From 3b5e88b8a2a79b660404823ff3f12501f15895c9 Mon Sep 17 00:00:00 2001 From: Jan Palus Date: Fri, 13 Aug 2021 19:27:21 +0200 Subject: [PATCH] up to 5.15.5 (multitude of security fixes) note: this is an unofficial release -- after 5.15.2 Qt no longer makes open source 5.15 releases but code is still available in Git. this upgrade consists of git extract of tag v5.15.5-lts from https://code.qt.io/cgit/qt/qtwebengine.git/ along with rev d2679df (87-based branch) from: https://code.qt.io/cgit/qt/qtwebengine-chromium.git/ additional fixes thanks to fedora: - remaining 'TRUE' replaced (no longer defined by icu) - syncqt.pl invocation to fix build errors related to missing header - font rendering issue with glibc 2.33 - gold preference -- bfd got insane when it comes to opened file descriptors (4096 is not enough to build qtwebengine and qtwebengine itself enforces no more than 4096 opened descriptors limiting it even if user's limit is higher) --- glibc-2.33.patch | 141 +++++++++++++++++++++++++++++++++++++++++++ icu.patch | 12 ++++ qt5-qtwebengine.spec | 20 ++++-- 3 files changed, 167 insertions(+), 6 deletions(-) create mode 100644 glibc-2.33.patch create mode 100644 icu.patch diff --git a/glibc-2.33.patch b/glibc-2.33.patch new file mode 100644 index 0000000..7951e6b --- /dev/null +++ b/glibc-2.33.patch
@@ -0,0 +1,141 @@
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.rh#1904652 qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc.rh#1904652 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/baseline_policy.cc 2021-06-24 08:34:07.566783935 -0500
+@@ -257,6 +257,18 @@ ResultExpr EvaluateSyscallImpl(int fs_de
+ return RestrictKillTarget(current_pid, sysno);
+ }
+
++#if defined(__NR_newfstatat)
++ if (sysno == __NR_newfstatat) {
++ return RewriteFstatatSIGSYS();
++ }
++#endif
++
++#if defined(__NR_fstatat64)
++ if (sysno == __NR_fstatat64) {
++ return RewriteFstatatSIGSYS();
++ }
++#endif
++
+ if (SyscallSets::IsFileSystem(sysno) ||
+ SyscallSets::IsCurrentDirectory(sysno)) {
+ return Error(fs_denied_errno);
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.rh#1904652 qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc.rh#1904652 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.cc 2021-06-24 08:40:08.552334787 -0500
+@@ -6,6 +6,8 @@
+
+ #include "sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h"
+
++#include
++#include
+ #include
+ #include
+ #include
+@@ -355,6 +357,35 @@ intptr_t SIGSYSSchedHandler(const struct
+ return -ENOSYS;
+ }
+
++intptr_t SIGSYSFstatatHandler(const struct arch_seccomp_data& args,
++ void* aux) {
++ switch (args.nr) {
++#if defined(__NR_newfstatat)
++ case __NR_newfstatat:
++#endif
++#if defined(__NR_fstatat64)
++ case __NR_fstatat64:
++#endif
++#if defined(__NR_newfstatat) || defined(__NR_fstatat64)
++ if (*reinterpret_cast(args.args[1]) == '\0'
++ && args.args[3] == static_cast(AT_EMPTY_PATH)) {
++ return sandbox::sys_fstat64(static_cast(args.args[0]),
++ reinterpret_cast(args.args[2]));
++ } else {
++ errno = EACCES;
++ return -1;
++ }
++ break;
++#endif
++ }
++
++ CrashSIGSYS_Handler(args, aux);
++
++ // Should never be reached.
++ RAW_CHECK(false);
++ return -ENOSYS;
++}
++
+ bpf_dsl::ResultExpr CrashSIGSYS() {
+ return bpf_dsl::Trap(CrashSIGSYS_Handler, NULL);
+ }
+@@ -387,6 +418,10 @@ bpf_dsl::ResultExpr RewriteSchedSIGSYS()
+ return bpf_dsl::Trap(SIGSYSSchedHandler, NULL);
+ }
+
++bpf_dsl::ResultExpr RewriteFstatatSIGSYS() {
++ return bpf_dsl::Trap(SIGSYSFstatatHandler, NULL);
++}
++
+ void AllocateCrashKeys() {
+ #if !defined(OS_NACL_NONSFI)
+ if (seccomp_crash_key)
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.rh#1904652 qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h.rh#1904652 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/seccomp-bpf-helpers/sigsys_handlers.h 2021-06-24 08:39:31.205174337 -0500
+@@ -62,6 +62,10 @@ SANDBOX_EXPORT intptr_t SIGSYSPtraceFail
+ // sched_setparam(), sched_setscheduler()
+ SANDBOX_EXPORT intptr_t SIGSYSSchedHandler(const arch_seccomp_data& args,
+ void* aux);
++// If the fstatat syscall is actually a disguised fstat, calls the regular fstat
++// syscall, otherwise, crashes in the same way as CrashSIGSYS_Handler.
++SANDBOX_EXPORT intptr_t
++ SIGSYSFstatatHandler(const struct arch_seccomp_data& args, void* aux);
+
+ // Variants of the above functions for use with bpf_dsl.
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYS();
+@@ -72,6 +76,7 @@ SANDBOX_EXPORT bpf_dsl::ResultExpr Crash
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSFutex();
+ SANDBOX_EXPORT bpf_dsl::ResultExpr CrashSIGSYSPtrace();
+ SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteSchedSIGSYS();
++SANDBOX_EXPORT bpf_dsl::ResultExpr RewriteFstatatSIGSYS();
+
+ // Allocates a crash key so that Seccomp information can be recorded.
+ void AllocateCrashKeys();
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc.rh#1904652 qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc.rh#1904652 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.cc 2021-06-24 08:34:07.567783940 -0500
+@@ -261,4 +261,13 @@ int sys_sigaction(int signum,
+
+ #endif // defined(MEMORY_SANITIZER)
+
++SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf)
++{
++#if defined(__NR_fstat64)
++ return syscall(__NR_fstat64, fd, buf);
++#else
++ return syscall(__NR_fstat, fd, buf);
++#endif
++}
++
+ } // namespace sandbox
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h.rh#1904652 qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h.rh#1904652 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/sandbox/linux/services/syscall_wrappers.h 2021-06-24 08:34:07.568783944 -0500
+@@ -17,6 +17,7 @@ struct sock_fprog;
+ struct rlimit64;
+ struct cap_hdr;
+ struct cap_data;
++struct stat64;
+
+ namespace sandbox {
+
+@@ -84,6 +85,9 @@ SANDBOX_EXPORT int sys_sigaction(int sig
+ const struct sigaction* act,
+ struct sigaction* oldact);
+
++// Recent glibc rewrites fstat to fstatat.
++SANDBOX_EXPORT int sys_fstat64(int fd, struct stat64 *buf);
++
+ } // namespace sandbox
+
+ #endif // SANDBOX_LINUX_SERVICES_SYSCALL_WRAPPERS_H_
diff --git a/icu.patch b/icu.patch
new file mode 100644
index 0000000..b61c923
--- /dev/null
+++ b/icu.patch
@@ -0,0 +1,12 @@
+diff -up qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/third_party/libxml/src/encoding.c.TRUE qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/third_party/libxml/src/encoding.c
+--- qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/third_party/libxml/src/encoding.c.TRUE 2021-05-28 07:05:45.000000000 -0500
++++ qtwebengine-everywhere-src-5.15.5/src/3rdparty/chromium/third_party/libxml/src/encoding.c 2021-06-24 09:44:41.592468805 -0500
+@@ -2004,7 +2004,7 @@ xmlEncOutputChunk(xmlCharEncodingHandler
+ #ifdef LIBXML_ICU_ENABLED
+ else if (handler->uconv_out != NULL) {
+ ret = xmlUconvWrapper(handler->uconv_out, 0, out, outlen, in, inlen,
+- TRUE);
++ 1);
+ }
+ #endif /* LIBXML_ICU_ENABLED */
+ else {
diff --git a/qt5-qtwebengine.spec b/qt5-qtwebengine.spec
index bdc5c60..2d44dd3 100644
--- a/qt5-qtwebengine.spec
+++ b/qt5-qtwebengine.spec
@@ -13,14 +13,16 @@
 Summary: The Qt5 WebEngine library
 Summary(pl.UTF-8): Biblioteka Qt5 WebEngine
 Name: qt5-%{orgname}
-Version: 5.15.2
-Release: 3
+Version: 5.15.5
+Release: 1
 License: LGPL v3 or GPL v2 or GPL v3 or commercial
 Group: X11/Libraries
-Source0: http://download.qt.io/official_releases/qt/5.15/%{version}/submodules/%{orgname}-everywhere-src-%{version}.tar.xz
-# Source0-md5: c88cbe3158feb20c4feb3d54262feb23
+Source0: qtwebengine-%{version}.tar.xz
+# Source0-md5: ef8a67c66f2e59d349c3590a3ef41615
 Patch0: x32.patch
 Patch1: %{name}-gn-dynamic.patch
+Patch2: icu.patch
+Patch3: glibc-2.33.patch
 URL: https://www.qt.io/
 BuildRequires: Mesa-khrplatform-devel
 BuildRequires: Qt5Core-devel >= %{qtbase_ver}
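Review bot: In SIGSYSFstatatHandler (sigsys_handlers.cc inside glibc-2.33.patch) the rejecting branch does `errno = EACCES; return -1;`, while the sibling handler shown as context and the tail of this same function return a negated errno (`return -ENOSYS;`). If the trap handler's return value is handed back to the caller as the raw syscall result, which that convention suggests, `-1` is read as EPERM and the errno assignment is lost, so `return -EACCES;` would be the consistent form. The forwarding branch has the same shape, because sys_fstat64 returns the libc `syscall()` result (-1 with errno set) rather than a negated errno. The comment added in sigsys_handlers.h says a non-fstat fstatat "crashes in the same way as CrashSIGSYS_Handler", but the code denies it with an error instead, so the comment or the code should change. Before this patch these syscalls fell through to `Error(fs_denied_errno)` in baseline_policy.cc, so it is worth confirming that callers which tolerated that errno also tolerate the new one.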
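Review bot: Source0 changes from the upstream download URL to a bare file name, so the spec itself no longer records where the tarball comes from; that information exists only in the commit message. A comment above Source0 would keep it with the package, for example `# git extract of tag v5.15.5-lts from https://code.qt.io/cgit/qt/qtwebengine.git/` and `# with qtwebengine-chromium rev d2679df (87-based branch)`. With a locally generated archive the `# Source0-md5` line is the only integrity reference, and MD5 does not resist deliberate collisions, so the archive should be reproducible from those two revisions by anyone who needs to verify it.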
@@ -106,6 +108,8 @@ BuildRoot: %{tmpdir}/%{name}-%{version}-root-%(id -u -n) %define specflags -fno-strict-aliasing %define qt5dir %{_libdir}/qt5 +%define qt5bindir %(qtpaths-qt5 --binaries-dir) + %description Qt is a cross-platform application and UI framework. Using Qt, you can write web-enabled applications once and deploy them across desktop, @@ -262,17 +266,21 @@ Qt5 WebEngine examples. Przykłady do biblioteki Qt5 WebEngine. %prep -%setup -q -n %{orgname}-everywhere-src-%{version} +%setup -q -n qtwebengine %ifarch x32 %patch0 -p1 %endif %patch1 -p1 +%patch2 -p1 +%patch3 -p1 + +%{qt5bindir}/syncqt.pl -version %{version} %build %ifarch x32 export V8_TARGET_ARCH="x32" %endif -qmake-qt5 -- \ +qmake-qt5 CONFIG+=use_gold_linker -- \ -webengine-ffmpeg \ -webengine-icu \ -webengine-opus \ -- 2.44.0
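Review bot: `%define qt5bindir %(qtpaths-qt5 --binaries-dir)` is evaluated by a shell when the spec is parsed, and if qtpaths-qt5 is not installed at that point the macro expands to an empty string, so the `%{qt5bindir}/syncqt.pl -version %{version}` line added to %prep in the next hunk would try to run `/syncqt.pl`. Neither hunk shows a BuildRequires for the package that ships qtpaths-qt5 or syncqt.pl (one may exist outside the visible lines), so that is worth checking. A guard before the call such as `test -x %{qt5bindir}/syncqt.pl` makes the failure explicit instead of executing whatever the empty prefix resolves to.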