Update to bug-fix release Qt 5.9.8 to fix security issues in qtwebengine in Bionic
Affects | Status | Importance | Assigned to | Milestone
---|---|---|---|---
qtwebengine-opensource-src (Ubuntu) | Fix Released | Undecided | Unassigned |
Bionic | Won't Fix | Undecided | Unassigned |
Bug Description
[Impact]
The currently shipped release of Qt WebEngine (5.9.5) suffers from multiple security issues, because it is based on an outdated Chromium release.
To enumerate these issues, I want to quote the upstream changelogs for the 5.9.6, 5.9.7 and 5.9.8 releases:
https:/
- Security fixes from Chromium up to version 66.0.3359.170:
  * CVE-2018-6120
  * CVE-2018-6115
  * CVE-2018-6114
  * CVE-2018-6118
  * CVE-2018-6103
  * CVE-2018-6101
  * CVE-2018-6101
  * CVE-2018-6085
  * CVE-2018-6086
  * CVE-2018-6088
  * CVE-2018-6090
  * Security Bug 831984
  * Security Bug 816768
  * Security Bug 797298
https:/
- Security fixes from Chromium up to version 69.0.3497.113:
  * CVE-2018-4117
  * CVE-2018-6124
  * CVE-2018-6129
  * CVE-2018-6130
  * CVE-2018-6132
  * CVE-2018-6135
  * CVE-2018-6144
  * CVE-2018-6145
  * CVE-2018-6153
  * CVE-2018-6154
  * CVE-2018-6155
  * CVE-2018-6155
  * CVE-2018-6156
  * CVE-2018-6159
  * CVE-2018-6161
  * CVE-2018-6162
  * CVE-2018-6165
  * CVE-2018-16066
  * CVE-2018-16067
  * CVE-2018-16068
  * CVE-2018-16076
  * CVE-2018-16077
https:/
- Security fixes from Chromium up to version 72.0.3626.121:
  * CVE-2018-17462
  * CVE-2018-17469
  * CVE-2018-17471
  * CVE-2018-17474
  * CVE-2018-17476
  * CVE-2018-17481
  * CVE-2018-18336
  * CVE-2018-18337
  * CVE-2018-18339
  * CVE-2018-18340
  * CVE-2018-18342
  * CVE-2018-18343
  * CVE-2018-18345
  * CVE-2018-18347
  * CVE-2018-18349
  * CVE-2018-18356
  * CVE-2019-5756
  * CVE-2019-5758
  * CVE-2019-5759
  * CVE-2019-5764
  * CVE-2019-5786
  * Security issue 872189
  * Security issue 877843
  * Security issue 880207
  * Security issue 899689
  * Security issue 900910
  * Security issue 911253
  * Security issue 922677
These issues affect users of browsers based on Qt WebEngine (such as falkon and qutebrowser) and other apps (kmail, akregator).
There were also some non-security fixes in the 5.9.6 release:
- [QTBUG-64071] Only add the first found widevine CDM
- [QTBUG-64925] Fix compilation with system ICU 60
- [QTBUG-66560] Remove NOTREACHED in ScreenWin:
- Fix build with GCC 8.1.0
[Proposed Fix]
To fix all these issues, I propose to upgrade to the latest release from upstream 5.9 LTS branch. I think it is better to do this via -proposed rather than -security, to allow more people to test this package before it is moved to -updates.
[Test Case]
Install applications that are using Qt WebEngine (falkon, qutebrowser, konqueror, akregator, kmail, kontact, etc.)
Make sure they are working properly and can show HTML content.
[Regression Potential]
There are many security fixes in the new release, and they can introduce regressions (e.g. incorrect display of certain HTML pages). There should be no regressions in terms of ABI compatibility, as Qt 5.9 is an LTS branch and upstream developers promise both backward and upward ABI compatibility within this branch.
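The [Test Case] above checks that applications still render; as an added check that is not part of this bug report, the following script flags installed qtwebengine binary packages whose upstream version is still below the proposed 5.9.8. It assumes the binary package names libqt5webengine5, libqt5webenginecore5 and qml-module-qtwebengine, and the sample dpkg-query output embedded below is constructed, not taken from the Bionic archive.

```shell
#!/bin/sh
# Added example (not from this bug report): flag qtwebengine binary packages whose
# upstream version is still below the 5.9.8 release proposed here.
FIXED_UPSTREAM="5.9.8"
# Upstream part of a Debian version string: drop epoch, Debian revision and "+dfsg".
upstream_version() {
    printf '%s\n' "$1" | sed -e 's/^[0-9]*://' -e 's/-[^-]*$//' -e 's/+.*$//'
}

# Succeed (exit 0) when dotted version $1 is strictly older than $2.
version_lt() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        n = split(a, x, "."); m = split(b, y, ".");
        for (i = 1; i <= (n > m ? n : m); i++) {
            p = (i <= n) ? x[i] + 0 : 0; q = (i <= m) ? y[i] + 0 : 0;
            if (p < q) exit 0; if (p > q) exit 1;
        }
        exit 1 }'
}
# Classify one "package version" line; returns 1 when the package is still vulnerable.
check_line() {
    pkg=${1%% *}; ver=${1#* }
    up=$(upstream_version "$ver")
    if version_lt "$up" "$FIXED_UPSTREAM"; then
        echo "VULNERABLE $pkg $ver (upstream $up < $FIXED_UPSTREAM)"; return 1
    fi
    echo "OK $pkg $ver"
}

# Read "package version" lines on stdin; returns 1 if any is below the fixed version.
scan() {
    rc=0
    while IFS= read -r line; do
        [ -n "$line" ] && { check_line "$line" || rc=1; }
    done
    return $rc
}
# Constructed sample of what the live query below prints on a Bionic box; the
# version strings are illustrative, not taken from the archive.
SAMPLE='libqt5webengine5 5.9.5+dfsg-0ubuntu1
libqt5webenginecore5 5.9.8+dfsg-0ubuntu1
qml-module-qtwebengine 1:5.9.5+dfsg-0ubuntu1'

if [ "${1-}" = "--live" ]; then
    dpkg-query -W -f '${Package} ${Version}\n' 'libqt5webengine*' 'qml-module-qtwebengine' | scan
else
    printf '%s\n' "$SAMPLE" | scan
fi && echo "all qtwebengine packages are at or above $FIXED_UPSTREAM"
```

Run it with `--live` on the machine under test to query dpkg instead of the constructed sample; a non-zero exit status means at least one package is still on the vulnerable version.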
no longer affects: qtbase-opensource-src (Ubuntu)
description: updated
Changed in qtwebengine-opensource-src (Ubuntu):
status: New → Fix Released
Now the question is, since upstream releases all Qt components as one stack (qtbase-opensource-src and its sisters), is an SRU of all Qt 5.9.8 LTS components to Bionic feasible, or required? It would be beneficial for IoT and embedded device developers since Qt is used there.