commit fb62e11071b99bae296ba2c7be03295af4008cb5
Author: Kevin Kofler <kevin.kofler(a)chello.at>
Date: Sun Mar 18 19:08:08 2018 +0100
Fix (from 5.9.5) for incomplete, ineffective fix for CVE-2018-6033 in 5.10.1
* Sun Mar 18 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> - 5.10.1-4
- Fix (from 5.9.5) for incomplete, ineffective fix for CVE-2018-6033 in 5.10.1
qt5-qtwebengine-freeworld.spec | 13 ++++-
...ngine-everywhere-src-5.10.1-CVE-2018-6033.patch | 64 ++++++++++++++++++++++
2 files changed, 74 insertions(+), 3 deletions(-)
---
diff --git a/qt5-qtwebengine-freeworld.spec b/qt5-qtwebengine-freeworld.spec
index 65e4e51..576d162 100644
--- a/qt5-qtwebengine-freeworld.spec
+++ b/qt5-qtwebengine-freeworld.spec
@@ -41,7 +41,7 @@
Summary: Qt5 - QtWebEngine components (freeworld version)
Name: qt5-qtwebengine-freeworld
Version: 5.10.1
-Release: 3%{?dist}
+Release: 4%{?dist}
%global major_minor %(echo %{version} | cut -d. -f-2)
%global major %(echo %{version} | cut -d. -f1)
@@ -107,10 +107,13 @@ Patch100:
qtwebengine-everywhere-src-5.10.0-no-aspirational-scripts.patch
# see the patch metadata for the list of fixed CVEs and Chromium bug IDs
# omit the Chromium bug 806122 fix because we use the system FFmpeg
Patch101: qtwebengine-everywhere-src-5.10.1-security-5.9.5.patch
+# fix incomplete (and thus having no effect) fix for CVE-2018-6033 in 5.10.1
+# (forward-ported from 5.9.5, will also be included in 5.11)
+Patch102: qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch
# fix build with FFmpeg 3.5 (apply conditionally because it breaks older FFmpeg)
# backport of:
https://chromium-review.googlesource.com/c/chromium/src/+/754261
#
https://chromium-review.googlesource.com/c/chromium/src/+/889686
-Patch102: qtwebengine-everywhere-src-5.10.1-ffmpeg35.patch
+Patch103: qtwebengine-everywhere-src-5.10.1-ffmpeg35.patch
# handled by qt5-srpm-macros, which defines %%qt5_qtwebengine_arches
ExclusiveArch: %{qt5_qtwebengine_arches}
@@ -339,8 +342,9 @@ This version is compiled with support for patent-encumbered codecs
enabled.
%patch22 -p1 -b .icu59
%patch100 -p1 -b .no-aspirational-scripts
%patch101 -p1 -b .security-5.9.5
+%patch102 -p1 -b .CVE-2018-6033
%if 0%{?fedora} > 27
-%patch102 -p1 -b .ffmpeg35
+%patch103 -p1 -b .ffmpeg35
%endif
# fix // in #include in content/renderer/gpu to avoid debugedit failure
sed -i -e 's!gpu//!gpu/!g' \
@@ -424,6 +428,9 @@ echo "%{_libdir}/%{name}" \
%config(noreplace) %{_sysconfdir}/ld.so.conf.d/%{name}-%{_arch}.conf
%changelog
+* Sun Mar 18 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> - 5.10.1-4
+- Fix (from 5.9.5) for incomplete, ineffective fix for CVE-2018-6033 in 5.10.1
+
* Sat Mar 17 2018 Kevin Kofler <Kevin(a)tigcc.ticalc.org> - 5.10.1-3
- Forward-port security backports from 5.9.5 LTS (up to Chromium 65.0.3325.146)
diff --git a/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch
b/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch
new file mode 100644
index 0000000..8b97a2c
--- /dev/null
+++ b/qtwebengine-everywhere-src-5.10.1-CVE-2018-6033.patch
@@ -0,0 +1,64 @@
+From 1fd21185614dcae0c7a6e5647ba56cff0120f563 Mon Sep 17 00:00:00 2001
+Message-Id:
<1fd21185614dcae0c7a6e5647ba56cff0120f563.1521386919.git.kevin.kofler(a)chello.at>
+From: Michal Klocek <michal.klocek(a)qt.io>
+Date: Wed, 7 Mar 2018 18:36:25 +0100
+Subject: [PATCH] Implement IsMostRecentDownloadItemAtFilePath call
+
+Implement IsMostRecentDownloadItemAtFilePath
+for download_manager_delegate_qt. This is required for
+CVE-2018-6033.
+
+Change-Id: I9f48dfa159d684f0fda894e68b81ff622aceaae2
+Reviewed-by: Allan Sandfeld Jensen <allan.jensen(a)qt.io>
+---
+ src/core/download_manager_delegate_qt.cpp | 20 ++++++++++++++++++++
+ src/core/download_manager_delegate_qt.h | 2 ++
+ 2 files changed, 22 insertions(+)
+
+diff --git a/src/core/download_manager_delegate_qt.cpp
b/src/core/download_manager_delegate_qt.cpp
+index 40df9b3a..487a831e 100644
+--- a/src/core/download_manager_delegate_qt.cpp
++++ b/src/core/download_manager_delegate_qt.cpp
+@@ -293,6 +293,26 @@ void DownloadManagerDelegateQt::ChooseSavePath(content::WebContents
*web_content
+ m_weakPtrFactory.GetWeakPtr()));
+ }
+
++bool DownloadManagerDelegateQt::IsMostRecentDownloadItemAtFilePath(content::DownloadItem
*download)
++{
++ content::BrowserContext *context = download->GetBrowserContext();
++ std::vector<content::DownloadItem*> all_downloads;
++
++ content::DownloadManager* manager =
++ content::BrowserContext::GetDownloadManager(context);
++ if (manager)
++ manager->GetAllDownloads(&all_downloads);
++
++ for (const auto* item : all_downloads) {
++ if (item->GetGuid() == download->GetGuid() ||
++ item->GetTargetFilePath() != download->GetTargetFilePath())
++ continue;
++ if (item->GetState() == content::DownloadItem::IN_PROGRESS)
++ return false;
++ }
++ return true;
++}
++
+ void DownloadManagerDelegateQt::savePackageDownloadCreated(content::DownloadItem *item)
+ {
+ OnDownloadUpdated(item);
+diff --git a/src/core/download_manager_delegate_qt.h
b/src/core/download_manager_delegate_qt.h
+index df43211e..7563d5d3 100644
+--- a/src/core/download_manager_delegate_qt.h
++++ b/src/core/download_manager_delegate_qt.h
+@@ -81,6 +81,8 @@ public:
+ const base::FilePath::StringType &default_extension,
+ bool can_save_as_complete,
+ const content::SavePackagePathPickedCallback &callback)
override;
++ bool IsMostRecentDownloadItemAtFilePath(content::DownloadItem* download) override;
++
+
+ void cancelDownload(quint32 downloadId);
+ void pauseDownload(quint32 downloadId);
+--
+2.14.3
+
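Review bot: In the embedded patch to src/core/download_manager_delegate_qt.cpp, `IsMostRecentDownloadItemAtFilePath` only queries the DownloadManager of `download->GetBrowserContext()`, so an in-progress download to the same target path that belongs to a different browser context is never seen and the function still returns true. Whether two contexts can end up with the same target path in QtWebEngine is not visible from this hunk, so this may be acceptable, but the limitation should be written down next to the code. The function also returns true when `manager` is null (the list stays empty), and despite its name it compares no start times, only the IN_PROGRESS state of other items. I would add above the definition: `// Returns false only if another IN_PROGRESS item of the same BrowserContext targets the same path; other contexts are not checked, and a null manager yields true.`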