Bug 29249

Summary: qtwebengine5 new security issues fixed upstream in 5.15.3
Product: Mageia Reporter: David Walser <luigiwalser>
Component: SecurityAssignee: QA Team <qa-bugs>
Status: RESOLVED FIXED QA Contact: Sec team <security>
Severity: major    
Priority: Normal CC: herman.viaene, sysadmin-bugs
Version: 8Keywords: advisory, validated_update
Target Milestone: ---   
Hardware: All   
OS: Linux   
Whiteboard: MGA8-64-OK
Source RPM: qtwebengine5-5.15.2-2.mga8.src.rpm CVE:
Status comment:
Bug Depends on: 29362    
Bug Blocks:    

Comment 1 David Walser 2021-08-10 23:10:29 CEST 
We should push the qtwebengine5 update that I just made in Cauldron to Mageia 8.
Comment 2 David Walser 2021-08-11 16:32:39 CEST 
It's checked into SVN.  I tried building it once, but the build system went homicidal and killed it for no reason.  Will have to try again later.
David Walser 2021-08-12 05:59:44 CEST

Depends on: (none) => 29362

Comment 3 David Walser 2021-08-12 22:24:46 CEST 
qtwebengine5-5.15.5-1.mga8
qtwebengine5-doc-5.15.5-1.mga8
libqt5pdf5-5.15.5-1.mga8
libqt5webengine-devel-5.15.5-1.mga8
libqt5webengine5-5.15.5-1.mga8
libqt5webenginewidgets5-5.15.5-1.mga8
libqt5pdfwidgets5-5.15.5-1.mga8
libqt5webenginecore5-5.15.5-1.mga8

from qtwebengine5-5.15.5-1.mga8.src.rpm

Assignee: kde => qa-bugs

Comment 4 Herman Viaene 2021-08-13 15:17:05 CEST 
MGA8-64 Plasma on Lenovo B50
Installation issue: "Sorry, the following package cannot be seected:

- lib64qt5webengine-devel-5.15.5-1.mga8.x86_64"
Allthe others install OK. Continuing .....

CC: (none) => herman.viaene

Comment 5 Herman Viaene 2021-08-13 15:28:40 CEST 
Looking in vain how to test this.

BTW:when I check in http://madb.mageia.org/tools/updates the link "Bugzilla" to find previous updates, it returns nothing but this update itself. However, whill googling I found https://bugs.mageia.org/show_bug.cgi?id=20685, isn't that strange?????
Comment 6 David Walser 2021-08-13 15:40:41 CEST 
Why can't the devel package be installed?

For testing, check urpmq --whatrequires on the libraries.
Comment 7 Herman Viaene 2021-08-14 21:24:09 CEST 
# urpmq --whatrequires qtwebengine5
gives a.o. konqueror
$ strace -o qtwebengin.txt konqueror
used it to go to newspapersite and read some text, display images and view a video.
Trace file has a whole lot of statements like
access("/usr/lib64/qt5/libexec/QtWebEngineProcess", F_OK) = 0
lstat("/usr/lib64/qt5/libexec/QtWebEngineProcess", {st_mode=S_IFREG|0755, st_size=11496, ...}) = 0
access("/usr/share/qt5/resources/qtwebengine_resources.pak", F_OK) = 0
access("/usr/share/qt5/translations/qtwebengine_locales", F_OK) = 0
and more.....
So OK'ing

Whiteboard: (none) => MGA8-64-OK

Comment 8 David Walser 2021-08-14 21:43:18 CEST 
We still need to figure out if the -devel package is OK, otherwise this could break building other things.  What's the deal there?

Whiteboard: MGA8-64-OK => (none)

Comment 9 David Walser 2021-08-14 22:08:24 CEST 
I just checked it, there's nothing wrong with it.  Must have been user error with qarepo.

Whiteboard: (none) => MGA8-64-OK
CC: (none) => sysadmin-bugs
Keywords: (none) => validated_update

Comment 10 David Walser 2021-08-14 22:11:39 CEST 
Advisory:
========================

Updated qtwebengine5 packages fix security vulnerabilities:

The qtwebengine5 package has been updated to version 5.15.5, fixing several
security issues in the bundled chromium code.

References:
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2020-16044
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21118
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21119
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21120
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21121
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21122
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21123
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21125
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21126
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21127
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21128
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21129
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21130
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21131
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21132
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21135
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21137
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21140
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21141
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21145
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21146
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21147
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21148
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21149
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21150
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21152
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21153
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21156
https://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2021-21157
https://lists.opensuse.org/archives/list/security-announce@lists.opensuse.org/thread/5TAIJROLXEDDASYPE5FNK2OGKN4IAJT5/
David Walser 2021-08-14 22:17:25 CEST

Keywords: (none) => advisory

Comment 11 Mageia Robot 2021-08-15 10:39:27 CEST 
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2021-0406.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED