847613 – <dev-qt/qtwebengine-5.15.4_p20220526: Multiple vulnerabilities...

Bug 847613 - <dev-qt/qtwebengine-5.15.4_p20220526: Multiple vulnerabilities...

Summary: <dev-qt/qtwebengine-5.15.4_p20220526: Multiple vulnerabilities...

Status:	RESOLVED FIXED

Alias:	None

Product:	Gentoo Security
Classification:	Unclassified
Component:	Vulnerabilities (show other bugs)
Hardware:	All Linux

Importance:	Normal normal
Assignee:	Gentoo Security

URL:
Whiteboard:	B2 [glsa+]
Keywords:

Depends on:	836830 boost-1.79-stable, qt-5.15.4-stable
Blocks:	853229
	Show dependency tree

Reported:	2022-05-26 19:33 UTC by Andreas Sturmlechner
Modified:	2022-08-14 14:39 UTC (History)
CC List:	1 user (show)

See Also:	CVE-2022-1305, CVE-2022-1306, CVE-2022-1307, CVE-2022-1308, CVE-2022-1309, CVE-2022-1310, CVE-2022-1311, CVE-2022-1312, CVE-2022-1313, CVE-2022-1314 CVE-2022-1125, CVE-2022-1127, CVE-2022-1128, CVE-2022-1129, CVE-2022-1130, CVE-2022-1131, CVE-2022-1132, CVE-2022-1133, CVE-2022-1134, CVE-2022-1135, CVE-2022-1136, CVE-2022-1137, CVE-2022-1138, CVE-2022-1139, CVE-2022-1141, CVE-2022-1142, CVE-2022-1143, CVE-2022-1144, CVE-2022-1145, CVE-2022-1146 CVE-2022-0971, CVE-2022-0972, CVE-2022-0973, CVE-2022-0974, CVE-2022-0975, CVE-2022-0976, CVE-2022-0977, CVE-2022-0978, CVE-2022-0979, CVE-2022-0980 CVE-2022-1477, CVE-2022-1478, CVE-2022-1479, CVE-2022-1480, CVE-2022-1481, CVE-2022-1482, CVE-2022-1483, CVE-2022-1484, CVE-2022-1485, CVE-2022-1486, CVE-2022-1487, CVE-2022-1488, CVE-2022-1489, CVE-2022-1490, CVE-2022-1491, CVE-2022-1492, CVE-2022-1493, CVE-2022-1494, CVE-2022-1495, CVE-2022-1496, CVE-2022-1497, CVE-2022-1498, CVE-2022-1499, CVE-2022-1500, CVE-2022-1501 CVE-2022-0789, CVE-2022-0790, CVE-2022-0791, CVE-2022-0792, CVE-2022-0793, CVE-2022-0794, CVE-2022-0795, CVE-2022-0796, CVE-2022-0797, CVE-2022-0798, CVE-2022-0799, CVE-2022-0800, CVE-2022-0801, CVE-2022-0802, CVE-2022-0803, CVE-2022-0804, CVE-2022-0805, CVE-2022-0806, CVE-2022-0807, CVE-2022-0808, CVE-2022-0809
Package list:
Runtime testing required:	---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.

Description Andreas Sturmlechner gentoo-dev

2022-05-26 19:33:42 UTC

Update Chromium
Submodule src/3rdparty 0d984c7f..caba2fcb:

  > Bump V8_PATCH_LEVEL
  > [Backport] Security bug 1306507
  > [Backport] Security bug 1304659
  > [Backport] Security bug 1269999
  > [Backport] Roll libxml from a46e85f6 to dea91c97
  > [Backport] Roll libxml from bfd2f430 to a46e85f6
  > [Backport] Roll libxml to bfd2f430
  > [Backport] Roll libxml to 7279d236
  > [Backport] Roll libxml to f93ca3e1
  > [Backport] Security bug 1292905
  > [Backport] CVE-2022-1314: Type Confusion in V8
  > [Backport] CVE-2022-1310: Use after free in regular expressions
  > [Backport] CVE-2022-1305: Use after free in storage
  > [Backport] CVE-2022-1125
  > [Backport] Security bug 1280852
  > [Backport] Secuirity Bug 1296876
  > [Backport] CVE-2022-0978: Use after free in ANGLE
  > [Backport] CVE-2022-1493: Use after free in Dev Tools
  > [Backport] CVE-2022-1138: Inappropriate implementation in Web Cursor.
  > Quick fix for regression in service workers by reverting backports
  > [Backport] CVE-2022-0797: Out of bounds memory access in Mojo

Comment 1 Larry the Git Cow gentoo-dev

2022-05-26 19:35:34 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=fa0ed801438935af8cd8896d5b788483e7893fa1

commit fa0ed801438935af8cd8896d5b788483e7893fa1
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-05-26 19:34:05 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-05-26 19:34:19 +0000

    dev-qt/qtwebengine: 5.15.4_p20220526 version bump
    
    Various security fixes...
    
    Snapshotted at:
    Branch: 5.15
    Commit: 79943b157ef381e5953f34f8e03049f2eecd6eb5
    
    Submodule qtwebengine-chromium.git:
    Branch: 87-based
    Commit: 7857ff290ab254a5a1fe2e85e146680448b4d46e
    
    Bug: https://bugs.gentoo.org/847613
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtwebengine/Manifest                        |   1 +
 .../qtwebengine-5.15.4_p20220526.ebuild            | 275 +++++++++++++++++++++
 2 files changed, 276 insertions(+)

Comment 2 Larry the Git Cow gentoo-dev

2022-05-30 16:09:32 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=d9fd830429f4bc8f41e12c837107c8aefaebc0c3

commit d9fd830429f4bc8f41e12c837107c8aefaebc0c3
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-05-30 15:21:52 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-05-30 16:09:02 +0000

    dev-qt/qtwebengine: Re-add KEYWORDS to 5.15.4_p20220526
    
    Bug: https://bugs.gentoo.org/847613
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtwebengine/qtwebengine-5.15.4_p20220526.ebuild | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

Comment 3 Larry the Git Cow gentoo-dev

2022-06-14 17:32:07 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6cdbe0d99c748df0cda42c26aa7eca4e5537cc7c

commit 6cdbe0d99c748df0cda42c26aa7eca4e5537cc7c
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-06-14 16:08:27 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2022-06-14 17:31:46 +0000

    dev-qt/qtwebengine: Cleanup vulnerable 5.15.3_p20220406
    
    Bug: https://bugs.gentoo.org/847613
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtwebengine/Manifest                        |   1 -
 .../qtwebengine-5.15.3_p20220406.ebuild            | 280 ---------------------
 2 files changed, 281 deletions(-)

Comment 4 John Helmert III archtester

2022-06-14 19:24:58 UTC

Thanks!

Comment 5 John Helmert III archtester

2022-08-14 04:59:06 UTC

GLSA request filed

Comment 6 Larry the Git Cow gentoo-dev

2022-08-14 14:34:23 UTC

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3212eacb7aa1bccb5bf765cd0a4fb91d206ad2c5

commit 3212eacb7aa1bccb5bf765cd0a4fb91d206ad2c5
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:29:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-25 ] Chromium, Google Chrome, Microsoft Edge, QtWebEngine: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/773040
    Bug: https://bugs.gentoo.org/787950
    Bug: https://bugs.gentoo.org/800181
    Bug: https://bugs.gentoo.org/810781
    Bug: https://bugs.gentoo.org/815397
    Bug: https://bugs.gentoo.org/828519
    Bug: https://bugs.gentoo.org/829161
    Bug: https://bugs.gentoo.org/834477
    Bug: https://bugs.gentoo.org/835397
    Bug: https://bugs.gentoo.org/835761
    Bug: https://bugs.gentoo.org/836011
    Bug: https://bugs.gentoo.org/836381
    Bug: https://bugs.gentoo.org/836777
    Bug: https://bugs.gentoo.org/836830
    Bug: https://bugs.gentoo.org/837497
    Bug: https://bugs.gentoo.org/838049
    Bug: https://bugs.gentoo.org/838433
    Bug: https://bugs.gentoo.org/838682
    Bug: https://bugs.gentoo.org/841371
    Bug: https://bugs.gentoo.org/843035
    Bug: https://bugs.gentoo.org/843728
    Bug: https://bugs.gentoo.org/847370
    Bug: https://bugs.gentoo.org/847613
    Bug: https://bugs.gentoo.org/848864
    Bug: https://bugs.gentoo.org/851003
    Bug: https://bugs.gentoo.org/851009
    Bug: https://bugs.gentoo.org/853229
    Bug: https://bugs.gentoo.org/853643
    Bug: https://bugs.gentoo.org/854372
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-25.xml | 284 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 284 insertions(+)

Comment 7 Sam James archtester

2022-08-14 14:37:40 UTC

GLSA done, all done.