
Bug 815397

Summary: <dev-qt/qtwebengine-5.15.2_p20211019: Multiple vulnerabilities
Product: Gentoo Security
Reporter: Joe Kappus <joe>
Component: Vulnerabilities
Assignee: Gentoo Security <security>
Status: RESOLVED FIXED
Severity: normal
CC: sam, voron1
Priority: Normal
Version: unspecified
Hardware: All
OS: Linux
Whiteboard: A2 [glsa+]
Package list:
Runtime testing required: ---
Bug Depends on: 810781, 820893
Bug Blocks: 829161

Description Joe Kappus 2021-09-29 21:49:51 UTC
While having a dumb conversation in #gentoo-chat I noticed upstream has updated to include a bunch of patched CVEs. Sam asked me to file this.

Trees below:
https://code.qt.io/cgit/qt/qtwebengine.git/log/?h=5.15
https://code.qt.io/cgit/qt/qtwebengine-chromium.git/log/?h=87-based



Reproducible: Always

Steps to Reproduce:
1. Go on #gentoo-cafe
2. Have a dumb conversation
3. Get handed some work.
Actual Results:  
I'm filing a bug now

Expected Results:  
Package will get bumped. 

Today is national coffee day.
Comment 1 Andreas Sturmlechner gentoo-dev 2021-10-20 16:43:13 UTC
We could have such a bug about dev-qt/qtwebengine open permanently.
Comment 2 Larry the Git Cow gentoo-dev 2021-10-20 16:43:57 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=b3ab484a8786b3c9be656759cd7118e95ca52b76

commit b3ab484a8786b3c9be656759cd7118e95ca52b76
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-10-20 13:07:48 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-10-20 16:43:27 +0000

    dev-qt/qtwebengine: 5.15.2_p20211019 snapshot bump for testing
    
    Snapshotted at:
    Branch: 5.15
    Commit: 03b3df668088d0750af6a59410ee4d0d00ba88ae
    
    Submodule qtwebengine-chromium.git:
    Branch: 87-based
    Commit: 8c0a9b4459f5200a24ab9e687a3fb32e975382e5
    
    Fixes build on arm64.
    
    Bug: https://bugs.gentoo.org/815397
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtwebengine/Manifest                        |   1 +
 .../qtwebengine-5.15.2_p20211019.ebuild            | 227 +++++++++++++++++++++
 2 files changed, 228 insertions(+)
Comment 3 Andreas Sturmlechner gentoo-dev 2021-10-20 16:46:08 UTC
New version has patchlevel 94.0.4606.61 effectively.

@sam, feel free to file a stabilisation bug whenever you think it is ready.
Comment 4 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2021-10-31 00:33:43 UTC
(In reply to Andreas Sturmlechner from comment #3)
> New version has patchlevel 94.0.4606.61 effectively.
> 
> @sam, feel free to file a stabilisation bug whenever you think it is ready.

Thanks. I'm happy other than bug 813957.
Comment 5 Larry the Git Cow gentoo-dev 2021-11-14 19:53:25 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=476a64a83f7929a4d83fe02e0f10c39557440eea

commit 476a64a83f7929a4d83fe02e0f10c39557440eea
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2021-11-14 19:40:43 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2021-11-14 19:53:01 +0000

    dev-qt/qtwebengine: Cleanup vulnerable 5.15.2_p20210824-r1
    
    Bug: https://bugs.gentoo.org/815397
    Package-Manager: Portage-3.0.28, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtwebengine/Manifest                        |   2 -
 .../qtwebengine-5.15.2_p20210406-glibc-2.33.patch  | 141 ------------
 ...qtwebengine-5.15.2_p20210521-clang-libc++.patch |  10 -
 .../files/qtwebengine-5.15.2_p20210521-gcc11.patch |  74 -------
 ...webengine-5.15.2_p20210824-harfbuzz-3.0.0.patch |  32 ---
 .../qtwebengine-5.15.2_p20210824-r1.ebuild         | 237 ---------------------
 6 files changed, 496 deletions(-)
Comment 6 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:59:03 UTC
GLSA request filed
Comment 7 Larry the Git Cow gentoo-dev 2022-08-14 14:34:02 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3212eacb7aa1bccb5bf765cd0a4fb91d206ad2c5

commit 3212eacb7aa1bccb5bf765cd0a4fb91d206ad2c5
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:29:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-25 ] Chromium, Google Chrome, Microsoft Edge, QtWebEngine: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/773040
    Bug: https://bugs.gentoo.org/787950
    Bug: https://bugs.gentoo.org/800181
    Bug: https://bugs.gentoo.org/810781
    Bug: https://bugs.gentoo.org/815397
    Bug: https://bugs.gentoo.org/828519
    Bug: https://bugs.gentoo.org/829161
    Bug: https://bugs.gentoo.org/834477
    Bug: https://bugs.gentoo.org/835397
    Bug: https://bugs.gentoo.org/835761
    Bug: https://bugs.gentoo.org/836011
    Bug: https://bugs.gentoo.org/836381
    Bug: https://bugs.gentoo.org/836777
    Bug: https://bugs.gentoo.org/836830
    Bug: https://bugs.gentoo.org/837497
    Bug: https://bugs.gentoo.org/838049
    Bug: https://bugs.gentoo.org/838433
    Bug: https://bugs.gentoo.org/838682
    Bug: https://bugs.gentoo.org/841371
    Bug: https://bugs.gentoo.org/843035
    Bug: https://bugs.gentoo.org/843728
    Bug: https://bugs.gentoo.org/847370
    Bug: https://bugs.gentoo.org/847613
    Bug: https://bugs.gentoo.org/848864
    Bug: https://bugs.gentoo.org/851003
    Bug: https://bugs.gentoo.org/851009
    Bug: https://bugs.gentoo.org/853229
    Bug: https://bugs.gentoo.org/853643
    Bug: https://bugs.gentoo.org/854372
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-25.xml | 284 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 284 insertions(+)
Comment 8 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 14:34:48 UTC
GLSA done, all done.