Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 699328 - <dev-qt/qtwebengine-5.14.1: use-after-free in audio (CVE-2019-13720)
Summary: <dev-qt/qtwebengine-5.14.1: use-after-free in audio (CVE-2019-13720)
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+ cve]
Keywords: STABLEREQ
: 701860 (view as bug list)
Depends on: 695446 703306 703594 704918 705198 705232 707056 708666 708812 708814 708816 708818 frameworks-5.67-stable kde-apps-19.12.3-stable 709540 711476
Blocks: CVE-2019-13720
  Show dependency tree
 
Reported: 2019-11-04 20:22 UTC by GLSAMaker/CVETool Bot
Modified: 2020-05-21 22:59 UTC (History)
4 users (show)

See Also:
Package list:
dev-qt/assistant-5.14.1 amd64 arm64 ppc64 x86 dev-qt/designer-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/linguist-5.14.1 amd64 arm64 ppc64 x86 dev-qt/linguist-tools-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/pixeltool-5.14.1 amd64 arm64 ppc64 x86 dev-qt/qdbus-5.14.1 amd64 arm64 ppc ppc64 x86 dev-qt/qdbusviewer-5.14.1 amd64 arm64 ppc64 x86 dev-qt/qdoc-5.14.1 amd64 arm64 x86 dev-qt/qt3d-5.14.1-r1 amd64 arm64 x86 dev-qt/qtbluetooth-5.14.1 amd64 arm arm64 x86 dev-qt/qtconcurrent-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtcore-5.14.1-r1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtdatavis3d-5.14.1-r1 amd64 arm64 x86 dev-qt/qtdbus-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtdeclarative-5.14.1-r2 amd64 arm arm64 ppc ppc64 x86 dev-qt/qt-docs-5.14.1_p202001241012 amd64 arm64 x86 dev-qt/qtgamepad-5.14.1 amd64 arm64 x86 dev-qt/qtgraphicaleffects-5.14.1 amd64 arm64 ppc ppc64 x86 dev-qt/qtgui-5.14.1-r4 amd64 arm arm64 ppc ppc64 x86 dev-qt/qthelp-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtimageformats-5.14.1 amd64 arm64 ppc64 x86 dev-qt/qtlocation-5.14.1 amd64 arm arm64 x86 dev-qt/qtmultimedia-5.14.1-r1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtnetwork-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtnetworkauth-5.14.1 amd64 arm64 x86 dev-qt/qtopengl-5.14.1-r1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtpaths-5.14.1 amd64 arm64 ppc ppc64 x86 dev-qt/qtpositioning-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtprintsupport-5.14.1-r1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtquickcontrols2-5.14.1 amd64 arm64 x86 dev-qt/qtquickcontrols-5.14.1 amd64 arm64 ppc ppc64 x86 dev-qt/qtscript-5.14.1 amd64 arm64 ppc ppc64 x86 dev-qt/qtscxml-5.14.1 amd64 arm64 x86 dev-qt/qtsensors-5.14.1 amd64 arm arm64 ppc64 x86 dev-qt/qtserialport-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtspeech-5.14.1 amd64 arm64 x86 dev-qt/qtsql-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtsvg-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qttest-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qttranslations-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtvirtualkeyboard-5.14.1 amd64 arm64 x86 dev-qt/qtwayland-5.14.1-r3 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtwebchannel-5.14.1 amd64 arm arm64 ppc64 x86 dev-qt/qtwebengine-5.14.1 amd64 arm64 x86 dev-qt/qtwebsockets-5.14.1 amd64 arm arm64 ppc64 x86 dev-qt/qtwidgets-5.14.1-r1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtx11extras-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtxml-5.14.1 amd64 arm arm64 ppc ppc64 x86 dev-qt/qtxmlpatterns-5.14.1 amd64 arm arm64 ppc ppc64 x86
Runtime testing required: ---
nattka: sanity-check+

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description GLSAMaker/CVETool Bot gentoo-dev 2019-11-04 20:22:43 UTC 
CVE-2019-13720 (https://nvd.nist.gov/vuln/detail/CVE-2019-13720):
  ** RESERVED ** This candidate has been reserved by an organization or
  individual that will use it when announcing a new security problem. When the
  candidate has been publicized, the details for this candidate will be
  provided.
Comment 2 Andreas Sturmlechner gentoo-dev 2020-02-09 13:18:10 UTC 
*** Bug 701860 has been marked as a duplicate of this bug. ***
Comment 3 Andreas Sturmlechner gentoo-dev 2020-02-26 22:50:54 UTC 
Let's add a stable list then.
Comment 4 Frank Krömmelbein 2020-03-04 09:14:41 UTC 
This issue occured in my tatt test run:
Bug 711476 - dev-qt/qtwayland-5.14.1-r1: qwaylanddisplay_p.h:69:10: fatal error: QtXkbCommonSupport/private/qxkbcommon_p.h: No such file or directory
The problem only occurs only when the useflag libinput, which is forced by ISUE in ebuild, is switched off by user.

I did not test qtwebengine with tatt, because every emerge with useflag +jumbo-build takes almost 2.5 hours on this machine and with -jumbo-build more than 4.5 hours. And I don't want to let the PC run for 2 to 3 days at ~ 100% CPU load.

I have ignored the following useflags: +systemd, -vulkan, -widgets, -X, -cups, -egl, -accessibility, -gif, -qml, -gstreamer, -scripttools, -ssl, -sqlite, -mysql, -png, -qml
Since allmost all of these useflags are forced by the Desktop/Plasma profile, or are required by other already installed packages.
Comment 5 Andreas Sturmlechner gentoo-dev 2020-03-18 21:59:23 UTC 
Bumping to dev-qt/qtwayland-5.14.1-r2.
Comment 6 Andreas Sturmlechner gentoo-dev 2020-03-18 23:50:00 UTC 
Arches please stabilise!
Comment 7 Agostino Sarubbo gentoo-dev 2020-03-19 10:12:17 UTC 
ppc stable
Comment 8 Agostino Sarubbo gentoo-dev 2020-03-19 10:14:56 UTC 
ppc64 stable
Comment 9 Agostino Sarubbo gentoo-dev 2020-03-19 12:46:17 UTC 
amd64 stable
Comment 10 Agostino Sarubbo gentoo-dev 2020-03-19 13:16:01 UTC 
x86 stable
Comment 11 Mart Raudsepp gentoo-dev 2020-03-28 10:46:53 UTC 
arm64 stable
Comment 12 Larry the Git Cow gentoo-dev 2020-03-28 11:41:13 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=410485e1760ed0e99c964f9fe853164d6b0f2c51

commit 410485e1760ed0e99c964f9fe853164d6b0f2c51
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-03-28 11:31:24 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-03-28 11:41:00 +0000

    dev-qt: Security cleanup Qt 5.13.2 all KEYWORDS except for arm/~arm
    
    Drop all packages ending up without KEYWORDS.
    
    Bug: https://bugs.gentoo.org/699328
    Package-Manager: Portage-2.3.96, Repoman-2.3.22
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/assistant/assistant-5.13.2.ebuild           |  4 +--
 dev-qt/designer/designer-5.13.2.ebuild             |  2 +-
 dev-qt/linguist-tools/linguist-tools-5.13.2.ebuild |  2 +-
 dev-qt/linguist/linguist-5.13.2.ebuild             |  4 +--
 dev-qt/pixeltool/pixeltool-5.13.2.ebuild           |  4 +--
 dev-qt/qdbus/qdbus-5.13.2.ebuild                   |  2 +-
 dev-qt/qdbusviewer/qdbusviewer-5.13.2.ebuild       |  4 +--
 dev-qt/qdoc/qdoc-5.13.2.ebuild                     |  4 +--
 dev-qt/qt-docs/qt-docs-5.13.2_p201910220817.ebuild |  4 +--
 dev-qt/qt3d/Manifest                               |  1 -
 dev-qt/qt3d/qt3d-5.13.2.ebuild                     | 34 ------------------
 dev-qt/qtbluetooth/qtbluetooth-5.13.2.ebuild       |  2 +-
 dev-qt/qtcharts/Manifest                           |  1 -
 dev-qt/qtcharts/qtcharts-5.13.2.ebuild             | 29 ---------------
 dev-qt/qtconcurrent/qtconcurrent-5.13.2.ebuild     |  2 +-
 dev-qt/qtcore/qtcore-5.13.2-r2.ebuild              |  2 +-
 dev-qt/qtdatavis3d/Manifest                        |  1 -
 dev-qt/qtdatavis3d/qtdatavis3d-5.13.2.ebuild       | 31 ----------------
 dev-qt/qtdbus/qtdbus-5.13.2.ebuild                 |  2 +-
 .../qtdeclarative/qtdeclarative-5.13.2-r1.ebuild   |  2 +-
 dev-qt/qtdiag/qtdiag-5.13.2.ebuild                 |  4 +--
 dev-qt/qtgamepad/Manifest                          |  1 -
 dev-qt/qtgamepad/qtgamepad-5.13.2.ebuild           | 35 ------------------
 .../qtgraphicaleffects-5.13.2.ebuild               |  2 +-
 dev-qt/qtgui/qtgui-5.13.2.ebuild                   |  2 +-
 dev-qt/qthelp/qthelp-5.13.2.ebuild                 |  2 +-
 dev-qt/qtimageformats/qtimageformats-5.13.2.ebuild |  4 +--
 dev-qt/qtlocation/qtlocation-5.13.2.ebuild         |  2 +-
 dev-qt/qtmultimedia/qtmultimedia-5.13.2-r1.ebuild  |  2 +-
 dev-qt/qtnetwork/qtnetwork-5.13.2.ebuild           |  2 +-
 dev-qt/qtnetworkauth/Manifest                      |  1 -
 dev-qt/qtnetworkauth/qtnetworkauth-5.13.2.ebuild   | 20 -----------
 dev-qt/qtopengl/qtopengl-5.13.2.ebuild             |  2 +-
 dev-qt/qtpaths/qtpaths-5.13.2.ebuild               |  2 +-
 dev-qt/qtplugininfo/Manifest                       |  1 -
 dev-qt/qtplugininfo/qtplugininfo-5.13.2.ebuild     | 23 ------------
 dev-qt/qtpositioning/qtpositioning-5.13.2.ebuild   |  2 +-
 .../qtprintsupport/qtprintsupport-5.13.2-r1.ebuild |  2 +-
 dev-qt/qtprintsupport/qtprintsupport-5.13.2.ebuild | 42 ----------------------
 .../qtquickcontrols/qtquickcontrols-5.13.2.ebuild  |  2 +-
 .../qtquickcontrols2-5.13.2.ebuild                 |  4 +--
 dev-qt/qtscript/qtscript-5.13.2.ebuild             |  2 +-
 dev-qt/qtscxml/Manifest                            |  1 -
 dev-qt/qtscxml/qtscxml-5.13.2.ebuild               | 19 ----------
 dev-qt/qtsensors/qtsensors-5.13.2.ebuild           |  2 +-
 dev-qt/qtserialbus/Manifest                        |  1 -
 dev-qt/qtserialbus/qtserialbus-5.13.2.ebuild       | 20 -----------
 dev-qt/qtserialport/qtserialport-5.13.2.ebuild     |  2 +-
 dev-qt/qtspeech/qtspeech-5.13.2.ebuild             |  4 +--
 dev-qt/qtsql/qtsql-5.13.2.ebuild                   |  2 +-
 dev-qt/qtsvg/qtsvg-5.13.2.ebuild                   |  2 +-
 dev-qt/qttest/qttest-5.13.2.ebuild                 |  2 +-
 dev-qt/qttranslations/qttranslations-5.13.2.ebuild |  2 +-
 .../qtvirtualkeyboard-5.13.2.ebuild                |  4 +--
 dev-qt/qtwayland/qtwayland-5.13.2-r1.ebuild        |  2 +-
 dev-qt/qtwebchannel/qtwebchannel-5.13.2.ebuild     |  2 +-
 dev-qt/qtwebengine/qtwebengine-5.13.2.ebuild       |  2 +-
 dev-qt/qtwebsockets/qtwebsockets-5.13.2.ebuild     |  2 +-
 dev-qt/qtwebview/Manifest                          |  1 -
 dev-qt/qtwebview/qtwebview-5.13.2.ebuild           | 21 -----------
 dev-qt/qtwidgets/qtwidgets-5.13.2.ebuild           |  2 +-
 dev-qt/qtx11extras/qtx11extras-5.13.2.ebuild       |  2 +-
 dev-qt/qtxml/qtxml-5.13.2.ebuild                   |  2 +-
 dev-qt/qtxmlpatterns/qtxmlpatterns-5.13.2.ebuild   |  2 +-
 64 files changed, 56 insertions(+), 339 deletions(-)
Comment 13 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 17:38:39 UTC 
Waiting on arm to cleanup 5.13.2, it seems.
Comment 14 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-03-28 17:48:18 UTC 
(In reply to Sam James (sam_c) (security padawan) from comment #13)
> Waiting on arm to cleanup 5.13.2, it seems.

Oops. p.g.o was out of date, combined with me misreading the version removed. Thanks for pointing this out on IRC, asturm.

Cleanup is done. Waiting on arm to stabilise 5.14.x (arm currently has no stable version).
Comment 15 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-01 19:56:25 UTC 
New GLSA request filed.
Comment 16 GLSAMaker/CVETool Bot gentoo-dev 2020-04-01 20:06:01 UTC 
This issue was resolved and addressed in
 GLSA 202004-04 at https://security.gentoo.org/glsa/202004-04
by GLSA coordinator Thomas Deutschmann (whissi).
Comment 17 Thomas Deutschmann (RETIRED) gentoo-dev 2020-04-01 20:06:34 UTC 
Re-opening for remaining architecture.
Comment 18 NATTkA bot gentoo-dev 2020-04-11 06:14:22 UTC 
Resetting sanity check; keywords are not fully specified and arches are not CC-ed.
Comment 19 Larry the Git Cow gentoo-dev 2020-04-26 18:11:55 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9fb143d71dcdcdf31abc464f9b767eae39c98734

commit 9fb143d71dcdcdf31abc464f9b767eae39c98734
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2020-04-26 13:37:12 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2020-04-26 18:11:27 +0000

    dev-qt/qtwebengine: Drop vulnerable 5.13.2
    
    Effectively dropping package without revdeps back to ~arm.
    
    Bug: https://bugs.gentoo.org/713900
    Bug: https://bugs.gentoo.org/699328
    Package-Manager: Portage-2.3.99, Repoman-2.3.22
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtwebengine/Manifest                        |   1 -
 .../files/qtwebengine-5.12.5-icu-65.patch          |  33 ------
 dev-qt/qtwebengine/qtwebengine-5.13.2.ebuild       | 126 ---------------------
 3 files changed, 160 deletions(-)
Comment 20 Andreas Sturmlechner gentoo-dev 2020-04-26 18:15:09 UTC 
dev-qt/qtwebengine was dropped back to ~arm.
Comment 21 Andreas Sturmlechner gentoo-dev 2020-05-07 08:44:05 UTC 
With Qt 5.14.2 stabilisation around the corner in bug 719732, arm need no longer waste time on this.
Comment 22 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2020-05-21 22:59:01 UTC 
So, tree looks clean. Closing.