Gentoo Websites Logo
Go to: Gentoo Home Documentation Forums Lists Bugs Planet Store Wiki Get Gentoo!
Bug 915465 - <dev-qt/qtwebengine-5.15.11_p20231120: Multiple vulnerabilities
Summary: <dev-qt/qtwebengine-5.15.11_p20231120: Multiple vulnerabilities
Status: RESOLVED FIXED
Alias: None
Product: Gentoo Security
Classification: Unclassified
Component: Vulnerabilities (show other bugs)
Hardware: All Linux
: Normal normal (vote)
Assignee: Gentoo Security
URL:
Whiteboard: A2 [glsa+]
Keywords: PullRequest
Depends on: 913050 qt-5.15.11-stable
Blocks: CVE-2023-4761, CVE-2023-4762, CVE-2023-4763, CVE-2023-4764 CVE-2023-5218, CVE-2023-5473, CVE-2023-5474, CVE-2023-5475, CVE-2023-5476, CVE-2023-5477, CVE-2023-5478, CVE-2023-5479, CVE-2023-5481, CVE-2023-5483, CVE-2023-5484, CVE-2023-5485, CVE-2023-5486, CVE-2023-5487 CVE-2023-5480, CVE-2023-5482, CVE-2023-5849, CVE-2023-5850, CVE-2023-5851, CVE-2023-5852, CVE-2023-5853, CVE-2023-5854, CVE-2023-5855, CVE-2023-5856, CVE-2023-5857, CVE-2023-5858, CVE-2023-5859 CVE-2023-5996 CVE-2023-5997, CVE-2023-6112
  Show dependency tree
 
Reported: 2023-10-09 08:43 UTC by Andreas Sturmlechner
Modified: 2023-12-22 10:53 UTC (History)
1 user (show)

See Also:
Package list:
Runtime testing required: ---

Attachments
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Andreas Sturmlechner gentoo-dev 2023-10-09 08:43:47 UTC 
* [Backport] [PA] Support 16kb pagesize on Linux+ARM6487-based
  * [Backport] Replace uses of re2::StringPiece::set().
  * Fix build with GCC 13
  * Fix errors and warnings for perfetto
  * Remove nodiscard attribute from cpwl_combo_box.h
  * FIXUP: [Backport] CVE-2023-4354: Heap buffer overflow in Skia
  * FIXUP: Disable Windows IME for GPU thread
  * Bump V8_PATCH_LEVEL
  * [Backport] CVE-2023-4762: Type Confusion in V8
  * [Backport] CVE-2023-4362: Heap buffer overflow in Mojom IDL
  * [Backport] CVE-2023-4354: Heap buffer overflow in Skia
  * [Backport] CVE-2023-4351: Use after free in Network
  * Disable Windows IME for GPU thread
  * [Backport] CVE-2023-4863: Heap buffer overflow in WebP
Comment 1 Andreas Sturmlechner gentoo-dev 2023-11-03 11:21:47 UTC 
* [Backport] CVE-2023-5482 and CVE-2023-584987-based
* [Backport] CVE-2023-45853: Buffer overflow in MiniZip (2/2)
* [Backport] CVE-2023-45853: Buffer overflow in MiniZip (1/2)
* [Backport] Security bug 1478470
* [Backport] Security bug 1472365 and 1472366
* [Backport] CVE-2023-5218: Use after free in Site Isolation
* [Backport] Security bug 1486316
* FIXUP: [Backport] [PA] Support 16kb pagesize on Linux+ARM64
Comment 2 Larry the Git Cow gentoo-dev 2023-11-06 18:10:59 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=9ece4c319deb63cf49047133934814290422e0ad

commit 9ece4c319deb63cf49047133934814290422e0ad
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-11-06 10:46:26 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-11-06 18:10:30 +0000

    dev-qt/qtwebengine: drop 5.15.11_p20231019
    
    Bug: https://bugs.gentoo.org/915465
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtwebengine/Manifest                        |   1 -
 .../qtwebengine-5.15.11_p20231019.ebuild           | 270 ---------------------
 2 files changed, 271 deletions(-)
Comment 3 Andreas Sturmlechner gentoo-dev 2023-11-23 11:41:11 UTC 
Bumping to dev-qt/qtwebengine-5.15.11_p20231120 then, fixes:

  * [Backport] CVE-2023-6112: Use after free in Navigation
  * [Backport] CVE-2023-5997: Use after free in Garbage Collection
  * [Backport] CVE-2023-5996: Use after free in WebAudio
Comment 4 Larry the Git Cow gentoo-dev 2023-11-25 16:12:53 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/repo/gentoo.git/commit/?id=6616f0c736292450b52fe503cc1a904e55947ded

commit 6616f0c736292450b52fe503cc1a904e55947ded
Author:     Andreas Sturmlechner <asturm@gentoo.org>
AuthorDate: 2023-11-25 16:11:02 +0000
Commit:     Andreas Sturmlechner <asturm@gentoo.org>
CommitDate: 2023-11-25 16:11:29 +0000

    dev-qt/qtwebengine: Cleanup vulnerable 5.15.11_p20231102
    
    Bug: https://bugs.gentoo.org/915465
    Signed-off-by: Andreas Sturmlechner <asturm@gentoo.org>

 dev-qt/qtwebengine/Manifest                        |   1 -
 .../qtwebengine-5.15.11_p20231102.ebuild           | 283 ---------------------
 2 files changed, 284 deletions(-)
Comment 5 Larry the Git Cow gentoo-dev 2023-12-22 10:51:58 UTC 
The bug has been referenced in the following commit(s):

https://gitweb.gentoo.org/data/glsa.git/commit/?id=33421161add23e707a21bf30329af848c2577694

commit 33421161add23e707a21bf30329af848c2577694
Author:     GLSAMaker <glsamaker@gentoo.org>
AuthorDate: 2023-12-22 10:51:22 +0000
Commit:     Hans de Graaff <graaff@gentoo.org>
CommitDate: 2023-12-22 10:51:49 +0000

    [ GLSA 202312-07 ] QtWebEngine: Multiple Vulnerabilities
    
    Bug: https://bugs.gentoo.org/913050
    Bug: https://bugs.gentoo.org/915465
    Signed-off-by: GLSAMaker <glsamaker@gentoo.org>
    Signed-off-by: Hans de Graaff <graaff@gentoo.org>

 glsa-202312-07.xml | 87 ++++++++++++++++++++++++++++++++++++++++++++++++++++++
 1 file changed, 87 insertions(+)