Bug 544334 - dev-qt/qtwebkit: QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode
Status: RESOLVED OBSOLETE
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities
Hardware: All Linux
Importance: Normal trivial
Assignee: Gentoo Security
URL: https://bugzilla.redhat.com/show_bug....
Whiteboard: ~3 [ebuild+]
Keywords:
Depends on: qtwebkit4-removal
Blocks:
Reported: 2015-03-24 13:28 UTC by Agostino Sarubbo
Modified: 2018-01-13 00:40 UTC (History)

See Also:
Package list:
Runtime testing required: ---


Description Agostino Sarubbo gentoo-dev 2015-03-24 13:28:58 UTC
From ${URL} :

QtWebKit upstream are reviewing a patch that prevents it recording visited URLs to its favicon database (WebpageIcons.db) while using private browsing mode:

- https://codereview.qt-project.org/#/c/108936/


@maintainer(s): since the package or the affected version has never been marked as stable, we don't need to stabilize it. After the bump, please remove the affected versions from the tree.
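A quick way to check an existing profile for this leak, added here as an example and not part of the bug report, the Fedora patch or QtWebKit itself: WebpageIcons.db is a SQLite file, so the page URLs it has recorded can be listed directly. The table layout (PageURL, IconInfo, IconData, IconDatabaseInfo) is assumed from WebKit's IconDatabase and the sample rows are constructed; confirm the schema on a real file with `.schema` in the sqlite3 shell before relying on the query.

```python
"""Audit a WebKit/QtWebKit favicon database (WebpageIcons.db) for recorded page URLs.

Added example, not code from the Gentoo bug or from QtWebKit. The schema below is an
assumption modelled on WebKit's IconDatabase and is used only to build a sample
database offline; the sample rows are constructed.
"""
import sqlite3
from urllib.parse import urlsplit

# Assumed table layout (verify with `.schema` in the sqlite3 shell on a real file).
ICON_DB_SCHEMA = """
CREATE TABLE IconDatabaseInfo (key TEXT NOT NULL UNIQUE ON CONFLICT REPLACE,
                               value TEXT NOT NULL);
CREATE TABLE PageURL  (url TEXT NOT NULL UNIQUE ON CONFLICT REPLACE,
                       iconID INTEGER NOT NULL);
CREATE TABLE IconInfo (iconID INTEGER PRIMARY KEY AUTOINCREMENT,
                       url TEXT NOT NULL UNIQUE, stamp INTEGER);
CREATE TABLE IconData (iconID INTEGER PRIMARY KEY AUTOINCREMENT, data BLOB);
"""


def open_icon_db_readonly(path):
    """Open an on-disk WebpageIcons.db without modifying it.
    Work on a copy: a running browser may hold the original locked."""
    return sqlite3.connect(f"file:{path}?mode=ro", uri=True)


def recorded_page_urls(conn):
    """Every page URL the icon database has associated with a favicon, with the
    icon URL and its timestamp. In an unpatched QtWebKit this list also contains
    pages visited in private browsing mode."""
    rows = conn.execute(
        "SELECT p.url, i.url, i.stamp FROM PageURL p "
        "LEFT JOIN IconInfo i ON i.iconID = p.iconID ORDER BY p.url"
    ).fetchall()
    return [(page, icon, stamp) for page, icon, stamp in rows]


def private_session_leaks(conn, private_hosts):
    """Page URLs in the database whose host was visited only in a private session.
    `private_hosts` comes from the tester, who knows which sites were visited."""
    wanted = {h.lower() for h in private_hosts}
    return sorted(
        page for page, _icon, _stamp in recorded_page_urls(conn)
        if (urlsplit(page).hostname or "").lower() in wanted
    )


def build_sample_db():
    """Constructed sample: what an unpatched build leaves behind after a normal
    visit to example.com and a private-mode visit to private.example.org.
    The 'Version' value is a placeholder, not taken from a real file."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(ICON_DB_SCHEMA)
    conn.execute("INSERT INTO IconDatabaseInfo VALUES ('Version', '6')")
    conn.executemany(
        "INSERT INTO IconInfo (iconID, url, stamp) VALUES (?, ?, ?)",
        [
            (1, "http://example.com/favicon.ico", 1427200000),
            (2, "https://private.example.org/favicon.ico", 1427200100),
        ],
    )
    conn.executemany(
        "INSERT INTO PageURL (url, iconID) VALUES (?, ?)",
        [
            ("http://example.com/", 1),
            ("https://private.example.org/account/settings", 2),
            ("https://private.example.org/messages?id=42", 2),
        ],
    )
    conn.commit()
    return conn


if __name__ == "__main__":
    db = build_sample_db()
    for page, icon, stamp in recorded_page_urls(db):
        print(f"{page}  <-  {icon}  (stamp {stamp})")
    print("leaked from private session:",
          private_session_leaks(db, ["private.example.org"]))
```

To test a real build, copy WebpageIcons.db out of the browser's data directory after a private-browsing session, open it with open_icon_db_readonly and run recorded_page_urls: any URL from that session in the output means the build lacks the fix. Note that the query shows full URLs including path and query string, which is exactly why this database is a privacy problem.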
Comment 1 Michael Palimaka (kensington) gentoo-dev 2015-10-09 16:17:17 UTC
The fix is part of 5.4.2 which is stable in-tree, but apparently affects qtwebkit:4 too.
Comment 2 Davide Pesavento gentoo-dev 2015-10-09 16:22:02 UTC
Fedora has a patch [1] against qtwebkit23, i.e. our qtwebkit-4.10.4

[1] http://pkgs.fedoraproject.org/cgit/qtwebkit.git/plain/webkit-qtwebkit-23-private_browsing.patch
Comment 3 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-31 08:15:34 UTC
Per upstream commit this is included in the 5.4 branch which is currently stable in the tree.

@maintainers, I imagine the 4.8.x branch will be around for awhile.  Is it feasible to include the referenced patch on all 4.8.x stable versions?
Comment 4 Michael Palimaka (kensington) gentoo-dev 2016-03-31 11:18:58 UTC
(In reply to Aaron Bauman from comment #3)
> @maintainers, I imagine the 4.8.x branch will be around for awhile.  Is it
> feasible to include the referenced patch on all 4.8.x stable versions?

Fedora's patch is against qtwebkit-4.10.4, which is in-tree but hard-masked and will require a lot of integration work to be usable. 

The file being patched doesn't even exist in qtwebkit-4.8.x so it will need investigation whether it's possible to port or not.

Considering that Qt 4 is EOL and how behind qtwebkit in general is, I wonder if it's time to start investigating revdeps and avoid usage where possible.
Comment 5 Davide Pesavento gentoo-dev 2016-03-31 17:30:32 UTC
(In reply to Michael Palimaka (kensington) from comment #4)
> Considering that Qt 4 is EOL and how behind qtwebkit in general is, I wonder
> if it's time to start investigating revdeps and avoid usage where possible.

I concur. I don't even want to think about how many security issues affect qtwebkit-4.8.x at this point...
Comment 6 Aaron Bauman Gentoo Infrastructure gentoo-dev Security 2016-03-31 22:59:17 UTC
(In reply to Michael Palimaka (kensington) from comment #4)
> (In reply to Aaron Bauman from comment #3)
> > @maintainers, I imagine the 4.8.x branch will be around for awhile.  Is it
> > feasible to include the referenced patch on all 4.8.x stable versions?
> 
> Fedora's patch is against qtwebkit-4.10.4, which is in-tree but hard-masked
> and will require a lot of integration work to be usable. 
> 
> The file being patched doesn't even exist in qtwebkit-4.8.x so it will
> need investigation whether it's possible to port or not.
> 
> Considering that Qt 4 is EOL and how behind qtwebkit in general is, I wonder
> if it's time to start investigating revdeps and avoid usage where possible.

That looks to me like the issue has been mitigated than concerning 4.10.4.  I cannot find anywhere (CVEs, OSS, etc) confirming that 4.8.x contains the same vulnerability.  As you mentioned, the source file does not even exist so that rules out finding the same code.  Would you like to keep this bug open for any other tracking issues?
Comment 7 Michael Palimaka (kensington) gentoo-dev 2016-04-01 06:07:46 UTC
(In reply to Aaron Bauman from comment #6)
> (In reply to Michael Palimaka (kensington) from comment #4)
> > (In reply to Aaron Bauman from comment #3)
> > > @maintainers, I imagine the 4.8.x branch will be around for awhile.  Is it
> > > feasible to include the referenced patch on all 4.8.x stable versions?
> > 
> > Fedora's patch is against qtwebkit-4.10.4, which is in-tree but hard-masked
> > and will require a lot of integration work to be usable. 
> > 
> > The file being patched doesn't even exist in qtwebkit-4.8.x so it will
> > need investigation whether it's possible to port or not.
> > 
> > Considering that Qt 4 is EOL and how behind qtwebkit in general is, I wonder
> > if it's time to start investigating revdeps and avoid usage where possible.
> 
> That looks to me like the issue has been mitigated than concerning 4.10.4. 
> I cannot find anywhere (CVEs, OSS, etc) confirming that 4.8.x contains the
> same vulnerability.  As you mentioned, the source file does not even exist
> so that rules out finding the same code.  Would you like to keep this bug
> open for any other tracking issues?

While the source file does not exist, the code referenced in the patch does appear in another file. I can't say for certain whether it's really affected or not.
Comment 8 Davide Pesavento gentoo-dev 2018-01-13 00:40:28 UTC
qtwebkit:4 has been treecleaned.