Summary: | <dev-qt/qtwebengine-5.14.1: use-after-free in audio (CVE-2019-13720) | ||
---|---|---|---|
Product: | Gentoo Security | Reporter: | GLSAMaker/CVETool Bot <glsamaker> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | ||
Severity: | normal | CC: | asturm, fuantaji, kroemmelbein, qt |
Priority: | Normal | Keywords: | STABLEREQ |
Version: | unspecified | Flags: | nattka: sanity-check+ |
Hardware: | All | ||
OS: | Linux | ||
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=709284 https://bugs.gentoo.org/show_bug.cgi?id=711000 | ||
Whiteboard: | B2 [glsa+ cve] | ||
Package list: |
dev-qt/assistant-5.14.1 amd64 arm64 ppc64 x86
dev-qt/designer-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/linguist-5.14.1 amd64 arm64 ppc64 x86
dev-qt/linguist-tools-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/pixeltool-5.14.1 amd64 arm64 ppc64 x86
dev-qt/qdbus-5.14.1 amd64 arm64 ppc ppc64 x86
dev-qt/qdbusviewer-5.14.1 amd64 arm64 ppc64 x86
dev-qt/qdoc-5.14.1 amd64 arm64 x86
dev-qt/qt3d-5.14.1-r1 amd64 arm64 x86
dev-qt/qtbluetooth-5.14.1 amd64 arm arm64 x86
dev-qt/qtconcurrent-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtcore-5.14.1-r1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtdatavis3d-5.14.1-r1 amd64 arm64 x86
dev-qt/qtdbus-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtdeclarative-5.14.1-r2 amd64 arm arm64 ppc ppc64 x86
dev-qt/qt-docs-5.14.1_p202001241012 amd64 arm64 x86
dev-qt/qtgamepad-5.14.1 amd64 arm64 x86
dev-qt/qtgraphicaleffects-5.14.1 amd64 arm64 ppc ppc64 x86
dev-qt/qtgui-5.14.1-r4 amd64 arm arm64 ppc ppc64 x86
dev-qt/qthelp-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtimageformats-5.14.1 amd64 arm64 ppc64 x86
dev-qt/qtlocation-5.14.1 amd64 arm arm64 x86
dev-qt/qtmultimedia-5.14.1-r1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtnetwork-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtnetworkauth-5.14.1 amd64 arm64 x86
dev-qt/qtopengl-5.14.1-r1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtpaths-5.14.1 amd64 arm64 ppc ppc64 x86
dev-qt/qtpositioning-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtprintsupport-5.14.1-r1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtquickcontrols2-5.14.1 amd64 arm64 x86
dev-qt/qtquickcontrols-5.14.1 amd64 arm64 ppc ppc64 x86
dev-qt/qtscript-5.14.1 amd64 arm64 ppc ppc64 x86
dev-qt/qtscxml-5.14.1 amd64 arm64 x86
dev-qt/qtsensors-5.14.1 amd64 arm arm64 ppc64 x86
dev-qt/qtserialport-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtspeech-5.14.1 amd64 arm64 x86
dev-qt/qtsql-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtsvg-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qttest-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qttranslations-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtvirtualkeyboard-5.14.1 amd64 arm64 x86
dev-qt/qtwayland-5.14.1-r3 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtwebchannel-5.14.1 amd64 arm arm64 ppc64 x86
dev-qt/qtwebengine-5.14.1 amd64 arm64 x86
dev-qt/qtwebsockets-5.14.1 amd64 arm arm64 ppc64 x86
dev-qt/qtwidgets-5.14.1-r1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtx11extras-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtxml-5.14.1 amd64 arm arm64 ppc ppc64 x86
dev-qt/qtxmlpatterns-5.14.1 amd64 arm arm64 ppc ppc64 x86
|
Runtime testing required: | --- |
Bug Depends on: | 695446, 703306, 703594, 704918, 705198, 705232, 707056, 708666, 708812, 708814, 708816, 708818, 708820, 708822, 709540, 711476 | ||
Bug Blocks: | 699324 |
Description
GLSAMaker/CVETool Bot
*** Bug 701860 has been marked as a duplicate of this bug. ***

Let's add a stable list then.

This issue occurred in my tatt test run:

Bug 711476 - dev-qt/qtwayland-5.14.1-r1: qwaylanddisplay_p.h:69:10: fatal error: QtXkbCommonSupport/private/qxkbcommon_p.h: No such file or directory

The problem only occurs when the useflag libinput, which is forced by IUSE in ebuild, is switched off by user.

I did not test qtwebengine with tatt, because every emerge with useflag +jumbo-build takes almost 2.5 hours on this machine and with -jumbo-build more than 4.5 hours. And I don't want to let the PC run for 2 to 3 days at ~ 100% CPU load.

I have ignored the following useflags: +systemd, -vulkan, -widgets, -X, -cups, -egl, -accessibility, -gif, -qml, -gstreamer, -scripttools, -ssl, -sqlite, -mysql, -png, -qml

Since almost all of these useflags are forced by the Desktop/Plasma profile, or are required by other already installed packages.

Bumping to dev-qt/qtwayland-5.14.1-r2.

Arches please stabilise!

ppc stable

ppc64 stable

amd64 stable

x86 stable

arm64 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=410485e1760ed0e99c964f9fe853164d6b0f2c51

commit 410485e1760ed0e99c964f9fe853164d6b0f2c51
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-03-28 11:31:24 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-03-28 11:41:00 +0000

dev-qt: Security cleanup Qt 5.13.2 all KEYWORDS except for arm/~arm Drop all packages ending up without KEYWORDS.

Bug: https://bugs.gentoo.org/699328
Package-Manager: Portage-2.3.96, Repoman-2.3.22
Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

dev-qt/assistant/assistant-5.13.2.ebuild | 4 +--
dev-qt/designer/designer-5.13.2.ebuild | 2 +-
dev-qt/linguist-tools/linguist-tools-5.13.2.ebuild | 2 +-
dev-qt/linguist/linguist-5.13.2.ebuild | 4 +--
dev-qt/pixeltool/pixeltool-5.13.2.ebuild | 4 +--
dev-qt/qdbus/qdbus-5.13.2.ebuild | 2 +-
dev-qt/qdbusviewer/qdbusviewer-5.13.2.ebuild | 4 +--
dev-qt/qdoc/qdoc-5.13.2.ebuild | 4 +--
dev-qt/qt-docs/qt-docs-5.13.2_p201910220817.ebuild | 4 +--
dev-qt/qt3d/Manifest | 1 -
dev-qt/qt3d/qt3d-5.13.2.ebuild | 34 ------------------
dev-qt/qtbluetooth/qtbluetooth-5.13.2.ebuild | 2 +-
dev-qt/qtcharts/Manifest | 1 -
dev-qt/qtcharts/qtcharts-5.13.2.ebuild | 29 ---------------
dev-qt/qtconcurrent/qtconcurrent-5.13.2.ebuild | 2 +-
dev-qt/qtcore/qtcore-5.13.2-r2.ebuild | 2 +-
dev-qt/qtdatavis3d/Manifest | 1 -
dev-qt/qtdatavis3d/qtdatavis3d-5.13.2.ebuild | 31 ----------------
dev-qt/qtdbus/qtdbus-5.13.2.ebuild | 2 +-
.../qtdeclarative/qtdeclarative-5.13.2-r1.ebuild | 2 +-
dev-qt/qtdiag/qtdiag-5.13.2.ebuild | 4 +--
dev-qt/qtgamepad/Manifest | 1 -
dev-qt/qtgamepad/qtgamepad-5.13.2.ebuild | 35 ------------------
.../qtgraphicaleffects-5.13.2.ebuild | 2 +-
dev-qt/qtgui/qtgui-5.13.2.ebuild | 2 +-
dev-qt/qthelp/qthelp-5.13.2.ebuild | 2 +-
dev-qt/qtimageformats/qtimageformats-5.13.2.ebuild | 4 +--
dev-qt/qtlocation/qtlocation-5.13.2.ebuild | 2 +-
dev-qt/qtmultimedia/qtmultimedia-5.13.2-r1.ebuild | 2 +-
dev-qt/qtnetwork/qtnetwork-5.13.2.ebuild | 2 +-
dev-qt/qtnetworkauth/Manifest | 1 -
dev-qt/qtnetworkauth/qtnetworkauth-5.13.2.ebuild | 20 -----------
dev-qt/qtopengl/qtopengl-5.13.2.ebuild | 2 +-
dev-qt/qtpaths/qtpaths-5.13.2.ebuild | 2 +-
dev-qt/qtplugininfo/Manifest | 1 -
dev-qt/qtplugininfo/qtplugininfo-5.13.2.ebuild | 23 ------------
dev-qt/qtpositioning/qtpositioning-5.13.2.ebuild | 2 +-
.../qtprintsupport/qtprintsupport-5.13.2-r1.ebuild | 2 +-
dev-qt/qtprintsupport/qtprintsupport-5.13.2.ebuild | 42 ----------------------
.../qtquickcontrols/qtquickcontrols-5.13.2.ebuild | 2 +-
.../qtquickcontrols2-5.13.2.ebuild | 4 +--
dev-qt/qtscript/qtscript-5.13.2.ebuild | 2 +-
dev-qt/qtscxml/Manifest | 1 -
dev-qt/qtscxml/qtscxml-5.13.2.ebuild | 19 ----------
dev-qt/qtsensors/qtsensors-5.13.2.ebuild | 2 +-
dev-qt/qtserialbus/Manifest | 1 -
dev-qt/qtserialbus/qtserialbus-5.13.2.ebuild | 20 -----------
dev-qt/qtserialport/qtserialport-5.13.2.ebuild | 2 +-
dev-qt/qtspeech/qtspeech-5.13.2.ebuild | 4 +--
dev-qt/qtsql/qtsql-5.13.2.ebuild | 2 +-
dev-qt/qtsvg/qtsvg-5.13.2.ebuild | 2 +-
dev-qt/qttest/qttest-5.13.2.ebuild | 2 +-
dev-qt/qttranslations/qttranslations-5.13.2.ebuild | 2 +-
.../qtvirtualkeyboard-5.13.2.ebuild | 4 +--
dev-qt/qtwayland/qtwayland-5.13.2-r1.ebuild | 2 +-
dev-qt/qtwebchannel/qtwebchannel-5.13.2.ebuild | 2 +-
dev-qt/qtwebengine/qtwebengine-5.13.2.ebuild | 2 +-
dev-qt/qtwebsockets/qtwebsockets-5.13.2.ebuild | 2 +-
dev-qt/qtwebview/Manifest | 1 -
dev-qt/qtwebview/qtwebview-5.13.2.ebuild | 21 -----------
dev-qt/qtwidgets/qtwidgets-5.13.2.ebuild | 2 +-
dev-qt/qtx11extras/qtx11extras-5.13.2.ebuild | 2 +-
dev-qt/qtxml/qtxml-5.13.2.ebuild | 2 +-
dev-qt/qtxmlpatterns/qtxmlpatterns-5.13.2.ebuild | 2 +-
64 files changed, 56 insertions(+), 339 deletions(-)

Waiting on arm to cleanup 5.13.2, it seems.

(In reply to Sam James (sam_c) (security padawan) from comment #13)
> Waiting on arm to cleanup 5.13.2, it seems.

Oops. p.g.o was out of date, combined with me misreading the version removed. Thanks for pointing this out on IRC, asturm.

Cleanup is done. Waiting on arm to stabilise 5.14.x (arm currently has no stable version).

New GLSA request filed.

This issue was resolved and addressed in GLSA 202004-04 at https://security.gentoo.org/glsa/202004-04 by GLSA coordinator Thomas Deutschmann (whissi).

Re-opening for remaining architecture.

Resetting sanity check; keywords are not fully specified and arches are not CC-ed.

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fb143d71dcdcdf31abc464f9b767eae39c98734

commit 9fb143d71dcdcdf31abc464f9b767eae39c98734
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-04-26 13:37:12 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-04-26 18:11:27 +0000

dev-qt/qtwebengine: Drop vulnerable 5.13.2 Effectively dropping package without revdeps back to ~arm.

Bug: https://bugs.gentoo.org/713900
Bug: https://bugs.gentoo.org/699328
Package-Manager: Portage-2.3.99, Repoman-2.3.22
Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

dev-qt/qtwebengine/Manifest | 1 -
.../files/qtwebengine-5.12.5-icu-65.patch | 33 ------
dev-qt/qtwebengine/qtwebengine-5.13.2.ebuild | 126 ---------------------
3 files changed, 160 deletions(-)

dev-qt/qtwebengine was dropped back to ~arm. With Qt 5.14.2 stabilisation around the corner in bug 719732, arm need no longer waste time on this.

So, tree looks clean. Closing.