vulnerabilities

Summary: <dev-qt/qtwebengine-5.15.2_p20210224: Multiple vulnerabilities

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	A2 [glsa+]
Keywords:

Depends on:
Blocks:	787950
	Show dependency tree

Reported:	2021-02-26 13:40 UTC by Andreas Sturmlechner
Modified:	2022-08-14 14:41 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2021-21142, CVE-2021-21143, CVE-2021-21144, CVE-2021-21145, CVE-2021-21146, CVE-2021-21147 CVE-2021-21149, CVE-2021-21150, CVE-2021-21151, CVE-2021-21152, CVE-2021-21153, CVE-2021-21154, CVE-2021-21155, CVE-2021-21156, CVE-2021-21157 CVE-2021-21148 CVE-2021-21117, CVE-2021-21118, CVE-2021-21119, CVE-2021-21120, CVE-2021-21121, CVE-2021-21122, CVE-2021-21123, CVE-2021-21124, CVE-2021-21125, CVE-2021-21126, CVE-2021-21127, CVE-2021-21128, CVE-2021-21129, CVE-2021-21130, CVE-2021-21131, CVE-2021-21132, CVE-2021-21133, CVE-2021-21134, CVE-2021-21135, CVE-2021-21136, CVE-2021-21137, CVE-2021-21138, CVE-2021-21139, CVE-2021-21140, CVE-2021-21141 CVE-2020-16014, CVE-2020-16015, CVE-2020-16018, CVE-2020-16019, CVE-2020-16020, CVE-2020-16021, CVE-2020-16022, CVE-2020-16023, CVE-2020-16024, CVE-2020-16025, CVE-2020-16026, CVE-2020-16027, CVE-2020-16028, CVE-2020-16029, CVE-2020-16030, CVE-2020-16031, CVE-2020-16032, CVE-2020-16033, CVE-2020-16034, CVE-2020-16036 773919
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Sturmlechner gentoo-dev

2021-02-26 13:40:50 UTC

Snapshot in preparation.

See also: https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based&qt=grep&q=CVE

Comment 1 Larry the Git Cow gentoo-dev

2021-02-26 21:19:35 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b17a3763239b411e863259e928b496bea2b9d051

commit b17a3763239b411e863259e928b496bea2b9d051
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-02-26 13:35:44 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-02-26 21:19:23 +0000

    dev-qt/qtwebengine: 5.15.2_p20210224 bump
    
    Snapshotted at:
    Branch: 5.15
    Commit: 0b5f110234256eabaa264189d9117069f2a2d144
    
    Submodule qtwebengine-chromium.git:
    Branch: 87-based
    Commit: 0eea95b24a9ed61c185adeeb787fb5b62e8f4537
    
    V8-ICU-68 runtime fix:
    Thanks-to: Stephan Hartmann <sultan@gentoo.org>
    
    Bug: https://bugs.gentoo.org/773040
    Package-Manager: Portage-3.0.15, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtwebengine/Manifest                        |  2 +-
 ...2_p20210220-fixup-CVE-2021-21149-backport.patch | 42 ----------------------
 ...ne-5.15.2_p20210224-chromium-87-v8-icu68.patch} |  0
 ...qtwebengine-5.15.2_p20210224-disable-git.patch} |  0
 dev-qt/qtwebengine/metadata.xml                    |  1 +
 ....ebuild => qtwebengine-5.15.2_p20210224.ebuild} | 11 +++---
 6 files changed, 7 insertions(+), 49 deletions(-)

Comment 2 John Helmert III archtester

2021-02-27 01:18:51 UTC

As these browser things go, let's presume there's code execution somewhere. Thank you for the report. Please proceed with stabilization when ready.

Comment 3 Andreas Sturmlechner gentoo-dev

2021-03-04 23:16:35 UTC

Let's not waste any more time then.

Comment 4 Thomas Deutschmann (RETIRED) gentoo-dev

2021-03-06 15:11:37 UTC

x86 stable

Comment 5 Sam James archtester

2021-03-06 18:37:39 UTC

amd64 done

Comment 6 Sam James archtester

2021-03-07 19:44:18 UTC

arm64 done

all arches done

Comment 7 John Helmert III archtester

2021-03-07 19:52:01 UTC

Please cleanup.

Comment 8 Andreas Sturmlechner gentoo-dev

2021-03-08 17:35:11 UTC

Cleanup is currently blocked by

- ~ppc64
- bug 773919

Comment 9 Andreas Sturmlechner gentoo-dev

2021-03-12 21:09:39 UTC

bug 773919 should be no longer blocking us, just waiting for ~ppc64 to catch up now.

Comment 10 Larry the Git Cow gentoo-dev

2021-03-24 12:15:40 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=f16bf0c1808fac00085c2ef8833879ed39642425

commit f16bf0c1808fac00085c2ef8833879ed39642425
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-03-24 12:14:09 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-03-24 12:14:47 +0000

    dev-qt/qtwebengine: 5.15.2 security cleanup
    
    Bug: https://bugs.gentoo.org/773040
    Package-Manager: Portage-3.0.17, Repoman-3.0.2
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtwebengine/Manifest                        |   2 -
 .../qtwebengine-5.15.2-icu-68-v8-runtime-fix.patch | 170 ------------
 .../files/qtwebengine-5.15.2-icu-68.patch          | 302 ---------------------
 dev-qt/qtwebengine/qtwebengine-5.15.2.ebuild       | 172 ------------
 4 files changed, 646 deletions(-)

Comment 11 Andreas Sturmlechner gentoo-dev

2021-04-18 20:52:10 UTC

qt proj is done in this bug anyway.

Comment 12 NATTkA bot gentoo-dev

2021-07-29 17:23:49 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 13 NATTkA bot gentoo-dev

2021-07-29 17:32:14 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 14 Andreas Sturmlechner gentoo-dev

2021-07-29 17:37:47 UTC

ping security

Comment 15 NATTkA bot gentoo-dev

2021-07-29 17:40:07 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 16 NATTkA bot gentoo-dev

2021-07-29 17:48:18 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 17 NATTkA bot gentoo-dev

2021-07-29 18:04:15 UTC Comment hidden (obsolete)

Package list is empty or all packages have requested keywords.

Comment 18 NATTkA bot gentoo-dev

2021-07-29 18:12:32 UTC

Package list is empty or all packages have requested keywords.

Comment 19 John Helmert III archtester

2022-08-14 04:58:59 UTC

GLSA request filed

Comment 20 Larry the Git Cow gentoo-dev

2022-08-14 14:34:16 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3212eacb7aa1bccb5bf765cd0a4fb91d206ad2c5

commit 3212eacb7aa1bccb5bf765cd0a4fb91d206ad2c5
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:29:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-25 ] Chromium, Google Chrome, Microsoft Edge, QtWebEngine: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/773040
    Bug: https://bugs.gentoo.org/787950
    Bug: https://bugs.gentoo.org/800181
    Bug: https://bugs.gentoo.org/810781
    Bug: https://bugs.gentoo.org/815397
    Bug: https://bugs.gentoo.org/828519
    Bug: https://bugs.gentoo.org/829161
    Bug: https://bugs.gentoo.org/834477
    Bug: https://bugs.gentoo.org/835397
    Bug: https://bugs.gentoo.org/835761
    Bug: https://bugs.gentoo.org/836011
    Bug: https://bugs.gentoo.org/836381
    Bug: https://bugs.gentoo.org/836777
    Bug: https://bugs.gentoo.org/836830
    Bug: https://bugs.gentoo.org/837497
    Bug: https://bugs.gentoo.org/838049
    Bug: https://bugs.gentoo.org/838433
    Bug: https://bugs.gentoo.org/838682
    Bug: https://bugs.gentoo.org/841371
    Bug: https://bugs.gentoo.org/843035
    Bug: https://bugs.gentoo.org/843728
    Bug: https://bugs.gentoo.org/847370
    Bug: https://bugs.gentoo.org/847613
    Bug: https://bugs.gentoo.org/848864
    Bug: https://bugs.gentoo.org/851003
    Bug: https://bugs.gentoo.org/851009
    Bug: https://bugs.gentoo.org/853229
    Bug: https://bugs.gentoo.org/853643
    Bug: https://bugs.gentoo.org/854372
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-25.xml | 284 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 284 insertions(+)

Comment 21 Sam James archtester

2022-08-14 14:37:50 UTC

GLSA done, all done.