diff --git a/.gitattributes b/.gitattributes
new file mode 100644
index 0000000000000000000000000000000000000000..d87f5613ec4234f82f8eaeebc563711f587fdf88
--- /dev/null
+++ b/.gitattributes
@@ -0,0 +1 @@
+*.xz filter=lfs diff=lfs merge=lfs -text
diff --git a/.lfsconfig b/.lfsconfig
new file mode 100644
index 0000000000000000000000000000000000000000..bf163f0808738c0e0f61382a7418b2a91b6e449e
--- /dev/null
+++ b/.lfsconfig
@@ -0,0 +1,2 @@
+[lfs]
+ url = https://artlfs.openeuler.openatom.cn/src-openEuler/qt5-qtwebengine
diff --git a/CVE-2024-12694.patch b/CVE-2024-12694.patch
new file mode 100644
index 0000000000000000000000000000000000000000..00b96081eddf513b0f83ca20a8f6b6bed24565d6
--- /dev/null
+++ b/CVE-2024-12694.patch
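Review bot: The committed `.lfsconfig` points every LFS object — and, through the new `.gitattributes` rule, every `*.xz`, i.e. the source tarball — at `artlfs.openeuler.openatom.cn`, so the integrity of the build input now rests on that host and on the sha256 in the committed pointer rather than on a blob in git history. A comment above `[lfs]` recording why the default endpoint is overridden and who operates it would help the next reviewer, e.g. `# src-openEuler LFS mirror; *.xz sources are stored here (see .gitattributes)`. git-lfs normally verifies a fetched object against the pointer's sha256, so the remaining question is whether the pointer committed in this change was produced from the tarball previously tracked in git; nothing in the visible spec hunks checks the tarball's digest.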
@@ -0,0 +1,51 @@ +From e79507cb9cd85a80879a7c3c5570eaa96f56b5b6 Mon Sep 17 00:00:00 2001 +From: Stefan Zager +Date: Sat, 14 Dec 2024 11:06:00 -0800 +Subject: [PATCH] [Backport] CVE-2024-12694: Use after free in Compositing + +Cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/6093379: +Prevent ImageData from being reclaimed while in use + +Cherry-picked from: + https://chromium-review.googlesource.com/c/chromium/src/+/5990752 + +Bug: chromium:368222741 +Change-Id: If830b19287fd7c4aa07137044f23a14f8ce6912d +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6093379 +Reviewed-by: Prudhvikumar Bommana +Owners-Override: Prudhvikumar Bommana +Commit-Queue: Prudhvikumar Bommana +Cr-Commit-Position: refs/branch-heads/6723@{#2713} +Cr-Branched-From: 985f2961df230630f9cbd75bd6fe463009855a11-refs/heads/main@{#1356013} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/615689 +Reviewed-by: Anu Aliyas +--- + chromium/cc/tiles/gpu_image_decode_cache.cc | 7 +++++++ + 1 file changed, 7 insertions(+) + +diff --git a/chromium/cc/tiles/gpu_image_decode_cache.cc b/chromium/cc/tiles/gpu_image_decode_cache.cc +index 04ea83859f0a..a256a956be46 100644 +--- a/chromium/cc/tiles/gpu_image_decode_cache.cc ++++ b/chromium/cc/tiles/gpu_image_decode_cache.cc +@@ -1904,6 +1904,10 @@ void GpuImageDecodeCache::DecodeImageIfNecessary(const DrawImage& draw_image, + TRACE_EVENT0("cc,benchmark", "GpuImageDecodeCache::DecodeImage"); + + image_data->decode.ResetData(); ++ ++ // Prevent image_data from being deleted while lock is not held. ++ scoped_refptr image_data_holder(image_data); ++ + std::unique_ptr backing_memory; + sk_sp image; + // These are used only for decoding into YUV. +@@ -2131,6 +2135,9 @@ void GpuImageDecodeCache::UploadImageIfNecessary(const DrawImage& draw_image, + GrMipMapped image_needs_mips = + image_data->needs_mips ? 
GrMipMapped::kYes : GrMipMapped::kNo; + ++ // Prevent image_data from being deleted while lock is not held. ++ scoped_refptr image_data_holder(image_data); ++ + if (image_data->is_yuv) { + DCHECK(image_data->yuv_color_space.has_value()); + // Grab a reference to our decoded image. For the kCpu path, we will use diff --git a/CVE-2025-0436.patch b/CVE-2025-0436.patch new file mode 100644 index 0000000000000000000000000000000000000000..3f62fbfdfe56020dcaf4bebb237c3e8f000c7529 --- /dev/null +++ b/CVE-2025-0436.patch 
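Review bot: The added lines appear here as `scoped_refptr image_data_holder(image_data);`, `std::unique_ptr backing_memory;` and `sk_sp image;` with no template arguments; if the stored patch really lacks `<ImageData>` and the others it will apply cleanly and then break the build, so verify the angle brackets survived against the Qt change 615689 it is copied from — this looks like a page rendering artefact rather than the file, but the spec build is the only thing that would catch it. The holder also presupposes that `ImageData` in this 87-based `gpu_image_decode_cache.h` is ref-counted (`scoped_refptr` requires it); that header is outside the hunk, so confirm before relying on the backport. The comment `// Prevent image_data from being deleted while lock is not held.` would read better if it named the window it protects, e.g. `// The decode/upload below runs with the cache lock released; keep image_data alive across that window.`, provided that is indeed where the lock is dropped. Both enclosing functions, DecodeImageIfNecessary and UploadImageIfNecessary, start and end outside the hunk.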
@@ -0,0 +1,66 @@ +From 8882ed795a3dc6b489982f6d6869e5c22d3703ea Mon Sep 17 00:00:00 2001 +From: James Godfrey-Kittle +Date: Tue, 17 Dec 2024 12:14:17 -0500 +Subject: [PATCH] [Backport] CVE-2025-0436: Integer overflow in Skia + +Manual backport of patch originally reviewed on +https://skia-review.googlesource.com/c/skia/+/930577: +Avoid overflow when combining AAHairlineOps + +Bug: b/382786791 +Change-Id: I955d943015cce76f75221df9fab0897a6f22fe4b +Reviewed-on: https://skia-review.googlesource.com/c/skia/+/930577 +Reviewed-by: Michael Ludwig +Commit-Queue: James Godfrey-Kittle +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/626412 +Reviewed-by: Anu Aliyas +--- + .../src/gpu/ops/GrAAHairLinePathRenderer.cpp | 23 +++++++++++++++---- + 1 file changed, 18 insertions(+), 5 deletions(-) + +diff --git a/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp b/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp +index c4ae781f0b5a..a91eaac389bc 100644 +--- a/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp ++++ b/chromium/third_party/skia/src/gpu/ops/GrAAHairLinePathRenderer.cpp +@@ -11,6 +11,7 @@ + #include "src/core/SkMatrixPriv.h" + #include "src/core/SkPointPriv.h" + #include "src/core/SkRectPriv.h" ++#include "src/core/SkSafeMath.h" + #include "src/core/SkStroke.h" + #include "src/gpu/GrAuditTrail.h" + #include "src/gpu/GrBuffer.h" +@@ -1189,16 +1190,28 @@ void AAHairlineOp::onPrepareDraws(Target* target) { + + int instanceCount = fPaths.count(); + bool convertConicsToQuads = !target->caps().shaderCaps()->floatIs32Bits(); +- for (int i = 0; i < instanceCount; i++) { ++ SkSafeMath safeMath; ++ for (int i = 0; i < instanceCount && safeMath.ok(); i++) { + const PathData& args = fPaths[i]; +- quadCount += gather_lines_and_quads(args.fPath, args.fViewMatrix, args.fDevClipBounds, +- args.fCapLength, convertConicsToQuads, &lines, &quads, +- &conics, &qSubdivs, &cWeights); ++ quadCount = 
safeMath.addInt(quadCount, ++ gather_lines_and_quads(args.fPath, ++ args.fViewMatrix, ++ args.fDevClipBounds, ++ args.fCapLength, ++ convertConicsToQuads, ++ &lines, ++ &quads, ++ &conics, ++ &qSubdivs, ++ &cWeights)); + } + + int lineCount = lines.count() / 2; + int conicCount = conics.count() / 3; +- int quadAndConicCount = conicCount + quadCount; ++ int quadAndConicCount = safeMath.addInt(conicCount, quadCount); ++ if (!safeMath.ok()) { ++ return; ++ } + + static constexpr int kMaxLines = SK_MaxS32 / kLineSegNumVertices; + static constexpr int kMaxQuadsAndConics = SK_MaxS32 / kQuadNumVertices; diff --git a/CVE-2025-0762.patch b/CVE-2025-0762.patch new file mode 100644 index 0000000000000000000000000000000000000000..d191595b2dd0809b676e72ad38cb7bede4d2f9b7 --- /dev/null +++ b/CVE-2025-0762.patch 
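Review bot: The new bail-out `if (!safeMath.ok()) { return; }` silently drops the whole AAHairlineOp rather than failing loudly; that is the right fail-safe for a render path, but the reason should sit next to it so nobody later "fixes" it into a clamp, e.g. `// quad/conic count overflowed: skip the draw instead of sizing the vertex buffer from a wrapped value.` When the loop exits early through `safeMath.ok()`, `lines`, `quads` and `conics` are left partially filled, which is harmless only because of the return that follows, so the two pieces should be kept together. The declaration of `quadCount` and the comparisons against `kMaxLines`/`kMaxQuadsAndConics` lie outside the hunk, as does the rest of `onPrepareDraws`.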
@@ -0,0 +1,87 @@ +From 8648b762c4a840add58cd2df697854cd5bd67feb Mon Sep 17 00:00:00 2001 +From: Andrey Kosyakov +Date: Wed, 15 Jan 2025 10:17:13 -0800 +Subject: [PATCH] [Backport] CVE-2025-0762: Use after free in DevTools + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/6175790: +Make DevToolsAgent::Client a GCMixin, since the implementation is GCed + +We used to keep a raw pointer to Client in DevToolsAgent, which does +not play well when the implementation is getting collected. + +Bug: 384844003 +Change-Id: Id34886635955133f0be746a9e6e910f9e6891dbf +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6175790 +Commit-Queue: Andrey Kosyakov +Reviewed-by: Daniel Cheng +Cr-Commit-Position: refs/heads/main@{#1406819} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/626414 +Reviewed-by: Anu Aliyas +--- + .../blink/renderer/core/exported/web_dev_tools_agent_impl.h | 2 +- + .../blink/renderer/core/inspector/devtools_agent.cc | 1 + + .../blink/renderer/core/inspector/devtools_agent.h | 4 ++-- + .../renderer/core/inspector/worker_inspector_controller.h | 2 +- + 4 files changed, 5 insertions(+), 4 deletions(-) + +diff --git a/chromium/third_party/blink/renderer/core/exported/web_dev_tools_agent_impl.h b/chromium/third_party/blink/renderer/core/exported/web_dev_tools_agent_impl.h +index 6bde1bb591c2..c1f006b08eb5 100644 +--- a/chromium/third_party/blink/renderer/core/exported/web_dev_tools_agent_impl.h ++++ b/chromium/third_party/blink/renderer/core/exported/web_dev_tools_agent_impl.h +@@ -69,7 +69,7 @@ class CORE_EXPORT WebDevToolsAgentImpl final + + WebDevToolsAgentImpl(WebLocalFrameImpl*, bool include_view_agents); + ~WebDevToolsAgentImpl() override; +- virtual void Trace(Visitor*) const; ++ void Trace(Visitor*) const override; + DevToolsAgent* GetDevToolsAgent() const { return agent_.Get(); } + + void WillBeDestroyed(); +diff --git 
a/chromium/third_party/blink/renderer/core/inspector/devtools_agent.cc b/chromium/third_party/blink/renderer/core/inspector/devtools_agent.cc +index f5c138ac9293..8172ff070c56 100644 +--- a/chromium/third_party/blink/renderer/core/inspector/devtools_agent.cc ++++ b/chromium/third_party/blink/renderer/core/inspector/devtools_agent.cc +@@ -146,6 +146,7 @@ DevToolsAgent::DevToolsAgent( + DevToolsAgent::~DevToolsAgent() = default; + + void DevToolsAgent::Trace(Visitor* visitor) const { ++ visitor->Trace(client_); + visitor->Trace(associated_receiver_); + visitor->Trace(host_remote_); + visitor->Trace(associated_host_remote_); +diff --git a/chromium/third_party/blink/renderer/core/inspector/devtools_agent.h b/chromium/third_party/blink/renderer/core/inspector/devtools_agent.h +index 2a1708b06634..ab5f2472e5ee 100644 +--- a/chromium/third_party/blink/renderer/core/inspector/devtools_agent.h ++++ b/chromium/third_party/blink/renderer/core/inspector/devtools_agent.h +@@ -32,7 +32,7 @@ struct WorkerDevToolsParams; + class CORE_EXPORT DevToolsAgent : public GarbageCollected, + public mojom::blink::DevToolsAgent { + public: +- class Client { ++ class Client : public GarbageCollectedMixin { + public: + virtual ~Client() = default; + virtual void AttachSession(DevToolsSession*, bool restore) = 0; +@@ -122,7 +122,7 @@ class CORE_EXPORT DevToolsAgent : public GarbageCollected, + bool wait_for_debugger, + base::OnceClosure callback); + +- Client* client_; ++ Member const client_; + // DevToolsAgent is not tied to ExecutionContext + HeapMojoAssociatedReceiver, + std::unique_ptr); + ~WorkerInspectorController() override; +- void Trace(Visitor*) const; ++ void Trace(Visitor*) const override; + + CoreProbeSink* GetProbeSink() const { return probe_sink_.Get(); } + DevToolsAgent* GetDevToolsAgent() const { return agent_.Get(); } 
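Review bot: Turning `Client* client_` into a traced `Member` (rendered here as `Member const client_`, apparently with the template argument stripped) makes every `DevToolsAgent::Client` implementation a GC object; the diffstat converts only `WebDevToolsAgentImpl` and `WorkerInspectorController`, so any other `Client` subclass in this 87-based tree that is not `GarbageCollected` will stop compiling — worth a grep before applying. The hunk for `worker_inspector_controller.h` is not visible on this page (the text jumps from `HeapMojoAssociatedReceiver` to `std::unique_ptr);`), so confirm the stored patch still carries that file's header and hunk; a truncated patch would fail `%autopatch`. A one-line comment on the member would capture the fix for readers of this old tree: `// Traced: the client is itself garbage collected; a raw pointer dangled after its collection (CVE-2025-0762).`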
diff --git a/CVE-2025-0996.patch b/CVE-2025-0996.patch
new file mode 100644
index 0000000000000000000000000000000000000000..17db69b8a5367873d4611de59fd177015637a011
--- /dev/null
+++ b/CVE-2025-0996.patch
@@ -0,0 +1,71 @@ +From 5c7888deb1749d0429069a8f5e4d2d31b795df6a Mon Sep 17 00:00:00 2001 +From: Mustafa Emre Acer +Date: Mon, 3 Feb 2025 17:53:06 -0800 +Subject: [PATCH] [Backport] CVE-2025-0996: Inappropriate implementation in + Browser UI + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/6227546: +[Lookalikes] Disallow hostnames containing certain ligatures + +On some platforms, system fonts contain ligatures that render the +Google logo. This can be used to spoof hostnames. + +This CL blocks hostnames containing unsafe ligatures with an +interstitial. + +Bug: 391788835 +Change-Id: Ida694f42b2540ec61b78c7f9f6d0732a768c16c9 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6227546 +Reviewed-by: Joe DeBlasio +Commit-Queue: Mustafa Emre Acer +Cr-Commit-Position: refs/heads/main@{#1415328} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/626413 +Reviewed-by: Anu Aliyas +--- + .../lookalikes/core/lookalike_url_util.cc | 25 +++++++++++++++++++ + 1 file changed, 25 insertions(+) + +diff --git a/chromium/components/lookalikes/core/lookalike_url_util.cc b/chromium/components/lookalikes/core/lookalike_url_util.cc +index 6092d94ccfe4..39354a10cb18 100644 +--- a/chromium/components/lookalikes/core/lookalike_url_util.cc ++++ b/chromium/components/lookalikes/core/lookalike_url_util.cc +@@ -348,6 +348,27 @@ bool IsAllowedToBeEmbedded( + EndsWithPermittedDomains(embedded_target, embedding_domain); + } + ++// Hostnames containing these strings are considered unsafe due to ligature ++// rendering in some fonts. ++const char* kUnsafeLigatures[] = { ++ "g_logo", "o_logo", "l_logo", "e_logo", ++ // google_logo is also unsafe, but e_logo is its substring. ++ // super_g_logo is also unsafe, but g_logo is its substring. 
++ "google_g", "glogoligature", "ologoligature", "llogoligature", ++ "elogoligature", ++ // googlelogoligature is also unsafe, but elogoligature is its ++ // substring ++}; ++ ++bool IsUnsafeLigature(const DomainInfo& domain) { ++ for (const char* unsafe_ligature : kUnsafeLigatures) { ++ if (domain.hostname.find(unsafe_ligature) != std::string::npos) { ++ return true; ++ } ++ } ++ return false; ++} ++ + } // namespace + + DomainInfo::DomainInfo(const std::string& arg_hostname, +@@ -771,6 +792,10 @@ bool IsASCIIAndEmojiOnly(const base::StringPiece16& text) { + } + + bool ShouldBlockBySpoofCheckResult(const DomainInfo& navigated_domain) { ++ if (IsUnsafeLigature(navigated_domain)) { ++ return true; ++ } ++ + // Here, only a subset of spoof checks that cause an IDN to fallback to + // punycode are configured to show an interstitial. + switch (navigated_domain.idn_result.spoof_check_result) { diff --git a/CVE-2025-0999.patch b/CVE-2025-0999.patch new file mode 100644 index 0000000000000000000000000000000000000000..6fe1c6596aca48fbc7d017a5ddb15d9f097b26b7 --- /dev/null +++ b/CVE-2025-0999.patch 
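Review bot: `IsUnsafeLigature` does a case-sensitive substring `find` on `domain.hostname`, which is only sufficient if that field is already the canonical lowercase ASCII/punycode host; if it can ever carry mixed case or a Unicode IDN form, `G_LOGO` slips past. The `DomainInfo` constructor is outside the hunk, so state the assumption where it is relied on: `// hostname is the canonical (lowercase ASCII) form, so case-sensitive substring matching is enough.` The table's comments on omitted supersets are good; `const char* kUnsafeLigatures[]` could be `constexpr const char* const kUnsafeLigatures[]` so the pointers land in read-only data. Whether this check is reached for every navigation depends on the callers of `ShouldBlockBySpoofCheckResult`, whose body also continues past the hunk.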
@@ -0,0 +1,58 @@ +From 031ba58f785e2355830c938a792e99889010b65f Mon Sep 17 00:00:00 2001 +From: Thibaud Michaud +Date: Mon, 10 Feb 2025 14:31:16 +0100 +Subject: [PATCH] [Backport] CVE-2025-0999: Heap buffer overflow in V8 + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/v8/v8/+/6249299: +Reland "Lower the maximum JS parameter count" + +This is a reland of commit 1827ed8345369ca50a55a10ab3e45bcc581c6339 + +Before the change, one of the nodes had more than 2^16 inputs +so optimization bailed out. +After the change, the function has fewer parameters and gets +optimized, and the register allocator struggles with that many +parameters and times out. +Just mark the test as slow for now. + +Original change's description: +> Lower the maximum JS parameter count +> +> To allow extra implicit arguments on the call node without overflowing +> the uint16_t input count, in particular in the wasm-to-js wrapper where +> we don't have a bailout mechanism. 
+> +> R=verwaest@chromium.org +> +> Fixed: 394350433 +> Change-Id: I61d2e2387539cafd6a0909c3ee035c93d0217be3 +> Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6239302 +> Reviewed-by: Toon Verwaest +> Commit-Queue: Thibaud Michaud +> Cr-Commit-Position: refs/heads/main@{#98556} + +Change-Id: I9b5c53a8f7ee247914585a3292895672bbce1ab6 +Reviewed-on: https://chromium-review.googlesource.com/c/v8/v8/+/6249299 +Reviewed-by: Toon Verwaest +Commit-Queue: Thibaud Michaud +Cr-Commit-Position: refs/heads/main@{#98609} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/626416 +Reviewed-by: Anu Aliyas +--- + chromium/v8/src/objects/code.h | 2 +- + 1 file changed, 1 insertion(+), 1 deletion(-) + +diff --git a/chromium/v8/src/objects/code.h b/chromium/v8/src/objects/code.h +index d71a0b1132a2..d4201a0a7bfe 100644 +--- a/chromium/v8/src/objects/code.h ++++ b/chromium/v8/src/objects/code.h +@@ -506,7 +506,7 @@ class Code : public HeapObject { + + static const int kArgumentsBits = 16; + // Reserve one argument count value as the "don't adapt arguments" sentinel. +- static const int kMaxArguments = (1 << kArgumentsBits) - 2; ++ static const int kMaxArguments = (1 << kArgumentsBits) - 10; + + private: + friend class RelocIterator; diff --git a/CVE-2025-1426.patch b/CVE-2025-1426.patch new file mode 100644 index 0000000000000000000000000000000000000000..cade10a3417c01d0700c01bdaddd6782f416e11e --- /dev/null +++ b/CVE-2025-1426.patch 
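Review bot: The comment kept above the change, `// Reserve one argument count value as the "don't adapt arguments" sentinel.`, now explains only one of the nine extra slots that `- 10` reserves, so the constant reads as a magic number; rewrite it to carry the reason from the commit message, e.g. `// Reserve the "don't adapt arguments" sentinel plus room for the extra implicit inputs a call node may carry (e.g. the wasm-to-js wrapper), so the uint16_t input count cannot overflow.` The upstream commit also marked a test as slow; only `code.h` is in this backport, which is fine for the package but should be noted in the patch description so nobody looks for the missing hunk. The surrounding `Code` class is outside the hunk.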
@@ -0,0 +1,56 @@ +From 7e7ab4f3115d12976b24efe049043f5a5f769109 Mon Sep 17 00:00:00 2001 +From: Geoff Lang +Date: Wed, 12 Feb 2025 10:48:28 -0800 +Subject: [PATCH] [Backport] CVE-2025-1426: Heap buffer overflow in GPU + +Manual cherry-pick of patch originally reviewed on +https://chromium-review.googlesource.com/c/chromium/src/+/6258068: +M132: Check query IDs before removing from active_queries_ + +glDeleteQueries was removing queries from active_queries_ if they +matched the type of query being deleted. It also needed to check that +the ID matches. + +This would cause issues later when the real active query was ended and +did not exist in the map. + +(cherry picked from commit d8747107c91751884bdc5a297b29e6ba1785e7e5) + +Bug: 383465163 +Change-Id: I1ea9d1b053324dbe86c8dceadd9e3b8aa2b41c64 +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6226546 +Reviewed-by: Zhenyao Mo +Commit-Queue: Geoff Lang +Cr-Original-Commit-Position: refs/heads/main@{#1416160} +Reviewed-on: https://chromium-review.googlesource.com/c/chromium/src/+/6258068 +Cr-Commit-Position: refs/branch-heads/6834@{#5225} +Cr-Branched-From: 47a3549fac11ee8cb7be6606001ede605b302b9f-refs/heads/main@{#1381561} +Reviewed-on: https://codereview.qt-project.org/c/qt/qtwebengine-chromium/+/626417 +Reviewed-by: Michal Klocek +--- + .../service/gles2_cmd_decoder_passthrough_doers.cc | 5 +++-- + 1 file changed, 3 insertions(+), 2 deletions(-) + +diff --git a/chromium/gpu/command_buffer/service/gles2_cmd_decoder_passthrough_doers.cc b/chromium/gpu/command_buffer/service/gles2_cmd_decoder_passthrough_doers.cc +index 8f95009add1b..dfded496838e 100644 +--- a/chromium/gpu/command_buffer/service/gles2_cmd_decoder_passthrough_doers.cc ++++ b/chromium/gpu/command_buffer/service/gles2_cmd_decoder_passthrough_doers.cc +@@ -3514,7 +3514,8 @@ error::Error GLES2DecoderPassthroughImpl::DoDeleteQueriesEXT( + } + + auto active_queries_iter = active_queries_.find(query_info.type); +- if (active_queries_iter != 
active_queries_.end()) { ++ if (active_queries_iter != active_queries_.end() && ++ active_queries_iter->second.service_id == query_service_id) { + active_queries_.erase(active_queries_iter); + } + +@@ -3698,7 +3699,7 @@ error::Error GLES2DecoderPassthroughImpl::DoEndQueryEXT(GLenum target, + } + } + +- DCHECK(active_queries_.find(target) != active_queries_.end()); ++ CHECK(base::Contains(active_queries_, target)); + ActiveQuery active_query = std::move(active_queries_[target]); + active_queries_.erase(target); + diff --git a/qt5-qtwebengine.spec b/qt5-qtwebengine.spec index 770e7884dc2ff66eb4d6666905773e5bf0b87510..e4d868f2cb9ef6da8b4d538f57eb7e6efffeb8c7 100644 --- a/qt5-qtwebengine.spec +++ b/qt5-qtwebengine.spec @@ -52,7 +52,7 @@ Summary: Qt5 - QtWebEngine components Name: qt5-qtwebengine Version: 5.15.10 -Release: 6 +Release: 7 # See LICENSE.GPL LICENSE.LGPL LGPL_EXCEPTION.txt, for details # See also http://qt-project.org/doc/qt-5.0/qtdoc/licensing.html @@ -130,6 +130,15 @@ Patch1001: riscv-qt5-qtwebengine.patch Patch1002: qtwebengine-ffmpeg5.patch %endif +# chromium patches +# from https://code.qt.io/cgit/qt/qtwebengine-chromium.git/?h=87-based +Patch2001: CVE-2024-12694.patch +Patch2002: CVE-2025-0436.patch +Patch2003: CVE-2025-0996.patch +Patch2004: CVE-2025-1426.patch +Patch2005: CVE-2025-0762.patch +Patch2006: CVE-2025-0999.patch + BuildRequires: make BuildRequires: qt5-qtbase-devel BuildRequires: qt5-qtbase-private-devel @@ -410,6 +419,7 @@ BuildArch: noarch mv pulse src/3rdparty/chromium/ pushd src/3rdparty/chromium +%autopatch -m2001 -M3000 -p2 popd %patch2 -p1 -b .fix-extractcflag @@ -665,6 +675,10 @@ done %changelog +* Sun Jun 29 2025 Funda Wang - 5.15.10-7 +- fix CVE-2024-12694, CVE-2025-0436, CVE-2025-0996, CVE-2025-1426, + CVE-2025-0762, CVE-2025-0999 + * Wed Apr 03 2024 misaka00251 - 5.15.10-6 - Migrate python 2 to python 3 & Fix build on riscv64 
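Review bot: Replacing `DCHECK` with `CHECK(base::Contains(active_queries_, target))` turns a missing active query into a deliberate GPU-process crash, which is the intended fail-closed behaviour once `DoDeleteQueriesEXT` only erases the entry whose `service_id` matches, but that intent should be written beside it: `// Must exist: deletion only removes the matching service_id (CVE-2025-1426); a miss means corrupted state, so crash rather than operator[] a default ActiveQuery.` In an 87-based tree `base::Contains` may live in `base/stl_util.h` rather than `base/containers/contains.h`; the cherry-pick adds no include, so confirm the one already present in this file (outside the hunk). `query_service_id` in the new condition is defined above the hunk.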
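Review bot: `%autopatch -m2001 -M3000 -p2` runs inside `src/3rdparty/chromium` and strips two path components, which only works because every CVE patch path begins with `a/chromium/`; record that coupling next to the line so the next backport touching a non-chromium path is not puzzling to debug: `# CVE backports from qtwebengine-chromium (87-based) use a/chromium/... paths; -p2 because we are inside src/3rdparty/chromium`. The `-M3000` upper bound also sweeps in any future `Patch2xxx` wherever it is declared; `-M2006`, bumped deliberately with each addition, keeps the applied set explicit. A wrong strip level fails loudly in `%prep`, so this is documentation rather than a defect.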
diff --git a/qtwebengine-everywhere-src-5.15.10-clean.tar.xz b/qtwebengine-everywhere-src-5.15.10-clean.tar.xz
index 853a92d3409da146b7817ee39564c67715a0b99a..177edba8bef48016bc187a70c139b7e94ba951f8 100644
Binary files a/qtwebengine-everywhere-src-5.15.10-clean.tar.xz and b/qtwebengine-everywhere-src-5.15.10-clean.tar.xz differ
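Review bot: The `qtwebengine-everywhere-src-5.15.10-clean.tar.xz` blob changes (853a92d3… → 177edba8…) while `Version` stays 5.15.10 and the changelog entry lists only the six CVE patches, so this change to the build input is undocumented. Given the `*.xz filter=lfs` rule added in the same commit it is most likely the tarball being rewritten as an LFS pointer with identical content, but the diff cannot show that. Record it in the changelog (`- move source tarball to LFS; content unchanged, sha256 …`) and, since nothing in the visible spec hunks verifies the tarball's digest, consider carrying a checksum in the spec so the build does not depend solely on what the LFS host serves.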