[18.09] qt511: 5.11.1 -> 5.11.3, qt56 & qt59 security fixes #55089
(cherry picked from commit 776c962)
CVE-2018-19865 tracks the issue of qtvirtualkeyboard where it logs all user input. With this commit we are applying the recommended patches from the upstream project.
More details can be obtained from the Qt announcement [1].
[1] https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
(cherry picked from commit 6660128)
This adds the "missing" qtvirtualkeyboard module of qt56. I just add this so I can apply (& test) the patches for a CVE in the next commit. This might seem strange but in case anyone decided to add / use this in the future we are on the safe(r) side. (cherry picked from commit 295a210)
* CVE-2018-15518, Qt Base: “double free or corruption” in QXmlStreamReader
* CVE-2018-19873, Qt Base: QBmpHandler segfault on malformed BMP file
* CVE-2018-19870, Qt Base: Check for QImage allocation failure in qgifhandler
* CVE-2018-19871, Qt Imageformats: QImage: QTgaFile CPU exhaustion
* CVE-2018-19865, Qt Virtual Keyboard: Qt Virtual Keyboard logs all key presses
* CVE-2018-19869, Qt Svg: Fix crash when parsing malformed url reference
More details can be obtained from the Qt announcement [1].
[1] https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
(cherry picked from commit 066be85)
This fixes
* CVE-2018-15518, Qt Base: “double free or corruption” in QXmlStreamReader
* CVE-2018-19873, Qt Base: QBmpHandler segfault on malformed BMP file
* CVE-2018-19870, Qt Base: Check for QImage allocation failure in qgifhandler
* CVE-2018-19871, Qt Imageformats: QImage: QTgaFile CPU exhaustion
* CVE-2018-19865, Qt Virtual Keyboard: Qt Virtual Keyboard logs all key presses
* CVE-2018-19869, Qt Svg: Fix crash when parsing malformed url reference
More details can be obtained from the Qt announcement [1].
[1] https://blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates/
(cherry picked from commit 2f5d37b)
Need to pick up fd75bbc as well
@veprbl I picked the additional patch, will re-run my recompilation now.
@GrahamcOfBorg test plasma5
This breaks
@NixOS/darwin-maintainers could any of you have a look at this? I do not own a darwin machine.
Yeah I can look at it tonight. Most likely a patch just needs to be bumped.
@matthewbauer any news? Did you have time to check why it is failing on darwin?
Yeah you should just need to backport 8153104 as well.
Unfortunately we don’t have access to NSWindowStyleMask. These patches should go away once we switch to a newer SDK. (cherry picked from commit 8153104)
@GrahamcOfBorg build qt511.qtbase
Cross-link: #55994
Motivation for this change
Backport of #54986
I recently became aware of a few things in various Qt versions that we ship that we should address:
More details can be obtained from the Qt announcement [1].
[1] blog.qt.io/blog/2018/12/04/qt-5-11-3-released-important-security-updates
cc maintainers @qknight @ttuegel @periklis @bkchr