Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 835761 - <dev-qt/qtwebengine-5.15.3_p20220310: Multiple vulnerabilities...
Summary: <dev-qt/qtwebengine-5.15.3_p20220310: Multiple vulnerabilities...
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal with 1 vote (vote)
Assignee: Gentoo Security
URL:
Whiteboard: B2 [glsa+]
Keywords: PullRequest
Depends on: 829161 qt-5.15.3-stable
Blocks: 836830
  Show dependency tree
 
Reported: 2022-03-21 19:28 UTC by Andreas Sturmlechner
Modified: 2022-08-14 14:41 UTC (History)
2 users (show)

See Also:
Package list:
Runtime testing required: ---


Attachments

Note You need to log in before you can comment on or make changes to this bug.
Comment 1 Andreas Sturmlechner gentoo-dev 2022-04-05 10:58:12 UTC
https://code.qt.io/cgit/qt/qtwebengine.git/commit/?h=5.15&id=f206c05a9dc6c2391b10762b6038f65fdb6818b6

Update Chromium
Submodule src/3rdparty: 48a205f9..ab3a3447:
  > [Backport] CVE-2022-0108: Inappropriate implementation in Navigation
  > [Backport] Dependency for CVE-2022-0108
  > Bump V8_PATCH_LEVEL
  > [Backport] CVE-2022-0111 and CVE-2022-0117 (2/2)
  > [Backport] CVE-2022-0111 and CVE-2022-0117 (1/2)
  > [Backport] Dependency for CVE-2022-0111 and CVE-2022-0117
  > [Backport] CVE-2022-0310 and CVE-0311: Heap buffer overflow in Task Manager
  > [Backport] CVE-2022-23852
  > [Backport] Security bug 1289394
  > [Backport] CVE-2022-0608: Integer overflow in Mojo
  > [Backport] Security bug 1270014
  > [Backport] Security bug 1261415
  > [Backport] CVE-2022-0291: Inappropriate implementation in Storage
  > [Backport] CVE-2022-0293: Use after free in Web packaging
  > [Backport] CVE-2022-0607: Use after free in GPU
  > [Backport] CVE-2022-0610: Inappropriate implementation in Gamepad API
  > [Backport] CVE-2022-0606: Use after free in ANGLE
  > [Backport] Security bug 1292537
  > [Backport] CVE-2022-0609: Use after free in Animation
  > [Backport] Security bug 1265570
  > [Backport] CVE-2022-0116: Inappropriate implementation in Compositing
  > [Backport] Dependency for CVE-2022-0116
  > [Backport] CVE-2022-0102: Type Confusion in V8
  > [Backport] Security bug 1256885
  > [Backport] CVE-2022-0460: Use after free in Window Dialog
  > [Backport] CVE-2022-0459: Use after free in Screen Capture
  > [Backport] CVE-2022-0461: Policy bypass in COOP
  > [Backport] Security bug 1280743
  > [Backport] Security bug 1274113
  > [Backport] CVE-2022-0456: Use after free in Web Search
  > [Backport] CVE-2022-0298: Use after free in Scheduling
  > [Backport] Security bug 1276331
  > [Backport] CVE-2022-0305: Inappropriate implementation in Service Worker API
  > [Backport] CVE-2022-0306: Heap buffer overflow in PDFium
  > [Backport] CVE-2022-0289: Use after free in Safe browsing
  > [Backport] CVE-2022-0100: Heap buffer overflow in Media streams API
  > [Backport] CVE-2022-0113: Inappropriate implementation in Blink
  > [Backport] Security bug 1258603
  > [Backport] Security bug 1259557
  > [Backport] CVE-2022-0103: Use after free in SwiftShader
  > [Backport] CVE-2022-0109: Inappropriate implementation in Autofill (2/2)
  > [Backport] CVE-2022-0109: Inappropriate implementation in Autofill (1/2)
  > [Backport] CVE-2022-0104: Heap buffer overflow in ANGLE
  > [Backport] Security bug 1268448
  > Replace base::ranges::set_union with std::set_union to fix MSVC2017 build
Comment 2 Larry the Git Cow gentoo-dev 2022-04-17 19:29:22 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=bcd3f4c1d0d989c0858270e2f4bf3a83f6da9fc7

commit bcd3f4c1d0d989c0858270e2f4bf3a83f6da9fc7
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2022-04-15 21:36:17 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-04-17 19:27:34 +0000

    dev-qt/qtwebengine: Cleanup vulnerable 5.15.2_p20211216
    
    Bug: https://bugs.gentoo.org/836830
    Bug: https://bugs.gentoo.org/835761
    Package-Manager: Portage-3.0.30, Repoman-3.0.3
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 dev-qt/qtwebengine/Manifest                        |   1 -
 ...ngine-5.15.2_p20211210-sandbox-glibc-2.34.patch |  27 ---
 .../qtwebengine-5.15.2_p20211216.ebuild            | 266 ---------------------
 3 files changed, 294 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2022-04-17 19:39:57 UTC
Cleanup done. Thx @sam.
Comment 4 John Helmert III archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 04:59:04 UTC
GLSA request filed
Comment 5 Larry the Git Cow gentoo-dev 2022-08-14 14:34:19 UTC
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=3212eacb7aa1bccb5bf765cd0a4fb91d206ad2c5

commit 3212eacb7aa1bccb5bf765cd0a4fb91d206ad2c5
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2022-08-14 14:29:30 +0000
Commit:     Sam James <sam@gentoo.org>
CommitDate: 2022-08-14 14:33:57 +0000

    [ GLSA 202208-25 ] Chromium, Google Chrome, Microsoft Edge, QtWebEngine: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/773040
    Bug: https://bugs.gentoo.org/787950
    Bug: https://bugs.gentoo.org/800181
    Bug: https://bugs.gentoo.org/810781
    Bug: https://bugs.gentoo.org/815397
    Bug: https://bugs.gentoo.org/828519
    Bug: https://bugs.gentoo.org/829161
    Bug: https://bugs.gentoo.org/834477
    Bug: https://bugs.gentoo.org/835397
    Bug: https://bugs.gentoo.org/835761
    Bug: https://bugs.gentoo.org/836011
    Bug: https://bugs.gentoo.org/836381
    Bug: https://bugs.gentoo.org/836777
    Bug: https://bugs.gentoo.org/836830
    Bug: https://bugs.gentoo.org/837497
    Bug: https://bugs.gentoo.org/838049
    Bug: https://bugs.gentoo.org/838433
    Bug: https://bugs.gentoo.org/838682
    Bug: https://bugs.gentoo.org/841371
    Bug: https://bugs.gentoo.org/843035
    Bug: https://bugs.gentoo.org/843728
    Bug: https://bugs.gentoo.org/847370
    Bug: https://bugs.gentoo.org/847613
    Bug: https://bugs.gentoo.org/848864
    Bug: https://bugs.gentoo.org/851003
    Bug: https://bugs.gentoo.org/851009
    Bug: https://bugs.gentoo.org/853229
    Bug: https://bugs.gentoo.org/853643
    Bug: https://bugs.gentoo.org/854372
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Sam James <sam@gentoo.org>

 glsa-202208-25.xml | 284 +++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 284 insertions(+)
Comment 6 Sam James archtester Gentoo Infrastructure gentoo-dev Security 2022-08-14 14:37:49 UTC
GLSA done, all done.