Update to bug-fix release Qt 5.9.8 to fix security issues in qtwebengine in Bionic

Bug #1830807 reported by Amr Ibrahim
Affects                              Status        Importance  Assigned to  Milestone
qtwebengine-opensource-src (Ubuntu)  Fix Released  Undecided   Unassigned
  Bionic                             Won't Fix     Undecided   Unassigned

Bug Description

[Impact]
The currently shipped release of Qt WebEngine (5.9.5) suffers from multiple security issues, because it is based on an outdated Chromium release.

To enumerate these issues, I want to quote the upstream changelogs for 5.9.6, 5.9.7 and 5.9.8 releases:

https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.9.6

 - Security fixes from Chromium up to version 66.0.3359.170:
   * CVE-2018-6120
   * CVE-2018-6115
   * CVE-2018-6114
   * CVE-2018-6118
   * CVE-2018-6103
   * CVE-2018-6101
   * CVE-2018-6085
   * CVE-2018-6086
   * CVE-2018-6088
   * CVE-2018-6090
   * Security Bug 831984
   * Security Bug 816768
   * Security Bug 797298

https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.9.7?h=5.9

 - Security fixes from Chromium up to version 69.0.3497.113:
   * CVE-2018-4117
   * CVE-2018-6124
   * CVE-2018-6129
   * CVE-2018-6130
   * CVE-2018-6132
   * CVE-2018-6135
   * CVE-2018-6144
   * CVE-2018-6145
   * CVE-2018-6153
   * CVE-2018-6154
   * CVE-2018-6155
   * CVE-2018-6156
   * CVE-2018-6159
   * CVE-2018-6161
   * CVE-2018-6162
   * CVE-2018-6165
   * CVE-2018-16066
   * CVE-2018-16067
   * CVE-2018-16068
   * CVE-2018-16076
   * CVE-2018-16077

https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.9.8?h=5.9

 - Security fixes from Chromium up to version 72.0.3626.121:
   * CVE-2018-17462
   * CVE-2018-17469
   * CVE-2018-17471
   * CVE-2018-17474
   * CVE-2018-17476
   * CVE-2018-17481
   * CVE-2018-18336
   * CVE-2018-18337
   * CVE-2018-18339
   * CVE-2018-18340
   * CVE-2018-18342
   * CVE-2018-18343
   * CVE-2018-18345
   * CVE-2018-18347
   * CVE-2018-18349
   * CVE-2018-18356
   * CVE-2019-5756
   * CVE-2019-5758
   * CVE-2019-5759
   * CVE-2019-5764
   * CVE-2019-5786
   * Security issue 872189
   * Security issue 877843
   * Security issue 880207
   * Security issue 899689
   * Security issue 900910
   * Security issue 911253
   * Security issue 922677

These issues affect users of browsers based on Qt WebEngine (such as falkon and qutebrowser) and other apps (kmail, akregator).

There were also some non-security fixes in 5.9.6 release:

 - [QTBUG-64071] Only add the first found widevine CDM
 - [QTBUG-64925] Fix compilation with system ICU 60
 - [QTBUG-66560] Remove NOTREACHED in ScreenWin::GetNativeWindowFromHWND
 - Fix build with GCC 8.1.0

[Proposed Fix]
To fix all these issues, I propose to upgrade to the latest release from the upstream 5.9 LTS branch. I think it is better to do this via -proposed rather than -security, to allow more people to test this package before it is moved to -updates.

[Test Case]
Install applications that use Qt WebEngine (falkon, qutebrowser, konqueror, akregator, kmail, kontact, etc.)

Make sure they are working properly and can show HTML content.

[Regression Potential]
There are many security fixes in the new release, and they can introduce regressions (e.g. incorrect display of certain HTML pages). There should be no regressions in terms of ABI compatibility, as Qt 5.9 is an LTS branch and upstream developers promise both backward and upward ABI compatibility within this branch.

no longer affects: qtbase-opensource-src (Ubuntu)
description: updated
Changed in qtwebengine-opensource-src (Ubuntu):
status: New → Fix Released
Revision history for this message
Amr Ibrahim (amribrahim1987) wrote :

Now the question is, since upstream releases all Qt components as one stack (qtbase-opensource-src and its sisters), is an SRU of all Qt 5.9.8 LTS components to Bionic feasible, or required? It would be beneficial for IoT and embedded devices developers since Qt is used there.

Dmitry Shachnev (mitya57) wrote :

We cannot update qtbase as that would require rebuilds of all packages using QObjectPrivate. Also there are quite a lot of changes in qtbase which make it not match the SRU criteria.

If there are some important fixes related to IoT and embedded devices, please point me to specific upstream commits or bugs.

Amr Ibrahim (amribrahim1987) wrote :

OK, thanks Dmitry.

Łukasz Zemczak (sil2100) wrote : Please test proposed package

Hello Amr, or anyone else affected,

Accepted qtwebengine-opensource-src into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qtwebengine-opensource-src/5.9.8+dfsg-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in qtwebengine-opensource-src (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

I have accepted the upload to bionic-proposed. I saw a lot of optional symbols being dropped/modified - as they were optional I suppose it should be fine, but let's keep an eye out for issues in case we missed something non-optional changing and breaking the ABI.

Also, since I have accepted it to bionic-proposed, in case we want it to land in bionic-security it would have to be rebuilt in a security-enabled PPA. If not, we'll simply release it to bionic-updates only. But it might be a good idea to get in touch with the security team here.

Dmitry Shachnev (mitya57) wrote :

As I mentioned in description, I decided to go through -proposed and not through -security to let more people test it before it’s released.

But subscribing the release team nevertheless, as they may be indeed interested in this.

Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (qtwebengine-opensource-src/5.9.8+dfsg-0ubuntu1)

All autopkgtests for the newly accepted qtwebengine-opensource-src (5.9.8+dfsg-0ubuntu1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

akregator/4:17.12.3-0ubuntu1 (arm64, amd64, armhf, i386)
kontact/4:17.12.3-0ubuntu1 (arm64, amd64, armhf, i386)
konqueror/4:17.12.3-0ubuntu1 (arm64, amd64, armhf, i386)
parley/4:17.12.3-0ubuntu1 (arm64, amd64, armhf, i386)
kf5-messagelib/4:17.12.3-0ubuntu3 (arm64, amd64, armhf, i386)
kdepim-runtime/4:17.12.3-0ubuntu2 (arm64, amd64, armhf, i386)
libkf5ksieve/4:17.12.3-0ubuntu1 (arm64, amd64, armhf, i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#qtwebengine-opensource-src

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Dmitry Shachnev (mitya57) wrote :

It looks like Qt WebEngine 5.9.8 CMake files depend on Qt Quick 5.9.8. Quoting from kdepim-runtime autopkgtest log:

> CMake Error at /usr/lib/x86_64-linux-gnu/cmake/Qt5WebEngineCore/Qt5WebEngineCoreConfig.cmake:101 (find_package):
> Could not find a configuration file for package "Qt5Quick" that is
> compatible with requested version "5.9.8".
>
> The following configuration files were considered but not accepted:
>
> /usr/lib/x86_64-linux-gnu/cmake/Qt5Quick/Qt5QuickConfig.cmake, version: 5.9.5

So unfortunately we cannot ship the update as is; marking this bug as verification-failed.

If someone knows a workaround I may try to do a new upload.

tags: added: verification-failed verification-failed-bionic
removed: verification-needed verification-needed-bionic
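To make the failure in the quoted kdepim-runtime log concrete, here is an added Python example; it is not code from this bug, from Qt or from Ubuntu packaging. It parses a CMake `find_package` error of the shape shown above and applies the version rule that Qt 5's generated `Qt5<Module>ConfigVersion.cmake` files follow (stated here as a simplifying assumption): a candidate is accepted only when its major version matches and it is not older than the requested version. The `CMAKE_ERROR` sample is constructed from the quoted text, and `check_stack` is a hypothetical helper that asks the question this SRU ran into, namely whether updating one module of the Qt stack to 5.9.8 while its siblings stay at 5.9.5 can satisfy the dependency requests the new module's config files make.

```python
import re
from typing import Dict, List, Optional, Tuple

Version = Tuple[int, int, int]

# Constructed sample: the CMake error quoted in the bug comment, laid out
# the way CMake prints it.
CMAKE_ERROR = (
    'CMake Error at /usr/lib/x86_64-linux-gnu/cmake/Qt5WebEngineCore/'
    'Qt5WebEngineCoreConfig.cmake:101 (find_package):\n'
    '  Could not find a configuration file for package "Qt5Quick" that is\n'
    '  compatible with requested version "5.9.8".\n'
    '\n'
    '  The following configuration files were considered but not accepted:\n'
    '\n'
    '    /usr/lib/x86_64-linux-gnu/cmake/Qt5Quick/Qt5QuickConfig.cmake, version: 5.9.5\n'
)

PKG_RE = re.compile(r'package "([A-Za-z0-9_]+)"')
REQ_RE = re.compile(r'requested version "([0-9.]+)"')
SEEN_RE = re.compile(r'(\S+Config\.cmake), version: ([0-9.]+)')


def parse_version(text: str) -> Version:
    """Turn '5.9.8' into (5, 9, 8); missing components default to 0."""
    parts = [int(p) for p in text.strip().split(".") if p]
    while len(parts) < 3:
        parts.append(0)
    return (parts[0], parts[1], parts[2])


def is_compatible(requested: str, installed: str) -> bool:
    """Simplified Qt5 ConfigVersion rule (assumption): same major version
    and the installed module is not older than the requested version."""
    req, inst = parse_version(requested), parse_version(installed)
    return req[0] == inst[0] and inst >= req


def parse_find_package_error(log: str) -> Optional[Dict[str, object]]:
    """Extract package name, requested version and the candidate config
    files from one 'Could not find a configuration file' error."""
    pkg = PKG_RE.search(log)
    req = REQ_RE.search(log)
    if not pkg or not req:
        return None
    candidates = [(path, ver) for path, ver in SEEN_RE.findall(log)]
    return {"package": pkg.group(1), "requested": req.group(1),
            "candidates": candidates}


def explain(log: str) -> List[str]:
    """One human-readable verdict per candidate config file in the log."""
    info = parse_find_package_error(log)
    if info is None:
        return []
    lines = []
    for path, ver in info["candidates"]:
        ok = is_compatible(info["requested"], ver)
        verdict = "compatible" if ok else "too old or wrong major"
        lines.append(f'{info["package"]} {ver} at {path}: {verdict} '
                     f'for requested {info["requested"]}')
    return lines


def check_stack(requested: str, installed: Dict[str, str],
                deps: List[str]) -> List[str]:
    """Hypothetical pre-upload check: which dependency modules cannot
    satisfy the version a freshly updated module will request from them."""
    problems = []
    for module in deps:
        have = installed.get(module)
        if have is None:
            problems.append(f"{module}: not installed")
        elif not is_compatible(requested, have):
            problems.append(f"{module}: installed {have}, requested {requested}")
    return problems


if __name__ == "__main__":
    for line in explain(CMAKE_ERROR):
        print(line)
    # Constructed stack: only Qt5WebEngineCore moved to 5.9.8, as in the SRU.
    bionic = {"Qt5Core": "5.9.5", "Qt5Gui": "5.9.5", "Qt5Quick": "5.9.5"}
    for problem in check_stack("5.9.8", bionic, ["Qt5Core", "Qt5Gui", "Qt5Quick"]):
        print(problem)
```

Running the script prints one line per candidate the log listed and then the modules of the constructed 5.9.5 stack that a 5.9.8 module's config would reject; the practical lesson is that the check has to be run against the whole set of modules a package's config files request, not just the package being updated.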
Steve Langasek (vorlon) wrote : Proposed package removed from archive

The version of qtwebengine-opensource-src in the proposed pocket of Bionic that was purported to fix this bug report has been removed because one or more bugs that were to be fixed by the upload have failed verification and been in this state for more than 10 days.

Changed in qtwebengine-opensource-src (Ubuntu Bionic):
status: Fix Committed → Won't Fix
Ubuntu SRU Bot (ubuntu-sru-bot) wrote : Autopkgtest regression report (qtwebengine-opensource-src/5.9.8+dfsg-0ubuntu1)

All autopkgtests for the newly accepted qtwebengine-opensource-src (5.9.8+dfsg-0ubuntu1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

akregator/4:17.12.3-0ubuntu1 (arm64, i386, amd64, armhf)
kf5-messagelib/4:17.12.3-0ubuntu3 (arm64, i386, amd64, armhf)
konqueror/4:17.12.3-0ubuntu1 (arm64, i386, amd64, armhf)
parley/4:17.12.3-0ubuntu1 (arm64, i386, amd64, armhf)
kdepim-runtime/4:17.12.3-0ubuntu2 (arm64, i386, amd64, armhf)
libkf5ksieve/4:17.12.3-0ubuntu1 (arm64, i386, amd64, armhf)
kontact/4:17.12.3-0ubuntu1 (arm64, i386, amd64, armhf)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#qtwebengine-opensource-src

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote :

All autopkgtests for the newly accepted qtwebengine-opensource-src (5.9.8+dfsg-0ubuntu1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

kdepim-runtime/4:17.12.3-0ubuntu2 (amd64, armhf, i386, arm64)
kf5-messagelib/4:17.12.3-0ubuntu3 (amd64, armhf, i386, arm64)
parley/4:17.12.3-0ubuntu1 (amd64, armhf, i386, arm64)
kontact/4:17.12.3-0ubuntu1 (amd64, armhf, i386, arm64)
konqueror/4:17.12.3-0ubuntu1 (amd64, armhf, i386, arm64)
libkf5ksieve/4:17.12.3-0ubuntu1 (amd64, armhf, i386, arm64)
akregator/4:17.12.3-0ubuntu1 (amd64, armhf, i386, arm64)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#qtwebengine-opensource-src

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!

Ubuntu SRU Bot (ubuntu-sru-bot) wrote :

All autopkgtests for the newly accepted qtwebengine-opensource-src (5.9.8+dfsg-0ubuntu1) for bionic have finished running.
The following regressions have been reported in tests triggered by the package:

kf5-messagelib/4:17.12.3-0ubuntu3 (amd64, armhf, arm64, i386)
konqueror/4:17.12.3-0ubuntu1 (amd64, armhf, arm64, i386)
akregator/4:17.12.3-0ubuntu1 (amd64, armhf, arm64, i386)
libkf5ksieve/4:17.12.3-0ubuntu1 (amd64, armhf, arm64, i386)
kdepim-runtime/4:17.12.3-0ubuntu2 (amd64, armhf, arm64, i386)
kontact/4:17.12.3-0ubuntu1 (amd64, armhf, arm64, i386)
parley/4:17.12.3-0ubuntu1 (amd64, armhf, arm64, i386)

Please visit the excuses page listed below and investigate the failures, proceeding afterwards as per the StableReleaseUpdates policy regarding autopkgtest regressions [1].

https://people.canonical.com/~ubuntu-archive/proposed-migration/bionic/update_excuses.html#qtwebengine-opensource-src

[1] https://wiki.ubuntu.com/StableReleaseUpdates#Autopkgtest_Regressions

Thank you!
