[packages/qt5-qtwebengine] up to 5.15.5 (multitude of security fixes)
atler
atler at pld-linux.org
Fri Aug 13 19:48:50 CEST 2021
commit 3b5e88b8a2a79b660404823ff3f12501f15895c9
Author: Jan Palus <atler at pld-linux.org>
Date: Fri Aug 13 19:27:21 2021 +0200
up to 5.15.5 (multitude of security fixes)
note: this is an unofficial release -- after 5.15.2 Qt no longer makes
open source 5.15 releases but code is still available in Git. this
upgrade consists of git extract of tag v5.15.5-lts from
https://code.qt.io/cgit/qt/qtwebengine.git/
along with rev d2679df (87-based branch) from:
https://code.qt.io/cgit/qt/qtwebengine-chromium.git/
additional fixes thanks to fedora:
- remaing 'TRUE' replaced (no longer defined by icu)
- syncqt.pl invocation to fix build errors related to missing header
<QtWebEngineCore/qtwebenginecoreglobal.h>
- font rendering issue with glibc 2.33
- gold preference -- bfd got insane when it comes to opened file
descriptors (4096 is not enough to build qtwebengine and qtwenengine
itself enforces no more than 4096 opened descriptors limiting it even
if user's limit is higher)
glibc-2.33.patch | 141 +++++++++++++++++++++++++++++++++++++++++++++++++++
icu.patch | 12 +++++
qt5-qtwebengine.spec | 20 +++++---
3 files changed, 167 insertions(+), 6 deletions(-)
---
diff --git a/qt5-qtwebengine.spec b/qt5-qtwebengine.spec
index bdc5c60..2d44dd3 100644
--- a/qt5-qtwebengine.spec
+++ b/qt5-qtwebengine.spec
@@ -13,14 +13,16 @@
Summary: The Qt5 WebEngine library
Summary(pl.UTF-8): Biblioteka Qt5 WebEngine
Name: qt5-%{orgname}
-Version: 5.15.2
-Release: 3
+Version: 5.15.5
+Release: 1
License: LGPL v3 or GPL v2 or GPL v3 or commercial
Group: X11/Libraries
-Source0: http://download.qt.io/official_releases/qt/5.15/%{version}/submodules/%{orgname}-everywhere-src-%{version}.tar.xz
-# Source0-md5: c88cbe3158feb20c4feb3d54262feb23
+Source0: qtwebengine-%{version}.tar.xz
+# Source0-md5: ef8a67c66f2e59d349c3590a3ef41615
Patch0: x32.patch
Patch1: %{name}-gn-dynamic.patch
+Patch2: icu.patch
+Patch3: glibc-2.33.patch
URL: https://www.qt.io/
BuildRequires: Mesa-khrplatform-devel
BuildRequires: Qt5Core-devel >= %{qtbase_ver}
@@ -106,6 +108,8 @@ BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n)
%define specflags -fno-strict-aliasing
%define qt5dir %{_libdir}/qt5
+%define qt5bindir %(qtpaths-qt5 --binaries-dir)
+
%description
Qt is a cross-platform application and UI framework. Using Qt, you can
write web-enabled applications once and deploy them across desktop,
@@ -262,17 +266,21 @@ Qt5 WebEngine examples.
Przykłady do biblioteki Qt5 WebEngine.
%prep
-%setup -q -n %{orgname}-everywhere-src-%{version}
+%setup -q -n qtwebengine
%ifarch x32
%patch0 -p1
%endif
%patch1 -p1
+%patch2 -p1
+%patch3 -p1
+
+%{qt5bindir}/syncqt.pl -version %{version}
%build
%ifarch x32
export V8_TARGET_ARCH="x32"
%endif
-qmake-qt5 -- \
+qmake-qt5 CONFIG+=use_gold_linker -- \
-webengine-ffmpeg \
-webengine-icu \
-webengine-opus \
diff --git a/glibc-2.33.patch b/glibc-2.33.patch
new file mode 100644
index 0000000..7951e6b
--- /dev/null
+++ b/glibc-2.33.patch
@@ -0,0 +1,141 @@
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.rh#1904652 qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.rh#1904652 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2021-06-24 08:34:07.566783935 -0500
+@@ -257,6 +257,18 @@ ResultExpr EvaluateSyscallImpl(int fs_de
+ return RestrictKillTarget(current_pid, sysno);
+ }
+
++#if defined(__NR_newfstatat)
++ if (sysno == __NR_newfstatat) {
++ return RewriteFstatatSIGSYS();
++ }
++#endif
++
++#if defined(__NR_fstatat64)
++ if (sysno == __NR_fstatat64) {
++ return RewriteFstatatSIGSYS();
++ }
++#endif
++
+ if (SyscallSets::IsFileSystem(sysno) ||
+ SyscallSets::IsCurrentDirectory(sysno)) {
+ return Error(fs_denied_errno);
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.rh#1904652 qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.rh#1904652 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc 2021-06-24 08:40:08.552334787 -0500
+@@ -6,6 +6,8 @@
+
+ #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
+
++#include <errno.h>
++#include <fcntl.h>
+ #include <stddef.h>
+ #include <stdint.h>
+ #include <string.h>
+@@ -355,6 +357,35 @@ intptr_t SIGSYSSchedHandler(const struct
+ return -ENOSYS;
+ }
+
++intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
++ void* aux) {
++ switch (args.nr) {
++#if defined(__NR_newfstatat)
++ case __NR_newfstatat:
++#endif
++#if defined(__NR_fstatat64)
++ case __NR_fstatat64:
++#endif
++#if defined(__NR_newfstatat) || defined(__NR_fstatat64)
++ if (*reinterpret_cast<const char *>(args.args[1]) == '\0'
++ && args.args[3] == static_cast<uint64_t>(AT_EMPTY_PATH)) {
++ return sandbox::sys_fstat64(static_cast<int>(args.args[0]),
++ reinterpret_cast<struct stat64 *>(args.args[2]));
++ } else {
++ errno = EACCES;
++ return -1;
++ }
++ break;
++#endif
++ }
++
++ CrashSIGSYS_Handler(args, aux);
++
++ // Should never be reached.
++ RAW_CHECK(false);
++ return -ENOSYS;
++}
++
+ bpf_dsl::ResultExpr CrashSIGSYS() {
+ return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
+ }
+@@ -387,6 +418,10 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS()
+ return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
+ }
+
++bpf_dsl::ResultExpr RewriteFstatatSIGSYS() {
++ return bpf_dsl::Trap(SIGSYSFstatatHandler, NULL);
++}
++
+ void AllocateCrashKeys() {
+ #if !defined(OS_NACL_NONSFI)
+ if (seccomp_crash_key)
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.rh#1904652 qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.rh#1904652 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h 2021-06-24 08:39:31.205174337 -0500
+@@ -62,6 +62,10 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFail
+ // sched_setparam(), sched_setscheduler()
+ SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args,
+ void* aux);
++// If the fstatat syscall is actually a disguised fstat, calls the regular fstat
++// syscall, otherwise, crashes in the same way as CrashSIGSYS_Handler.
++SANDBOX_EXPORT intptr_t
++ SIGSYSFstatatHandler(const struct arch_seccomp_data& args, void* aux);
+
+ // Variants of the above functions for use with bpf_dsl.
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS();
+@@ -72,6 +76,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr Crash
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
+ SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
++SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS();
+
+ // Allocates a crash key so that Seccomp information can be recorded.
+ void AllocateCrashKeys();
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc.rh#1904652 qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc.rh#1904652 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc 2021-06-24 08:34:07.567783940 -0500
+@@ -261,4 +261,13 @@ int sys_sigaction(int signum,
+
+ #endif // defined(MEMORY_SANITIZER)
+
++SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf)
++{
++#if defined(__NR_fstat64)
++ return syscall(__NR_fstat64, fd, buf);
++#else
++ return syscall(__NR_fstat, fd, buf);
++#endif
++}
++
+ } // namespace sandbox
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h.rh#1904652 qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h.rh#1904652 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h 2021-06-24 08:34:07.568783944 -0500
+@@ -17,6 +17,7 @@ struct sock_fprog;
+ struct rlimit64;
+ struct cap_hdr;
+ struct cap_data;
++struct stat64;
+
+ namespace sandbox {
+
+@@ -84,6 +85,9 @@ SANDBOX_EXPORT int sys_sigaction(int sig
+ const struct sigaction* act,
+ struct sigaction* oldact);
+
++// Recent glibc rewrites fstat to fstatat.
++SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf);
++
+ } // namespace sandbox
+
+ #endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
diff --git a/icu.patch b/icu.patch
new file mode 100644
index 0000000..b61c923
--- /dev/null
+++ b/icu.patch
@@ -0,0 +1,12 @@
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/third_party/libxml/src/encoding.c.TRUE qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/third_party/libxml/src/encoding.c
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/third_party/libxml/src/encoding.c.TRUE 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/third_party/libxml/src/encoding.c 2021-06-24 09:44:41.592468805 -0500
+@@ -2004,7 +2004,7 @@ xmlEncOutputChunk(xmlCharEncodingHandler
+ #ifdef LIBXML_ICU_ENABLED
+ else if (handler->uconv_out != NULL) {
+ ret = xmlUconvWrapper(handler->uconv_out, 0, out, outlen, in, inlen,
+- TRUE);
++ 1);
+ }
+ #endif /* LIBXML_ICU_ENABLED */
+ else {
================================================================
---- gitweb:
http://git.pld-linux.org/gitweb.cgi/packages/qt5-qtwebengine.git/commitdiff/3b5e88b8a2a79b660404823ff3f12501f15895c9
More information about the pld-cvs-commit
mailing list