Update to bug-fix release Qt 5.9.8 to fix security issues in qtwebengine in Bionic

Bug #1830807 reported by Amr Ibrahim on 2019-05-28
Affects                               Importance   Assigned to
qtwebengine-opensource-src (Ubuntu)   Undecided    Unassigned
Bionic                                Undecided    Unassigned

Bug Description

[Impact]
The currently shipped release of Qt WebEngine (5.9.5) suffers from multiple security issues, because it is based on an outdated Chromium release.

To enumerate these issues, I want to quote the upstream changelogs for 5.9.6, 5.9.7 and 5.9.8 releases:

https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.9.6

 - Security fixes from Chromium up to version 66.0.3359.170:
   * CVE-2018-6120
   * CVE-2018-6115
   * CVE-2018-6114
   * CVE-2018-6118
   * CVE-2018-6103
   * CVE-2018-6101
   * CVE-2018-6085
   * CVE-2018-6086
   * CVE-2018-6088
   * CVE-2018-6090
   * Security Bug 831984
   * Security Bug 816768
   * Security Bug 797298

https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.9.7?h=5.9

 - Security fixes from Chromium up to version 69.0.3497.113:
   * CVE-2018-4117
   * CVE-2018-6124
   * CVE-2018-6129
   * CVE-2018-6130
   * CVE-2018-6132
   * CVE-2018-6135
   * CVE-2018-6144
   * CVE-2018-6145
   * CVE-2018-6153
   * CVE-2018-6154
   * CVE-2018-6155
   * CVE-2018-6156
   * CVE-2018-6159
   * CVE-2018-6161
   * CVE-2018-6162
   * CVE-2018-6165
   * CVE-2018-16066
   * CVE-2018-16067
   * CVE-2018-16068
   * CVE-2018-16076
   * CVE-2018-16077

https://code.qt.io/cgit/qt/qtwebengine.git/tree/dist/changes-5.9.8?h=5.9

 - Security fixes from Chromium up to version 72.0.3626.121:
   * CVE-2018-17462
   * CVE-2018-17469
   * CVE-2018-17471
   * CVE-2018-17474
   * CVE-2018-17476
   * CVE-2018-17481
   * CVE-2018-18336
   * CVE-2018-18337
   * CVE-2018-18339
   * CVE-2018-18340
   * CVE-2018-18342
   * CVE-2018-18343
   * CVE-2018-18345
   * CVE-2018-18347
   * CVE-2018-18349
   * CVE-2018-18356
   * CVE-2019-5756
   * CVE-2019-5758
   * CVE-2019-5759
   * CVE-2019-5764
   * CVE-2019-5786
   * Security issue 872189
   * Security issue 877843
   * Security issue 880207
   * Security issue 899689
   * Security issue 900910
   * Security issue 911253
   * Security issue 922677

These issues affect users of browsers based on Qt WebEngine (such as falkon and qutebrowser) and other apps (kmail, akregator).

There were also some non-security fixes in 5.9.6 release:

 - [QTBUG-64071] Only add the first found widevine CDM
 - [QTBUG-64925] Fix compilation with system ICU 60
 - [QTBUG-66560] Remove NOTREACHED in ScreenWin::GetNativeWindowFromHWND
 - Fix build with GCC 8.1.0

[Proposed Fix]
To fix all these issues, I propose to upgrade to the latest release from upstream 5.9 LTS branch. I think it is better to do this via -proposed rather than -security, to allow more people to test this package before it is moved to -updates.

[Test Case]
Install applications that are using Qt WebEngine (falkon, qutebrowser, konqueror, akregator, kmail, kontact, etc.)

Make sure they are working properly and can show HTML content.

[Regression Potential]
There are many security fixes in the new release, and they can introduce regressions (e.g. incorrect display of certain HTML pages). There should be no regressions in terms of ABI compatibility, as Qt 5.9 is an LTS branch and upstream developers promise both backward and upward ABI compatibility within this branch.
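
The CVE lists above are copied by hand from three upstream dist/changes-5.9.x files, and the copies carry duplicate entries and one header with a missing colon. The following is an added example (not part of the bug report or of the Qt/Ubuntu packaging) of a small parser for that changelog format, so that the set of Chromium security fixes picked up by moving from the installed 5.9.5 to 5.9.8 can be enumerated and de-duplicated mechanically rather than by eye. The changelog text embedded below is a constructed, abridged excerpt in the same layout as the quoted files; function names are the example's own.

```python
import re
from typing import Dict, List, NamedTuple

# Constructed, abridged excerpt in the layout of the upstream dist/changes-5.9.x
# files quoted in the bug report (a few entries per release, duplicates kept on
# purpose to exercise de-duplication; the 5.9.8 header lacks its colon as quoted).
CHANGELOGS: Dict[str, str] = {
    "5.9.6": """\
 - Security fixes from Chromium up to version 66.0.3359.170:
   * CVE-2018-6120
   * CVE-2018-6101
   * CVE-2018-6101
   * Security Bug 831984
 - [QTBUG-64071] Only add the first found widevine CDM
""",
    "5.9.7": """\
 - Security fixes from Chromium up to version 69.0.3497.113:
   * CVE-2018-4117
   * CVE-2018-6155
   * CVE-2018-6155
   * CVE-2018-16077
""",
    "5.9.8": """\
 - Security fixes from Chromium up to version 72.0.3626.121
   * CVE-2018-17462
   * CVE-2019-5786
   * Security issue 922677
""",
}

# Header line of the security block; the trailing colon is optional because
# the 5.9.8 changelog omits it.
CHROMIUM_RE = re.compile(r"Security fixes from Chromium up to version (\d+(?:\.\d+)+):?")
CVE_RE = re.compile(r"\bCVE-\d{4}-\d{4,}\b")
# Chromium-tracker references without a CVE ("Security Bug NNN" / "Security issue NNN").
BUG_RE = re.compile(r"Security (?:Bug|issue) (\d+)", re.IGNORECASE)


class SecurityFixes(NamedTuple):
    chromium: str      # Chromium release the fixes were taken from
    cves: List[str]    # de-duplicated, in changelog order
    bugs: List[str]    # Chromium security bug numbers without a CVE


def _dedupe(items: List[str]) -> List[str]:
    seen, out = set(), []
    for item in items:
        if item not in seen:
            seen.add(item)
            out.append(item)
    return out


def parse_changelog(text: str) -> SecurityFixes:
    """Extract the 'Security fixes from Chromium' block of one changes file."""
    chromium, cves, bugs = "", [], []
    in_block = False
    for line in text.splitlines():
        m = CHROMIUM_RE.search(line)
        if m:
            chromium = m.group(1)
            in_block = True
            continue
        stripped = line.strip()
        if in_block and stripped.startswith("*"):
            cves.extend(CVE_RE.findall(stripped))
            bugs.extend(BUG_RE.findall(stripped))
        elif stripped:
            in_block = False   # any other non-empty line ends the security block
    return SecurityFixes(chromium, _dedupe(cves), _dedupe(bugs))


def _vkey(version: str):
    return tuple(int(p) for p in version.split("."))


def fixes_between(installed: str, target: str, changelogs: Dict[str, str]) -> SecurityFixes:
    """Union of fixes in every release newer than `installed` up to and including `target`."""
    chromium, cves, bugs = "", [], []
    for ver in sorted(changelogs, key=_vkey):
        if _vkey(installed) < _vkey(ver) <= _vkey(target):
            fixes = parse_changelog(changelogs[ver])
            cves.extend(fixes.cves)
            bugs.extend(fixes.bugs)
            chromium = fixes.chromium or chromium   # newest baseline wins
    return SecurityFixes(chromium, _dedupe(cves), _dedupe(bugs))


if __name__ == "__main__":
    result = fixes_between("5.9.5", "5.9.8", CHANGELOGS)
    print(f"Chromium baseline after update: {result.chromium}")
    print(f"{len(result.cves)} CVEs closed: {', '.join(result.cves)}")
    print(f"{len(result.bugs)} Chromium security bugs without CVE: {', '.join(result.bugs)}")
```

Run against the full upstream files rather than the excerpt, the output is the list an SRU verifier would paste into the bug or cross-check against the Ubuntu CVE tracker; the "bugs" list matters because those entries have no CVE and are easy to lose when only CVE identifiers are tracked.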

no longer affects: qtbase-opensource-src (Ubuntu)
description: updated
Changed in qtwebengine-opensource-src (Ubuntu):
status: New → Fix Released
Amr Ibrahim (amribrahim1987) wrote :

Now the question is, since upstream releases all Qt components as one stack (qtbase-opensource-src and its sisters), is an SRU of all Qt 5.9.8 LTS components to Bionic feasible, or required? It would be beneficial for IoT and embedded devices developers since Qt is used there.

Dmitry Shachnev (mitya57) wrote :

We cannot update qtbase as that would require rebuilds of all packages using QObjectPrivate. Also there are quite a lot of changes in qtbase which make it not match the SRU criteria.

If there are some important fixes related to IoT and embedded devices, please point me to specific upstream commits or bugs.

Amr Ibrahim (amribrahim1987) wrote :

OK, thanks Dmitry.

Hello Amr, or anyone else affected,

Accepted qtwebengine-opensource-src into bionic-proposed. The package will build now and be available at https://launchpad.net/ubuntu/+source/qtwebengine-opensource-src/5.9.8+dfsg-0ubuntu1 in a few hours, and then in the -proposed repository.

Please help us by testing this new package. See https://wiki.ubuntu.com/Testing/EnableProposed for documentation on how to enable and use -proposed. Your feedback will aid us getting this update out to other Ubuntu users.

If this package fixes the bug for you, please add a comment to this bug, mentioning the version of the package you tested and change the tag from verification-needed-bionic to verification-done-bionic. If it does not fix the bug for you, please add a comment stating that, and change the tag to verification-failed-bionic. In either case, without details of your testing we will not be able to proceed.

Further information regarding the verification process can be found at https://wiki.ubuntu.com/QATeam/PerformingSRUVerification . Thank you in advance for helping!

N.B. The updated package will be released to -updates after the bug(s) fixed by this package have been verified and the package has been in -proposed for a minimum of 7 days.

Changed in qtwebengine-opensource-src (Ubuntu Bionic):
status: New → Fix Committed
tags: added: verification-needed verification-needed-bionic
Łukasz Zemczak (sil2100) wrote :

I have accepted the upload to bionic-proposed. I saw a lot of optional symbols being dropped/modified - as they were optional I suppose it should be fine, but let's keep an eye out for issues in case we missed something non-optional changing and breaking the ABI.

Also, since I have accepted it to bionic-proposed, in case we want it to land in bionic-security it would have to be rebuilt in a security-enabled PPA. If not, we'll simply release it to bionic-updates only. But it might be a good idea to get in touch with the security team here.

Dmitry Shachnev (mitya57) wrote :

As I mentioned in the description, I decided to go through -proposed and not through -security to let more people test it before it's released.

But subscribing the release team nevertheless, as they may be indeed interested in this.
