Bug 29973 - qtwebengine5 new security issues fixed upstream in 5.15.8
Summary: qtwebengine5 new security issues fixed upstream in 5.15.8
Status: RESOLVED FIXED
Alias: None
Product: Mageia
Classification: Unclassified
Component: Security
Version: 8
Hardware: All Linux
Priority: Normal normal
Target Milestone: ---
Assignee: QA Team
QA Contact: Sec team
URL:
Whiteboard: MGA8-64-OK
Keywords: advisory, validated_update
Depends on:
Blocks:
 
Reported: 2022-01-30 20:08 CET by David Walser
Modified: 2022-02-05 21:24 CET

See Also:
Source RPM: qtwebengine5-5.15.6-1.mga8.src.rpm
CVE:
Status comment:



Description David Walser 2022-01-30 20:08:11 CET
Fedora has issued an advisory today (January 30):
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2MLX3OHXV7SCLP5MK4AA5TVXPPNSWDUP/

It updates the bundled Chromium code to a newer version with more security fixes.

Advisory will be as follows.

Advisory:
========================

Updated qtwebengine5 packages fix security vulnerabilities:

The qtwebengine5 package has been updated to version 5.15.8, fixing several
security issues in the bundled chromium code.

References:
https://lists.fedoraproject.org/archives/list/package-announce@lists.fedoraproject.org/thread/2MLX3OHXV7SCLP5MK4AA5TVXPPNSWDUP/
========================

Updated packages in core/updates_testing:
========================
qtwebengine5-5.15.8-1.mga8
qtwebengine5-doc-5.15.8-1.mga8
libqt5pdf5-5.15.8-1.mga8
libqt5webengine-devel-5.15.8-1.mga8
libqt5webengine5-5.15.8-1.mga8
libqt5webenginewidgets5-5.15.8-1.mga8
libqt5pdfwidgets5-5.15.8-1.mga8
libqt5webenginecore5-5.15.8-1.mga8

from qtwebengine5-5.15.8-1.mga8.src.rpm
Comment 1 Lewis Smith 2022-01-30 21:47:25 CET
Assigning this to DavidG as you are the main visible actual 'packager' of this SRPM.

Assignee: bugsquad => geiger.david68210

David Walser 2022-01-31 04:59:10 CET

Assignee: geiger.david68210 => qa-bugs

Comment 2 Herman Viaene 2022-01-31 15:10:15 CET
MGA8-64 Plasma on Lenovo B50 in Dutch
No installation issues.
Ref bug 29777 for using konqueror to test.
YouTube video plays OK, newspaper site is OK with text and pictures, but video fails, see e.g. https://www.standaard.be/cnt/dmf20220131_94310556
When I click on the video, there flashes a message "Sorry ......" on the screen, but too quickly to read. On the CLI I get at that moment:
[8561:13:0131/150517.502665:ERROR:batching_media_log.cc(38)] MediaEvent: {"error":"FFmpegDemuxer: no supported streams"}
[8561:13:0131/150517.503441:ERROR:batching_media_log.cc(38)] MediaEvent: {"error":"FFmpegDemuxer: no supported streams"}
[8561:1:0131/150517.586216:ERROR:batching_media_log.cc(35)] MediaEvent: {"pipeline_error":14}
[8561:1:0131/150517.586580:ERROR:batching_media_log.cc(35)] MediaEvent: {"pipeline_error":14}
js: VIDEOJS: ERROR: (CODE:3 MEDIA_ERR_DECODE) 4032 - undefined [object Object]
js: The resource https://www.googletagservices.com/tag/js/gpt.js was preloaded using link preload but not used within a few seconds from the window's load event. Please make sure it has an appropriate `as` value and it is preloaded intentionally.

CC: (none) => herman.viaene

Comment 3 David Walser 2022-01-31 15:29:41 CET
That's to be expected.  Fedora patched out a lot of the ffmpeg stuff.
Comment 4 Morgan Leijström 2022-01-31 15:35:43 CET
Testing the failing site of comment 2 before updating:

I see the Sorry.. message (also here too quickly vanishing) and the last lines from "VIDEOJS" and on are the same. Different lines in between.

So I would say that is not a regression of qtwebengine.

CC: (none) => fri

Comment 5 Thomas Andrews 2022-02-04 21:42:11 CET
@Herman: Since it appears that the issue you saw is "to be expected," and existed before the update so "is not a regression," do you have any objection to an OK for this? Did you see any other issues?

CC: (none) => andrewsfarm

Comment 6 Herman Viaene 2022-02-05 09:14:25 CET
No other issues.

Whiteboard: (none) => MGA8-64-OK

Comment 7 Thomas Andrews 2022-02-05 16:24:45 CET
Validating. Advisory in Comment 0.

Keywords: (none) => validated_update
CC: (none) => sysadmin-bugs

Dave Hodgins 2022-02-05 19:33:13 CET

CC: (none) => davidwhodgins
Keywords: (none) => advisory

Comment 8 Mageia Robot 2022-02-05 21:24:14 CET
An update for this issue has been pushed to the Mageia Updates repository.

https://advisories.mageia.org/MGASA-2022-0050.html

Status: NEW => RESOLVED
Resolution: (none) => FIXED

