Summary: | <dev-qt/qtwebengine-5.15.1: Multiple vulnerabilities | | |
---|---|---|---|
Product: | Gentoo Security | Reporter: | Sam James <sam> |
Component: | Vulnerabilities | Assignee: | Gentoo Security <security> |
Status: | RESOLVED FIXED | | |
Severity: | major | CC: | gyakovlev, qt |
Priority: | Normal | Flags: | nattka: sanity-check- |
Version: | unspecified | | |
Hardware: | All | | |
OS: | Linux | | |
See Also: | https://bugs.gentoo.org/show_bug.cgi?id=741861 | | |
Whiteboard: | A2 [glsa+ cve] | | |

Package list:
dev-qt/assistant-5.15.1 amd64 arm64 ppc64 x86
dev-qt/designer-5.15.1
dev-qt/linguist-5.15.1 amd64 arm64 ppc64 x86
dev-qt/linguist-tools-5.15.1
dev-qt/pixeltool-5.15.1 amd64 arm64 ppc64 x86
dev-qt/qdbus-5.15.1 amd64 arm64 ppc ppc64 x86
dev-qt/qdbusviewer-5.15.1 amd64 arm64 ppc64 x86
dev-qt/qdoc-5.15.1 amd64 arm64 x86
dev-qt/qt3d-5.15.1 amd64 arm64 x86
dev-qt/qtbluetooth-5.15.1 amd64 arm arm64 x86
dev-qt/qtcharts-5.15.1 amd64 arm64 x86
dev-qt/qtconcurrent-5.15.1
dev-qt/qtcore-5.15.1-r1
dev-qt/qtdatavis3d-5.15.1 amd64 arm64 x86
dev-qt/qtdbus-5.15.1
dev-qt/qtdeclarative-5.15.1
dev-qt/qtdiag-5.15.1 amd64 x86
dev-qt/qt-docs-5.15.1_p202009071124 amd64 arm64 x86
dev-qt/qtgamepad-5.15.1 amd64 arm64 x86
dev-qt/qtgraphicaleffects-5.15.1 amd64 arm64 ppc ppc64 x86
dev-qt/qtgui-5.15.1-r1
dev-qt/qthelp-5.15.1
dev-qt/qtimageformats-5.15.1 amd64 arm64 ppc64 x86
dev-qt/qtlocation-5.15.1 amd64 arm arm64 x86
dev-qt/qtmultimedia-5.15.1
dev-qt/qtnetwork-5.15.1
dev-qt/qtnetworkauth-5.15.1 amd64 arm64 x86
dev-qt/qtopengl-5.15.1
dev-qt/qtpaths-5.15.1 amd64 arm64 ppc ppc64 x86
dev-qt/qtpositioning-5.15.1
dev-qt/qtprintsupport-5.15.1
dev-qt/qtquickcontrols2-5.15.1 amd64 arm64 x86
dev-qt/qtquickcontrols-5.15.1 amd64 arm64 ppc ppc64 x86
dev-qt/qtscript-5.15.1 amd64 arm64 ppc ppc64 x86
dev-qt/qtscxml-5.15.1 amd64 arm64 x86
dev-qt/qtsensors-5.15.1 amd64 arm arm64 ppc64 x86
dev-qt/qtserialport-5.15.1
dev-qt/qtspeech-5.15.1 amd64 arm64 x86
dev-qt/qtsql-5.15.1
dev-qt/qtsvg-5.15.1
dev-qt/qttest-5.15.1
dev-qt/qttranslations-5.15.1
dev-qt/qtvirtualkeyboard-5.15.1 amd64 arm64 x86
dev-qt/qtwayland-5.15.1
dev-qt/qtwebchannel-5.15.1 amd64 arm arm64 ppc64 x86
dev-qt/qtwebengine-5.15.1 amd64 arm64 x86
dev-qt/qtwebsockets-5.15.1 amd64 arm arm64 ppc64 x86
dev-qt/qtwidgets-5.15.1
dev-qt/qtx11extras-5.15.1
dev-qt/qtxml-5.15.1
dev-qt/qtxmlpatterns-5.15.1

Runtime testing required: ---
Bug Depends on: 726178, 734356, 737914
Bug Blocks:
Attachments:

Description
Sam James
2020-07-29 18:32:16 UTC
Let us know when ready (obviously). Thank you as ever.

Revbumping dev-qt/qtgui for commit 5e4b74cf31c4478d491f577d5746e4024b3ea552.

Out of interest, are we waiting now on Qt-timeout, or some bug(s) or alignment with the Plasma bug?

30 days since 5.15.1 bump have not yet passed. Above fix shows we've done well to wait. Also, yes, linked Plasma would be best for this and will start first.

(In reply to Andreas Sturmlechner from comment #4)
> 30 days since 5.15.1 bump have not yet passed. Above fix shows we've done
> well to wait. Also, yes, linked Plasma would be best for this and will start
> first.

So why CC arches on one and not the other? (and no, we don't always wait 30 days)

(In reply to Sam James from comment #5)
> (In reply to Andreas Sturmlechner from comment #4)
> > 30 days since 5.15.1 bump have not yet passed. Above fix shows we've done
> > well to wait. Also, yes, linked Plasma would be best for this and will start
> > first.
>
> So why CC arches on one and not the other? (and no, we don't always wait 30
> days)

(To be clear, I have no problem waiting and I always appreciate your work with us. I'm just trying to figure out, with the arch team hat on too, whether or not doing Plasma now is going to cause unnecessary rebuilds. If we're going to be doing this in a few days or whatever, I don't want to do it on both amd64 and x86 or something then cause a bunch of hassle.)

There is only a handful of Qt revdeps that use private headers hence causing rebuilds, Plasma/Frameworks rebuilds are not expensive at all.

(In reply to Andreas Sturmlechner from comment #7)
> There is only a handful of Qt revdeps that use private headers hence causing
> rebuilds, Plasma/Frameworks rebuilds are not expensive at all.

So no real need to be done in sync then. Thank you for explaining. :)

arm64 done

arm done

amd64 done

(In reply to Sam James from comment #11)
> amd64 done

This is causing some trouble:

!!! Multiple package instances within a single package slot have been pulled
!!! into the dependency graph, resulting in a slot conflict:

Created attachment 664984
emerge -uDNav @world

Created attachment 664987
emerge --info

Don't spam this bug please, seek help in irc or forums.

ppc stable

ppc64 stable

(In reply to Andreas Sturmlechner from comment #15)
> Don't spam this bug please, seek help in irc or forums.

I'm surprised by this response, frankly. Why is this tracked in bugzilla if we don't want users to report problems? Am I misunderstanding something?

(In reply to Michal Privoznik from comment #18)
> (In reply to Andreas Sturmlechner from comment #15)
> > Don't spam this bug please, seek help in irc or forums.
>
> I'm surprised by this response, frankly. Why is this tracked in bugzilla if
> we don't want users to report problems? Am I misunderstanding something?

Slot conflicts are usually support problems, even if it's not always obvious how to fix them. At the very least, a new bug should be filed, but like I said, this is likely a support issue. Sometimes they are things where we can intervene to make things easier (e.g. stabilising a newer version of something), sometimes not. Please ensure you are updating your whole system.

(In reply to Michal Privoznik from comment #18)
> I'm surprised by this response, frankly. Why is this tracked in bugzilla if
> we don't want users to report problems? Am I misunderstanding something?

You're experiencing a well-known Portage limitation, it even tells you how to solve it at the end (increase --backtrack). If that does not help, then #gentoo or forums are best suited for this type of support question for more real-time response. A bug is very ill-suited for that, and it is nothing for Qt proj to solve anyway.

x86 stable

The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=1c0947091db651f4e7d136e22d4887b47d9245cd

commit 1c0947091db651f4e7d136e22d4887b47d9245cd
Author: Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-10-13 14:26:11 +0000
Commit: Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-10-18 16:15:28 +0000

    dev-qt: Drop Qt 5.14.2

    Bug: https://bugs.gentoo.org/734600
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/assistant/Manifest | 1 -
 dev-qt/assistant/assistant-5.14.2.ebuild | 55 ------
 dev-qt/designer/Manifest | 1 -
 dev-qt/designer/designer-5.14.2.ebuild | 57 -------
 dev-qt/linguist-tools/Manifest | 1 -
 dev-qt/linguist-tools/linguist-tools-5.14.2.ebuild | 35 ----
 dev-qt/linguist/Manifest | 1 -
 dev-qt/linguist/linguist-5.14.2.ebuild | 48 ------
 dev-qt/pixeltool/Manifest | 1 -
 dev-qt/pixeltool/pixeltool-5.14.2.ebuild | 25 ---
 dev-qt/qdbus/Manifest | 1 -
 dev-qt/qdbus/qdbus-5.14.2.ebuild | 25 ---
 dev-qt/qdbusviewer/Manifest | 1 -
 dev-qt/qdbusviewer/qdbusviewer-5.14.2.ebuild | 45 -----
 dev-qt/qdoc/Manifest | 1 -
 dev-qt/qdoc/qdoc-5.14.2.ebuild | 41 -----
 dev-qt/qt-docs/Manifest | 55 ------
 dev-qt/qt-docs/metadata.xml | 1 -
 .../qt-docs/qt-docs-5.14.2_p202003291239-r1.ebuild | 103 ------------
 dev-qt/qt-docs/qt-docs-5.14.2_p202003291239.ebuild | 102 ------------
 dev-qt/qt3d/Manifest | 1 -
 dev-qt/qt3d/qt3d-5.14.2.ebuild | 34 ----
 dev-qt/qtbluetooth/Manifest | 1 -
 dev-qt/qtbluetooth/qtbluetooth-5.14.2-r1.ebuild | 33 ----
 dev-qt/qtcharts/Manifest | 1 -
 dev-qt/qtcharts/qtcharts-5.14.2.ebuild | 29 ----
 dev-qt/qtconcurrent/Manifest | 1 -
 dev-qt/qtconcurrent/qtconcurrent-5.14.2.ebuild | 23 ---
 dev-qt/qtcore/Manifest | 1 -
 .../files/qtcore-5.14.2-QLibrary-deadlock.patch | 106 ------------
 dev-qt/qtcore/qtcore-5.14.2.ebuild | 103 ------------
 dev-qt/qtdatavis3d/Manifest | 1 -
 dev-qt/qtdatavis3d/qtdatavis3d-5.14.2.ebuild | 31 ----
 dev-qt/qtdbus/Manifest | 1 -
 dev-qt/qtdbus/qtdbus-5.14.2.ebuild | 43 -----
 dev-qt/qtdeclarative/Manifest | 1 -
 ....2-QQuickMouseArea-stuck-in-pressed-state.patch | 55 ------
 ...ative-5.14.2-fix-subpixel-positioned-text.patch | 64 -------
 .../qtdeclarative/qtdeclarative-5.14.2-r4.ebuild | 59 -------
 dev-qt/qtdiag/Manifest | 1 -
 dev-qt/qtdiag/qtdiag-5.14.2.ebuild | 36 ----
 dev-qt/qtgamepad/Manifest | 1 -
 dev-qt/qtgamepad/qtgamepad-5.14.2.ebuild | 35 ----
 dev-qt/qtgraphicaleffects/Manifest | 1 -
 .../qtgraphicaleffects-5.14.2.ebuild | 21 ---
 dev-qt/qtgui/Manifest | 1 -
 .../qtgui/files/qtgui-5.14.2-CVE-2020-17507.patch | 39 -----
 dev-qt/qtgui/qtgui-5.14.2-r1.ebuild | 185 ---------------------
 dev-qt/qthelp/Manifest | 1 -
 dev-qt/qthelp/qthelp-5.14.2.ebuild | 29 ----
 dev-qt/qtimageformats/Manifest | 1 -
 dev-qt/qtimageformats/qtimageformats-5.14.2.ebuild | 30 ----
 dev-qt/qtlocation/Manifest | 1 -
 .../files/qtlocation-5.14.2-gcc-10.patch | 36 ----
 dev-qt/qtlocation/qtlocation-5.14.2.ebuild | 49 ------
 dev-qt/qtmultimedia/Manifest | 1 -
 .../qtmultimedia-5.14.2-gstreamer-buffering.patch | 38 -----
 dev-qt/qtmultimedia/qtmultimedia-5.14.2-r1.ebuild | 72 --------
 dev-qt/qtnetwork/Manifest | 1 -
 .../files/qtnetwork-5.14.2-CVE-2020-13962.patch | 172 -------------------
 dev-qt/qtnetwork/qtnetwork-5.14.2-r1.ebuild | 66 --------
 dev-qt/qtnetworkauth/Manifest | 1 -
 dev-qt/qtnetworkauth/qtnetworkauth-5.14.2.ebuild | 20 ---
 dev-qt/qtopengl/Manifest | 1 -
 dev-qt/qtopengl/qtopengl-5.14.2-r1.ebuild | 34 ----
 dev-qt/qtpaths/Manifest | 1 -
 dev-qt/qtpaths/qtpaths-5.14.2.ebuild | 23 ---
 dev-qt/qtplugininfo/Manifest | 1 -
 dev-qt/qtplugininfo/qtplugininfo-5.14.2.ebuild | 23 ---
 dev-qt/qtpositioning/Manifest | 1 -
 dev-qt/qtpositioning/qtpositioning-5.14.2.ebuild | 40 -----
 dev-qt/qtprintsupport/Manifest | 1 -
 dev-qt/qtprintsupport/qtprintsupport-5.14.2.ebuild | 42 -----
 dev-qt/qtquickcontrols/Manifest | 1 -
 .../qtquickcontrols/qtquickcontrols-5.14.2.ebuild | 32 ----
 dev-qt/qtquickcontrols2/Manifest | 1 -
 ...14.2-account-for-scale-before-positioning.patch | 61 -------
 .../qtquickcontrols2-5.14.2-r1.ebuild | 34 ----
 dev-qt/qtscript/Manifest | 1 -
 dev-qt/qtscript/qtscript-5.14.2.ebuild | 36 ----
 dev-qt/qtscxml/Manifest | 1 -
 dev-qt/qtscxml/qtscxml-5.14.2.ebuild | 19 ---
 dev-qt/qtsensors/Manifest | 1 -
 dev-qt/qtsensors/qtsensors-5.14.2.ebuild | 28 ----
 dev-qt/qtserialbus/Manifest | 1 -
 dev-qt/qtserialbus/qtserialbus-5.14.2.ebuild | 20 ---
 dev-qt/qtserialport/Manifest | 1 -
 dev-qt/qtserialport/qtserialport-5.14.2.ebuild | 27 ---
 dev-qt/qtspeech/Manifest | 1 -
 dev-qt/qtspeech/qtspeech-5.14.2.ebuild | 20 ---
 dev-qt/qtsql/Manifest | 1 -
 dev-qt/qtsql/qtsql-5.14.2.ebuild | 55 ------
 dev-qt/qtsvg/Manifest | 1 -
 dev-qt/qtsvg/qtsvg-5.14.2.ebuild | 23 ---
 dev-qt/qttest/Manifest | 1 -
 dev-qt/qttest/qttest-5.14.2.ebuild | 33 ----
 dev-qt/qttranslations/Manifest | 1 -
 dev-qt/qttranslations/qttranslations-5.14.2.ebuild | 19 ---
 dev-qt/qtvirtualkeyboard/Manifest | 1 -
 .../qtvirtualkeyboard-5.14.2.ebuild | 43 -----
 dev-qt/qtwayland/Manifest | 1 -
 dev-qt/qtwayland/qtwayland-5.14.2.ebuild | 45 -----
 dev-qt/qtwebchannel/Manifest | 1 -
 dev-qt/qtwebchannel/qtwebchannel-5.14.2.ebuild | 26 ---
 dev-qt/qtwebengine/Manifest | 1 -
 ...qtwebengine-5.14.1-disable-fatal-warnings.patch | 12 --
 .../files/qtwebengine-5.14.2-gcc-10.patch | 89 ----------
 .../files/qtwebengine-5.14.2-icu67.patch | 169 -------------------
 .../files/qtwebengine-5.15.0-bison-3.7-build.patch | 54 ------
 dev-qt/qtwebengine/qtwebengine-5.14.2.ebuild | 152 -----------------
 dev-qt/qtwebsockets/Manifest | 1 -
 dev-qt/qtwebsockets/qtwebsockets-5.14.2.ebuild | 27 ---
 dev-qt/qtwebview/Manifest | 1 -
 dev-qt/qtwebview/qtwebview-5.14.2.ebuild | 21 ---
 dev-qt/qtwidgets/Manifest | 1 -
 dev-qt/qtwidgets/qtwidgets-5.14.2.ebuild | 57 -------
 dev-qt/qtx11extras/Manifest | 1 -
 dev-qt/qtx11extras/qtx11extras-5.14.2.ebuild | 22 ---
 dev-qt/qtxml/Manifest | 1 -
 dev-qt/qtxml/qtxml-5.14.2.ebuild | 29 ----
 dev-qt/qtxmlpatterns/Manifest | 1 -
 dev-qt/qtxmlpatterns/qtxmlpatterns-5.14.2.ebuild | 30 ----
 122 files changed, 3398 deletions(-)

Cleanup done.

(In reply to Andreas Sturmlechner from comment #23)
> Cleanup done.

Thank you!

Unable to check for sanity:
> no match for package: dev-qt/qtnetwork-5.15.1
Unable to check for sanity:
> no match for package: dev-qt/assistant-5.15.1

This issue was resolved and addressed in GLSA 202101-30 at https://security.gentoo.org/glsa/202101-30 by GLSA coordinator Sam James (sam_c).