Bug 15749

Summary: qtwebkit new security issue fixed upstream in 5.4.1 (CVE-2015-8079)
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: normal    
Priority: Normal CC: sysadmin-bugs
Version: 4Keywords: validated_update
Target Milestone: ---   
Hardware: i586   
OS: Linux   
URL: http://lwn.net/Vulnerabilities/639231/
Whiteboard: has_procedure advisory MGA4-32-OK mga4-64-ok
Source RPM: qtwebkit-2.3.4-2.mga5.src.rpm, qtwebkit5-5.4.0-1.mga5.src.rpm CVE:
Status comment:

Description David Walser 2015-04-22 18:18:36 CEST 
Fedora has issued advisories on March 26:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155063.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154671.html

Fedora has a patch for the issue for qtwebkit 2.3.4, and it is fixed in qtwebkit5 5.4.1.

Mageia 4 and Cauldron are affected.

Reproducible: 

Steps to Reproduce:
David Walser 2015-04-22 18:18:51 CEST

Whiteboard: (none) => MGA5TOO, MGA4TOO

David Walser 2015-04-22 19:31:03 CEST

URL: http://lwn.net/Vulnerabilities/639231/ => http://lwn.net/Vulnerabilities/641427/

Comment 1 David Walser 2015-04-22 19:51:27 CEST 
Actually qtwebkit5 needs an additional patch as well:
http://pkgs.fedoraproject.org/cgit/qt5-qtwebkit.git/commit/?h=f22&id=ae50d7df90edc20a9f7427879d39c5b176f17a56
David Walser 2015-04-22 20:13:00 CEST

URL: http://lwn.net/Vulnerabilities/641427/ => http://lwn.net/Vulnerabilities/639231/

Comment 2 David Walser 2015-04-22 20:57:11 CEST 
Patches checked into Mageia 4 and Cauldron SVN.  Freeze push requested.
Comment 3 David Walser 2015-04-24 17:09:21 CEST 
Patched packages uploaded for Mageia 4 and Cauldron.

Advisory:
========================

Updated qtwebkit and qtwebkit5 packages fix security vulnerability:

QtWebKit logs visited URLs to WebpageIcons.db in private browsing mode.

References:
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/155063.html
https://lists.fedoraproject.org/pipermail/package-announce/2015-April/154671.html
========================

Updated packages in core/updates_testing:
========================
libqtwebkit2.2_4-2.3.3-3.1
qtwebkit-qmlplugin-2.3.3-3.1
libqtwebkit2.2-devel-2.3.3-3.1
qtwebkit5-5.2.0-2.1
libqt5webkitwidgets5-5.2.0-2.1
libqt5webkitwidgets-devel-5.2.0-2.1
libqt5webkitwidgets-private-devel-5.2.0-2.1
libqt5webkit5-5.2.0-2.1
libqt5webkit-devel-5.2.0-2.1
libqt5webkit-private-devel-5.2.0-2.1

from SRPMS:
qtwebkit-2.3.3-3.1.mga4.src.rpm
qtwebkit5-5.2.0-2.1.mga4.src.rpm

Version: Cauldron => 4
Assignee: mageia => qa-bugs
Whiteboard: MGA5TOO, MGA4TOO => (none)

Comment 4 David Walser 2015-04-24 18:55:37 CEST 
qtwebkit is used by a lot of things, but most directly by qupzilla and rekonq.  qtwebkit5 is only used by qt-creator, sigil, and yaflight, but I'm not sure how.
Comment 5 David Walser 2015-05-05 16:48:06 CEST 
Tested with qupzilla and qt-creator.  Seems OK on Mageia 4 i586.

Whiteboard: (none) => has_procedure MGA4-32-OK

Comment 6 claire robinson 2015-05-06 15:59:57 CEST 
Tested mga4 64

Validating. Advisory uploaded.

Please push to 4 updates

Thanks

Keywords: (none) => validated_update
Whiteboard: has_procedure MGA4-32-OK => has_procedure advisory MGA4-32-OK mga4-64-ok
CC: (none) => sysadmin-bugs

Comment 7 Mageia Robot 2015-05-06 17:16:42 CEST 
An update for this issue has been pushed to Mageia Updates repository.

http://advisories.mageia.org/MGASA-2015-0194.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

Comment 8 David Walser 2015-11-05 18:44:58 CET 
CVE-2015-8079 has been assigned for this:
http://openwall.com/lists/oss-security/2015/11/05/4

Summary: qtwebkit new security issue fixed upstream in 5.4.1 => qtwebkit new security issue fixed upstream in 5.4.1 (CVE-2015-8079)